From 5c82d91a5e15d29b1489dcb413b24ee7fdf59934 Mon Sep 17 00:00:00 2001
From: Bryce Harrington <bryce@osg.samsung.com>
Date: Wed, 3 Dec 2014 19:28:15 -0800
Subject: image: Fix crash in _fill_xrgb32_lerp_opaque_spans

If a span length is negative don't go out of bounds processing the fill
data.

Patch thanks to Ilya Sakhnenko <ilia.softway@gmail.com> on mailing list.

Signed-off-by: Bryce Harrington <bryce@osg.samsung.com>
---
 src/cairo-image-compositor.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/cairo-image-compositor.c')

diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
index 6ff0f09c0..48072f81b 100644
--- a/src/cairo-image-compositor.c
+++ b/src/cairo-image-compositor.c
@@ -2242,10 +2242,10 @@ _fill_xrgb32_lerp_opaque_spans (void *abstract_renderer, int y, int h,
 				     spans[0].x, y, len, 1, r->u.fill.pixel);
 		    } else {
 			uint32_t *d = (uint32_t*)(r->u.fill.data + r->u.fill.stride*y + spans[0].x*4);
-			while (len--)
+			while (len-- > 0)
 			    *d++ = r->u.fill.pixel;
 		    }
-		} else while (len--) {
+		} else while (len-- > 0) {
 		    *d = lerp8x4 (r->u.fill.pixel, a, *d);
 		    d++;
 		}
-- 
cgit v1.2.3