From c26a7de9707e26d0552b0fedcd4bf2e0ba6542b2 Mon Sep 17 00:00:00 2001
From: Carl Worth
Date: Tue, 8 Apr 2008 01:54:27 -0700
Subject: Prevent potentially infinite wandering through memeory in _cairo_hull_prev_valid

It is possible for _cairo_hull_prev_valid to be called just once right before the calling loop is going to terminate. In this case we really don't want to walk off the beginning of the array and start wandering. Thanks to Jonathan Watt for noticing this problem: https://bugzilla.mozilla.org/show_bug.cgi?id=306649#c21
---
 src/cairo-hull.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/cairo-hull.c b/src/cairo-hull.c
index 73d95c554..ccdb34d45 100644
--- a/src/cairo-hull.c
+++ b/src/cairo-hull.c
@@ -125,8 +125,13 @@ _cairo_hull_vertex_compare (const void *av, const void *bv)
 static int
 _cairo_hull_prev_valid (cairo_hull_t *hull, int num_hull, int index)
 {
+ /* hull[0] is always valid, and we never need to wraparound, (if
+ * we are passed an index of 0 here, then the calling loop is just
+ * about to terminate). */
+ if (index == 0)
+ return 0;
+
 do {
- /* hull[0] is always valid, so don't test and wraparound */
 index--;
 } while (hull[index].discard);
 
-- cgit v1.2.3
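Review bot: The do/while loop after the new guard still has no lower bound of its own. For any index >= 1 it stops before the start of the array only because hull[0].discard is assumed never to be set, and a negative index would pass the `index == 0` test and read before hull. Nothing visible in the hunk enforces that invariant, so an out-of-bounds read is still possible if a later change ever marks hull[0] as discarded. Consider making the bound explicit with `if (index <= 0) return 0;` and `} while (index > 0 && hull[index].discard);`, or at least asserting `! hull[0].discard` on entry. The function body continues past the end of the hunk, so the return after the loop is not visible here.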