In _cairo_xlib_surface_add_glyph() -> case CAIRO_FORMAT_ARGB32:
2442: unsigned int c = glyph_surface->stride * glyph_surface->height;
2453: while ((c -= 4) >= 0)
c is very unlikely to go below 0, thus it goes to (unsigned int)-4 which is
quite a big number causing memory corruption.
Changing the unsigned int to signed int makes it work instead of crash.
this is fixed already. I'll push 1.2.6 out next week.
*** This bug has been marked as a duplicate of 7953 ***