authortscholb <scholb.kim@samsung.com>2022-05-20 17:01:21 +0900
committertscholb <scholb.kim@samsung.com>2022-05-20 17:01:21 +0900
commitffa067b0f650e8732269f8b01652b928ad8e311f (patch)
tree75578fa373b06a95451083748016af9d8ac2c42d
parentef01c6ac4a970a9af2d5d583c65e5253d518472e (diff)
The fill_xrgb32_lerp_opaque_spans() allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a negative span length. Change-Id: Iebce4b5d6fd9ea6435cc88875f314fb60d81bddd
-rw-r--r--src/cairo-image-compositor.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
index e343d275a..1822584d9 100644
--- a/src/cairo-image-compositor.c
+++ b/src/cairo-image-compositor.c
@@ -2370,7 +2370,7 @@ _fill_xrgb32_lerp_opaque_spans (void *abstract_renderer, int y, int h,
do {
int len = spans[1].x - spans[0].x;
uint32_t *d = (uint32_t*)(r->u.fill.data + r->u.fill.stride*yy + spans[0].x*4);
- while (len--)
+ while (len-- > 0)
*d++ = r->u.fill.pixel;
yy++;
} while (--hh);
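Review bot: With the `len-- > 0` guard here and in the second hunk, an inverted span is skipped silently, yet the outer `do … while (--hh)` still recomputes the same non-positive `len` and forms `d` on every row. Because `len` does not depend on `yy`, the row loop can stop at once with `if (len <= 0) break;` placed after the `d` declaration. Separately, `d` is derived from `spans[0].x` and `yy` with no range check in the visible lines; if the callers (not shown) do not clip spans to the surface, a positive `len` at an out-of-range x would still write outside the buffer. The function body begins and ends outside this hunk.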
@@ -2380,7 +2380,7 @@ _fill_xrgb32_lerp_opaque_spans (void *abstract_renderer, int y, int h,
do {
int len = spans[1].x - spans[0].x;
uint32_t *d = (uint32_t *)(r->u.fill.data + r->u.fill.stride*yy + spans[0].x*4);
- while (len--) {
+ while (len-- > 0) {
*d = lerp8x4 (r->u.fill.pixel, a, *d);
d++;
}
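Review bot: Nothing at the `while (len-- > 0) {` loop records why the comparison has to be signed and strict, so a later tidy-up could restore `while (len--)` and bring back the out-of-bounds read through `*d` in `lerp8x4`. A one-line comment above the loop would do, for example `/* len is negative when spans[1].x < spans[0].x; never count down through zero */`. The rest of `_fill_xrgb32_lerp_opaque_spans` lies outside this hunk, so any other `while (len--)` loops in it, or in the sibling span fillers of this file, are worth checking for the same pattern.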