[CVE-2016-3190] Fix CVE issuetizen_7.0_m2_releasesubmit/tizen/20221109.014223submit/tizen/20220727.012456submit/tizen/20220520.082748accepted/tizen/unified/20220728.131651accepted/tizen/7.0/unified/hotfix/20221116.105307accepted/tizen/7.0/unified/20221110.060803tizen_7.0_hotfixaccepted/tizen_unifiedaccepted/tizen_7.0_unified_hotfixaccepted/tizen_7.0_unified

The fill_xrgb32_lerp_opaque_spans() allows remote attackers to cause a denial of service
(out-of-bounds read and application crash) via a negative span length.

Change-Id: Iebce4b5d6fd9ea6435cc88875f314fb60d81bddd

1 files changed, 2 insertions, 2 deletions

diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
index e343d275a..1822584d9 100644
--- a/src/cairo-image-compositor.c
+++ b/src/cairo-image-compositor.c
@@ -2370,7 +2370,7 @@ _fill_xrgb32_lerp_opaque_spans (void *abstract_renderer, int y, int h,
 			do {
 			    int len = spans[1].x - spans[0].x;
 			    uint32_t *d = (uint32_t*)(r->u.fill.data + r->u.fill.stride*yy + spans[0].x*4);
-			    while (len--)
+			    while (len-- > 0)
 				*d++ = r->u.fill.pixel;
 			    yy++;
 			} while (--hh);
@@ -2380,7 +2380,7 @@ _fill_xrgb32_lerp_opaque_spans (void *abstract_renderer, int y, int h,
 		    do {
 			int len = spans[1].x - spans[0].x;
 			uint32_t *d = (uint32_t *)(r->u.fill.data + r->u.fill.stride*yy + spans[0].x*4);
-			while (len--) {
+			while (len-- > 0) {
 			    *d = lerp8x4 (r->u.fill.pixel, a, *d);
 			    d++;
 			}