miWideDash() may call miLineProjectingCap() which calculates the hight for drawing when dx == 0 doing: topy = face->y; bottomy = face->y + dy; height = bottomy - topy; If face->dy < 0 this will result in a negative height. miFillPolyHelper() will use this height to calculate the size of memory to be allocated using this height which will cause the system to crash.
Created attachment 2069 [details] [review] Fix Discussing this with Keith he came up with this fix.
My Bug.
Egbert: Do you have a testcase (that may be a nice item for the xtest suite...) ?
> Egbert: . Do you have a testcase (that may be a nice item for the xtest suite...) ? Yes I agree. But no I don't. My testcase was a recording of a client communication which I replayed. I've committed the patch now: 2005-04-11 Egbert Eich <eich-at-freedesktop-dot-org> * programs/Xserver/mi/miwideline.c: Preventing hight for drawing from becoming negative when face->dy < 0. The height value is used in miFillPolyHelper() to calculate the size of memory to be allocated. A negative value will lead to a crash (Bugzilla #2690, Keith Packard, Egbert Eich).
Fixed.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.