| author | Søren Sandmann Pedersen <ssp@redhat.com> | 2012-09-15 07:13:09 (GMT) |
|---|---|---|
| committer | Søren Sandmann Pedersen <ssp@redhat.com> | 2012-09-24 22:43:31 (GMT) |
| commit | de60e2e0e3eb6084f8f14b63f25b3cbfb012943f | |
| tree | 1f66560b6fafe361b0b4300fbb98def51efade4c | |
| parent | aa311a4641b79eac39fe602b75d7bee3de9b1dce | |

Fix for infinite-loop test

The infinite loop detected by "affine-test 212944861" is caused by an
overflow in this expression:

    max_x = pixman_fixed_to_int (vx + (width - 1) * unit_x) + 1;

where (width - 1) * unit_x doesn't fit in a signed int. This causes
max_x to be too small so that this:

    src_width = 0
    while (src_width < REPEAT_NORMAL_MIN_WIDTH && src_width <= max_x)
        src_width += src_image->bits.width;

results in src_width being 0. Later on when src_width is used for
repeat calculations, we get the infinite loop.

By casting unit_x to int64_t, the expression no longer overflows and
affine-test 212944861 and infinite-loop no longer loop forever.

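
The overflow described in the commit message, reproduced as an added example (not pixman code and not part of the commit). The typedef, `MIN_WIDTH`, the function names and the input values are constructed stand-ins, not the values from affine-test 212944861; both functions return a 64-bit result so the two evaluations can be compared directly.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins, not pixman's own definitions. */
typedef int32_t fixed_t;   /* 16.16 fixed point */
#define MIN_WIDTH 64       /* plays the role of REPEAT_NORMAL_MIN_WIDTH */

/* 32-bit evaluation. Signed overflow is undefined in C, so the wrap a
 * two's-complement machine produces is modelled with unsigned arithmetic. */
static int64_t max_x_32bit(fixed_t vx, int32_t width, fixed_t unit_x)
{
    uint32_t sum = (uint32_t)vx + (uint32_t)(width - 1) * (uint32_t)unit_x;
    return (int64_t)((int32_t)sum >> 16) + 1;
}

/* 64-bit evaluation, with unit_x widened to int64_t before the multiply. */
static int64_t max_x_64bit(fixed_t vx, int32_t width, fixed_t unit_x)
{
    int64_t sum = vx + (width - 1) * (int64_t)unit_x;
    return (sum >> 16) + 1;
}

/* The widening loop quoted in the commit message. */
static int64_t padded_src_width(int32_t image_width, int64_t max_x)
{
    int64_t src_width = 0;
    while (src_width < MIN_WIDTH && src_width <= max_x)
        src_width += image_width;
    return src_width;
}

int main(void)
{
    /* Constructed inputs: vx = 0, 20000 destination pixels, a step of
     * 2.0 source pixels per destination pixel, a 1-pixel-wide source. */
    fixed_t vx = 0, unit_x = 2 * 65536;
    int32_t width = 20000, image_width = 1;

    int64_t bad = max_x_32bit(vx, width, unit_x);
    int64_t good = max_x_64bit(vx, width, unit_x);
    printf("32-bit: max_x=%lld src_width=%lld\n", (long long)bad,
           (long long)padded_src_width(image_width, bad));
    printf("64-bit: max_x=%lld src_width=%lld\n", (long long)good,
           (long long)padded_src_width(image_width, good));
    return 0;
}
```

With these inputs the product (width - 1) * unit_x is 19999 * 131072, which exceeds INT32_MAX, so the 32-bit result is negative and the loop body never runs.
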
| -rw-r--r-- | pixman/pixman-inlines.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/pixman/pixman-inlines.h b/pixman/pixman-inlines.h index 5517de5..3a3c658 100644 --- a/pixman/pixman-inlines.h +++ b/pixman/pixman-inlines.h @@ -859,7 +859,7 @@ fast_composite_scaled_bilinear ## scale_func_name (pixman_implementation_t *imp, { \ vx = v.vector[0]; \ repeat (PIXMAN_REPEAT_NORMAL, &vx, pixman_int_to_fixed(src_image->bits.width)); \ - max_x = pixman_fixed_to_int (vx + (width - 1) * unit_x) + 1; \ + max_x = pixman_fixed_to_int (vx + (width - 1) * (int64_t)unit_x) + 1; \ \ if (src_image->bits.width < REPEAT_NORMAL_MIN_WIDTH) \ { \ |
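
Review bot: on the `+` line the sum `vx + (width - 1) * (int64_t)unit_x` is now 64 bits wide, but it is still passed through `pixman_fixed_to_int` and stored in `max_x`, and neither the macro's definition nor the type of `max_x` is visible in this hunk. Please confirm that this conversion cannot narrow the value back into a small or negative 32-bit number for large `width` and `unit_x`, or clamp the 64-bit value before the assignment, since the code that follows only needs to know whether `max_x` reaches `REPEAT_NORMAL_MIN_WIDTH`. A short comment beside the cast explaining that it prevents the overflow would also keep it from being removed later as redundant.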
