Bug 53384 - Crash or memory corruption: _cairo_damage_add_boxes generates broken single list
Summary: Crash or memory corruption: _cairo_damage_add_boxes generates broken single list
Status: RESOLVED FIXED
Alias: None
Product: cairo
Classification: Unclassified
Component: general (show other bugs)
Version: 1.12.2
Hardware: All All
: medium critical
Assignee: Carl Worth
QA Contact: cairo-bugs mailing list
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-08-11 18:21 UTC by fmot.fics
Modified: 2012-08-11 18:30 UTC (History)
0 users

See Also:
i915 platform:
i915 features:

Attachments

Description fmot.fics 2012-08-11 18:21:40 UTC 
It is necessary to add the following line to _cairo_damage_add_boxes function:

--- a/src/cairo-damage.c
+++ b/src/cairo-damage.c
@@ -128,6 +128,7 @@ _cairo_damage_add_boxes(cairo_damage_t *damage,
     chunk->count = count;

     damage->tail->next = chunk;
+    damage->tail = chunk;
     damage->remain = size - count;

     memcpy (damage->tail->base, boxes + n,

Otherwise the "tail" of the single list is not updated but the "remain" field is. That leads to either crash or memory corruption (which I encountered).
Comment 1 Chris Wilson 2012-08-11 18:30:46 UTC 
Thanks!

commit d647d4f7db1f9b65f5d7f64574b1989b830aaa7c
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Sat Aug 11 19:28:21 2012 +0100

    damage: Update tail pointer after allocating new chunk
    
    Reported and based on a patch by fmot.fics
    
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=53384

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.