diff options
| author | Søren Sandmann Pedersen <ssp@redhat.com> | 2012-09-15 03:13:09 -0400 |
|---|---|---|
| committer | Søren Sandmann Pedersen <ssp@redhat.com> | 2012-09-24 18:43:31 -0400 |
| commit | de60e2e0e3eb6084f8f14b63f25b3cbfb012943f (patch) | |
| tree | 1f66560b6fafe361b0b4300fbb98def51efade4c | |
| parent | aa311a4641b79eac39fe602b75d7bee3de9b1dce (diff) | |
Fix for infinite-loop test
The infinite loop detected by "affine-test 212944861" is caused by an
overflow in this expression:
max_x = pixman_fixed_to_int (vx + (width - 1) * unit_x) + 1;
where (width - 1) * unit_x doesn't fit in a signed int. This causes
max_x to be too small so that this:
src_width = 0
while (src_width < REPEAT_NORMAL_MIN_WIDTH && src_width <= max_x)
src_width += src_image->bits.width;
results in src_width being 0. Later on when src_width is used for
repeat calculations, we get the infinite loop.
By casting unit_x to int64_t, the expression no longer overflows and
affine-test 212944861 and infinite-loop no longer loop forever.
| -rw-r--r-- | pixman/pixman-inlines.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/pixman/pixman-inlines.h b/pixman/pixman-inlines.h index 5517de5..3a3c658 100644 --- a/pixman/pixman-inlines.h +++ b/pixman/pixman-inlines.h | |||
| @@ -859,7 +859,7 @@ fast_composite_scaled_bilinear ## scale_func_name (pixman_implementation_t *imp, | |||
| 859 | { \ | 859 | { \ |
| 860 | vx = v.vector[0]; \ | 860 | vx = v.vector[0]; \ |
| 861 | repeat (PIXMAN_REPEAT_NORMAL, &vx, pixman_int_to_fixed(src_image->bits.width)); \ | 861 | repeat (PIXMAN_REPEAT_NORMAL, &vx, pixman_int_to_fixed(src_image->bits.width)); \ |
| 862 | max_x = pixman_fixed_to_int (vx + (width - 1) * unit_x) + 1; \ | 862 | max_x = pixman_fixed_to_int (vx + (width - 1) * (int64_t)unit_x) + 1; \ |
| 863 | \ | 863 | \ |
| 864 | if (src_image->bits.width < REPEAT_NORMAL_MIN_WIDTH) \ | 864 | if (src_image->bits.width < REPEAT_NORMAL_MIN_WIDTH) \ |
| 865 | { \ | 865 | { \ |