commit 003e16433142afd787ce4d62b6ef142d26eeb470 Author: Ritesh Khadgaray Date: Tue Oct 15 14:59:22 2013 +0530 fdo bug #67484 - Corrupted CustomShape crashes Xorg (edit) If t->bottom is close to MIN_INT, removing top can wraparound, so do the check properly.
diff --git a/.gitignore b/.gitignore
index 0f11496..f5bc098 100644
--- a/.gitignore
+++ b/.gitignore
@@ -79,6 +79,7 @@ test/scaling-test
 test/screen-test
 test/stress-test
 test/trap-crasher
+test/trap-invalid-crasher
 test/trap-test
 test/window-test
 *.pdb
diff --git a/pixman/pixman.h b/pixman/pixman.h
index 7ff9fb5..509ba5e 100644
--- a/pixman/pixman.h
+++ b/pixman/pixman.h
@@ -1030,7 +1030,7 @@ struct pixman_triangle
 #define pixman_trapezoid_valid(t) \
 ((t)->left.p1.y != (t)->left.p2.y && \
 (t)->right.p1.y != (t)->right.p2.y && \
- (int) ((t)->bottom - (t)->top) > 0)
+ ((t)->bottom > (t)->top))
 struct pixman_span_fix
 {
diff --git a/test/Makefile.sources b/test/Makefile.sources
index b5fc740..0c22156 100644
--- a/test/Makefile.sources
+++ b/test/Makefile.sources
@@ -12,6 +12,7 @@ TESTPROGRAMS = \
 oob-test \
 infinite-loop \
 trap-crasher \
+ trap-invalid-crasher \
 alpha-loop \
 scaling-crash-test \
 scaling-helpers-test \
diff --git a/test/trap-invalid-crasher.c b/test/trap-invalid-crasher.c
new file mode 100644
index 0000000..cc081fd
--- /dev/null
+++ b/test/trap-invalid-crasher.c
@@ -0,0 +1,27 @@
+#include
+#include "utils.h"
+
+int
+main()
+{
+ pixman_image_t *dst;
+ pixman_trapezoid_t traps[1] = {
+ {
+ 32768,
+ -2147483647,
+ {
+ { 0, 0 },
+ { 0, 2147483647 }
+ },
+ {
+ { 65536, 0 },
+ { 0, 2147483647 }
+ }
+ },
+ };
+
+ dst = pixman_image_create_bits (PIXMAN_a8, 1, 1, NULL, -1);
+
+ pixman_add_trapezoids (dst, 0, 0, ARRAY_LENGTH (traps), traps);
+ return (0);
+}
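Review bot: The rewritten last clause of `pixman_trapezoid_valid` carries no comment saying why it compares rather than subtracts, and this macro is the gate that decides whether a caller-supplied trapezoid is rasterised at all. I would add above the `#define`: `/* Compare bottom and top directly: (bottom - top) can overflow for extreme coordinates and let an inverted trapezoid pass (fdo #67484). */`, so the clause is not later "simplified" back into a subtraction. The macro still puts no bound on the edge points' y values, so any code behind it that subtracts those coordinates presumably needs its own overflow review; that code is outside this hunk.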
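Review bot: `dst` from `pixman_image_create_bits` is used without a NULL check and is never released, so an allocation failure would make this test crash for a reason unrelated to the trapezoid, and a leak checker will flag every run. Add `if (!dst) return 1;` after the create call and `pixman_image_unref (dst);` before the return. The test also passes purely by not crashing; an explicit check that `pixman_trapezoid_valid (&traps[0])` is false would pin the regression even on builds where a bad walk happens not to fault. The positional initialiser would read better with `/* top */` and `/* bottom */` comments on `32768` and `-2147483647`, and `main()` should be declared `main (void)`.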