I have an X server that uses cfb32 to render. We have not had a chance to switch to fb yet. We experience intermittent crashes and have tracked it down to cfb8line.c: it can step off the edge of a pixmap when handed certain points. This ends up corrupting the heap, and later on the server SEGVs in a call to free().

This was first noticed when using the Eclipse application to examine Java source files. An unrecognized class name will be underlined with a jagged line. Clicking and dragging from right to left across this name to select it, the server would often crash. The "speedmine" screen saver can also uncover this bug.

Rendering to a pixmap sized at 176x17, with the following pointlist:

    p[0].x = -2; p[0].y = 14;
    p[1].x = 0;  p[1].y = 16;
    p[2].x = 2;  p[2].y = 14;

cfb8ClippedLine() gets called with 0,16, 0,16. The local variable "len" gets calculated to be -1. This code is executed:

    while ((len -= 2) >= 0)
    {
        body body;
    }
    if (len & 1)
        body;

The while loop does not render any pixels, but it does adjust len to be -3. The "if" statement succeeds and "body" is executed, which adjusts the addrp pointer to be beyond the pixmap bounds. Then the unconditional call to RROP_SOLID on line 1495 writes to an invalid address.

Perhaps the "if" statement should also check to see if len is positive?

I suppose this bug can be seen using Xvfb:

- edit the call to RROP_SOLID on line 1495 to be:

      if ((addrp < (addr + pDrawable->width * pDrawable->height)) && (addrp >= addr))
      {
          RROP_SOLID (addrp);
      }
      else
      {
          fprintf(stderr, "Would render beyond limits of drawable.\n");
      }

- recompile Xvfb
- run the attached test program, look for the error message

This may be related to bug 1171.
Created attachment 2395: Test program to expose address error in cfb8line.c
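A constructed C model of the loop structure the report quotes, added here as an illustration; it is neither the reporter's test program nor code from cfb8line.c. It assumes one `step` is one row of the 176x17 pixmap, models "body" as advance-then-plot with a trailing plot standing in for the unconditional RROP_SOLID, and places the guard at loop entry, since after the while loop `len` is always -1 or -2 for any non-negative entry value.

```c
#include <stdint.h>

/* Constructed model (not cfb8line.c) of the unrolled span loop quoted in
 * the report.  The pixmap is 176x17 bytes as in the report; one "body"
 * advances the pixel pointer by `step` and plots; a trailing plot stands
 * in for the unconditional RROP_SOLID.  Assumed: step == one row. */
#define PIX_W 176
#define PIX_H 17

static uint8_t pixmap[PIX_W * PIX_H];   /* constructed target pixmap */

struct span_result { int plots, out_of_bounds; };  /* attempts; those outside the pixmap */

static void plot(uint8_t *pix, uint8_t *addrp, struct span_result *r)
{
    r->plots++;
    if (addrp >= pix && addrp < pix + PIX_W * PIX_H)
        *addrp = 1;
    else
        r->out_of_bounds++;                        /* the real server just writes */
}

/* Loop as quoted.  After the while loop len is -1 (odd entry) or -2 (even
 * entry) for any len >= 0, which is what `len & 1` relies on.  A negative
 * entry value such as -1 leaves len == -3: its low bit is set too, so the
 * tail body runs and the pointer steps off the pixmap. */
struct span_result span_original(uint8_t *pix, int x, int y, int step, int len)
{
    struct span_result r = {0, 0};
    uint8_t *addrp = pix + y * PIX_W + x;
    plot(pix, addrp, &r);                          /* first pixel */
    while ((len -= 2) >= 0) {
        addrp += step; plot(pix, addrp, &r);
        addrp += step; plot(pix, addrp, &r);
    }
    if (len & 1) { addrp += step; plot(pix, addrp, &r); }
    addrp += step; plot(pix, addrp, &r);           /* unconditional tail */
    return r;
}

/* Guarded variant: a one-pixel line (len < 0) never enters the loop. */
struct span_result span_guarded(uint8_t *pix, int x, int y, int step, int len)
{
    struct span_result r = {0, 0};
    if (len >= 0) return span_original(pix, x, y, step, len);
    plot(pix, pix + y * PIX_W + x, &r);
    return r;
}
```

With the report's degenerate call (x 0, y 16, len -1) the original loop makes two plot attempts past the end of the pixmap; the guarded variant plots the single pixel and stops.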
*** This bug has been marked as a duplicate of 1171 ***