Bug 53384

Summary: Crash or memory corruption: _cairo_damage_add_boxes generates broken single list
Product: cairo
Reporter: fmot.fics
Component: general
Assignee: Carl Worth <cworth>
Status: RESOLVED FIXED
QA Contact: cairo-bugs mailing list <cairo-bugs>
Severity: critical
Priority: medium
Version: 1.12.2
Hardware: All
OS: All

Description fmot.fics 2012-08-11 18:21:40 UTC
It is necessary to add the following line to the _cairo_damage_add_boxes function:

--- a/src/cairo-damage.c
+++ b/src/cairo-damage.c
@@ -128,6 +128,7 @@ _cairo_damage_add_boxes(cairo_damage_t *damage,
     chunk->count = count;

     damage->tail->next = chunk;
+    damage->tail = chunk;
     damage->remain = size - count;

     memcpy (damage->tail->base, boxes + n,
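Review bot: the added `damage->tail = chunk;` is the right fix and belongs exactly where it is, between `damage->tail->next = chunk;` and `damage->remain = size - count;`: without it the two lines that follow disagree about which chunk is current, since `remain` is computed from the new chunk's `size` while `memcpy (damage->tail->base, boxes + n,` still writes into the previous, already-full chunk, and every later append in the same list keeps going through that stale pointer. Worth a one-line comment that `tail` must be advanced before `remain` is recomputed, so the two cannot drift apart again.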

Otherwise the "tail" of the single list is not updated but the "remain" field is. That leads to either crash or memory corruption (which I encountered).
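As an added illustration of the defect described above (this is constructed example code, not cairo's implementation), the following models a chunked list with the field names from the hunk (tail, remain, count, base). The update_tail flag, the -2 return code and the bounds check in the copy are assumptions introduced here so the stale-tail case becomes a detectable error instead of an out-of-bounds write; the box data is constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the structure in the report; not cairo's code. */
typedef struct { int x1, y1, x2, y2; } box_t;

typedef struct chunk {
    struct chunk *next;
    int size;      /* capacity of base[] in boxes */
    int count;     /* boxes stored so far */
    box_t base[];  /* flexible array member (C99) */
} chunk_t;

typedef struct {
    chunk_t *head;
    chunk_t *tail;
    int remain;    /* free slots the bookkeeping believes tail has */
} damage_t;

static chunk_t *chunk_alloc(int size)
{
    chunk_t *c = malloc(sizeof(*c) + (size_t)size * sizeof(box_t));
    if (c != NULL) { c->next = NULL; c->size = size; c->count = 0; }
    return c;
}

damage_t *damage_create(int initial_size)
{
    damage_t *d = malloc(sizeof(*d));
    if (d == NULL)
        return NULL;
    d->head = d->tail = chunk_alloc(initial_size);
    if (d->head == NULL) { free(d); return NULL; }
    d->remain = initial_size;
    return d;
}

void damage_destroy(damage_t *d)
{
    chunk_t *c = d->head;
    while (c != NULL) { chunk_t *next = c->next; free(c); c = next; }
    free(d);
}

/* Append n boxes. update_tail == 0 reproduces the reported omission.
 * Returns 0 on success, -1 on allocation failure, -2 if the copy would
 * overrun the chunk it targets (only possible with a stale tail). */
int damage_add_boxes(damage_t *d, const box_t *boxes, int n, int update_tail)
{
    int done = 0;
    while (done < n) {
        if (d->remain == 0) {
            int size = d->tail->size * 2;
            if (size < n - done)
                size = n - done;
            chunk_t *chunk = chunk_alloc(size);
            if (chunk == NULL)
                return -1;
            d->tail->next = chunk;
            if (update_tail)
                d->tail = chunk;      /* the one line the fix adds */
            d->remain = size;         /* bookkeeping now describes the new chunk */
        }
        int count = n - done < d->remain ? n - done : d->remain;
        chunk_t *dst = d->tail;
        /* Bounds check: with a stale tail, dst is the already-full old chunk. */
        if (dst->count + count > dst->size)
            return -2;
        memcpy(dst->base + dst->count, boxes + done, (size_t)count * sizeof(box_t));
        dst->count += count;
        d->remain -= count;
        done += count;
    }
    return 0;
}

/* Invariant: tail is the last node reachable from head and remain equals
 * the free space in tail. Returns 1 if consistent, 0 otherwise. */
int damage_check(const damage_t *d)
{
    const chunk_t *c = d->head;
    while (c->next != NULL)
        c = c->next;
    return c == d->tail && d->tail->count + d->remain == d->tail->size;
}

int damage_count(const damage_t *d)
{
    int total = 0;
    for (const chunk_t *c = d->head; c != NULL; c = c->next)
        total += c->count;
    return total;
}

/* With the fix: 16 boxes over two appends into a list that starts with room
 * for 4. Returns 1 if all landed and the invariant holds, 0 otherwise. */
int demo_fixed(void)
{
    box_t boxes[16];
    for (int i = 0; i < 16; i++) {
        boxes[i].x1 = i; boxes[i].y1 = 0; boxes[i].x2 = i + 1; boxes[i].y2 = 1;
    }
    damage_t *d = damage_create(4);
    if (d == NULL)
        return 0;
    int ok = damage_add_boxes(d, boxes, 6, 1) == 0 &&
             damage_add_boxes(d, boxes + 6, 10, 1) == 0 &&
             damage_check(d) && damage_count(d) == 16;
    damage_destroy(d);
    return ok;
}

/* Without the fix: the second chunk is linked but tail still names the full
 * first one, so the copy is refused (-2) and the invariant is broken. */
int demo_stale_tail(void)
{
    box_t boxes[6] = {{0, 0, 1, 1}};
    damage_t *d = damage_create(4);
    if (d == NULL)
        return -1;
    int rc = damage_add_boxes(d, boxes, 6, 0);
    int consistent = damage_check(d);
    damage_destroy(d);
    return consistent ? 0 : rc;   /* expected -2 */
}
```

damage_check is the kind of invariant a debug build can assert after every append: once tail stops being the last node, or remain no longer matches the free space in tail, the next memcpy is already aimed at the wrong chunk.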
Comment 1 Chris Wilson 2012-08-11 18:30:46 UTC
Thanks!

commit d647d4f7db1f9b65f5d7f64574b1989b830aaa7c
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Sat Aug 11 19:28:21 2012 +0100

    damage: Update tail pointer after allocating new chunk
    
    Reported and based on a patch by fmot.fics
    
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=53384
