This was flagged by a Coverity scan of the Mozilla source code. In pixman/src/fbpict.c around line 1154, there's a switch statement: switch(!(long)dst&3) { case 1: ... case 2: ... case 3: ... } |dst| here is a pointer. The switch expression makes no sense; !anything will always evaluate to 0 or 1 so the "2" and "3" cases are unreachable. The programmer probably meant |~(long)dst&3| or |(long)dst&3|. A similar construct appears around line 1230 involving the variable |src|.
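The reachability claim in the report above, checked in code. This is an added example, not code from pixman or from the report; the helper names and the base address 0x1000 are constructed for illustration. It computes which `case` labels each of the three selector expressions can reach across the four possible alignments of a non-null pointer.

```c
#include <stdint.h>
#include <stdio.h>

/* Candidate switch selectors. C parses !(long)p&3 as (!(long)p)&3;
   the parentheses are written out here to make that explicit. */
static int sel_not(uintptr_t p)   { return (!(long)p) & 3; }  /* reported form  */
static int sel_compl(uintptr_t p) { return (~(long)p) & 3; }  /* suggested form */
static int sel_plain(uintptr_t p) { return ((long)p) & 3; }   /* suggested form */

/* Bit n of the result is set if "case n" is selected for at least one
   of the four possible alignments of a non-null pointer. */
static unsigned reachable(int (*sel)(uintptr_t))
{
    const uintptr_t base = 0x1000;  /* constructed, word-aligned address */
    unsigned mask = 0;
    for (uintptr_t off = 0; off < 4; off++)
        mask |= 1u << sel(base + off);
    return mask;
}

int main(void)
{
    const uintptr_t base = 0x1000;  /* same constructed address */

    puts("offset  !p&3  ~p&3  p&3");
    for (uintptr_t off = 0; off < 4; off++)
        printf("%6u  %4d  %4d  %3d\n", (unsigned)off,
               sel_not(base + off), sel_compl(base + off),
               sel_plain(base + off));

    /* A mask of 0x1 means only the value 0 is ever produced, so no
       "case 1/2/3" label is taken for any real (non-null) pointer. */
    printf("reachable mask: ! = 0x%x, ~ = 0x%x, plain = 0x%x\n",
           reachable(sel_not), reachable(sel_compl), reachable(sel_plain));
    return 0;
}
```

With the logical negation the selector is 0 for every non-null pointer, so the alignment prologue is skipped entirely; it is 1 only when the pointer is null.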
This is now fixed in 1.1.1 and 1.0.3. -Carl diff-tree 5d89faf6b37bb0367c8ba8f8637fc80bd745c888 (from 6f0d8eedc504e8af2224c502be25dc82b5df70f4) Author: Carl Worth <cworth@cworth.org> Date: Mon Mar 13 13:20:29 2006 -0800 fbCompositeTrans_0888xnx0888: Fix suspicious logical negation of pointer value. Surely, the ! instead of ~ here was just a typo. I'd feel better if I had a failing test case for this though, (time to break out gcov again). Fixes bug #6185: Strange pointer operations in fbCompositeTrans_0888xnx0888 (pixman/src/fbpict.c) https://bugs.freedesktop.org/show_bug.cgi?id=6185 diff --git a/pixman/src/fbpict.c b/pixman/src/fbpict.c index e074174..ef7f4e2 100644 --- a/pixman/src/fbpict.c +++ b/pixman/src/fbpict.c @@ -1151,7 +1151,7 @@ fbCompositeTrans_0888xnx0888(pixman_oper setupPackedReader(ws,wt,isrc,wsrc,workingSource); /* get to word aligned */ - switch(!(long)dst&3) + switch(~(long)dst&3) { case 1: readPackedSource(rs); @@ -1227,7 +1227,7 @@ fbCompositeTrans_0888xnx0888(pixman_oper srcLine += srcStride; w = width*3; /* get to word aligned */ - switch(!(long)src&3) + switch(~(long)src&3) { case 1: rd=alphamaskCombine24(*src++, *dst)>>8;
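Review bot: In the first hunk, `switch(~(long)dst&3)` evaluates to 3 minus the low two bits of dst, so a dst that is already word aligned selects case 3 and a dst that is 3 bytes past a boundary selects no case at all. The comment above it says "get to word aligned"; only `case 1:` is visible in this context, so please confirm against the full case bodies that this mapping consumes the right amount of data for each alignment. The commit message says there is no failing test case yet, so a test that runs this path with dst at each of the four alignments should go in with the fix.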
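Review bot: In the second hunk, `switch(~(long)src&3)` depends on unary `~` binding tighter than `&`; writing it as `(~(long)src) & 3` would make the intended grouping obvious, which matters in a line that already carried one operator typo. The selector is computed from src while the visible `case 1:` body also dereferences `*dst`, so a one-line comment stating which pointer the prologue is aligning would help the next reader. Doing the bit operations on `unsigned long` rather than `long` would also avoid complementing a signed value.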