Ubuntu
pixman package

  1. Bug #1197921
  2. Comment #14

Comment 14 for bug 1197921

Revision history for this message
In , Ritesh Khadgaray (khadgaray) wrote :

Created attachment 86883
proposed patch

Program received signal SIGSEGV, Segmentation fault.
0x00000033834488f6 in rasterize_edges_8 (image=<optimized out>,
    image=<optimized out>, image=<optimized out>, b=<optimized out>,
    t=<optimized out>, r=<optimized out>, l=<optimized out>)
    at pixman-edge.c:210
210 WRITE (image, ap + lxi,
(gdb) bt
#0 0x00007f895bdd38f6 in rasterize_edges_8 (image=<optimized out>, image=<optimized out>, image=<optimized out>, b=<optimized out>,
    t=<optimized out>, r=<optimized out>, l=<optimized out>) at pixman-edge.c:210
#1 pixman_rasterize_edges_no_accessors (b=<optimized out>, t=<optimized out>, r=<optimized out>, l=<optimized out>, image=<optimized out>)
    at pixman-edge.c:359
#2 pixman_rasterize_edges (image=0xffffffff, image@entry=0x1cc9bc0, l=0x7fff8dcfd410, r=0x7fff8dcfd440, t=1055852681, b=2147481463)
    at pixman-edge.c:382
#3 0x00007f895bdf109e in pixman_rasterize_trapezoid (image=image@entry=0x1cc9bc0, trap=trap@entry=0x1bf02a8, x_off=129, y_off=0)
    at pixman-trap.c:386
#4 0x00007f895aff6623 in uxa_trapezoids (op=<optimized out>, src=0x1cd7b10, dst=0x1cd5950, maskFormat=0x16a6eb8, xSrc=<optimized out>,
    ySrc=<optimized out>, ntrap=<optimized out>, traps=0x1bf02a8) at uxa-render.c:1816
#5 0x00000000005251bf in ProcRenderTrapezoids (client=0x1be9030) at render.c:759
#6 0x000000000043a137 in Dispatch () at dispatch.c:432
#7 0x00000000004286ca in main (argc=12, argv=0x7fff8dcfd788, envp=<optimized out>) at main.c:298
(gdb) fram 3
#3 0x00007f895bdf109e in pixman_rasterize_trapezoid (image=image@entry=0x1cc9bc0, trap=trap@entry=0x1bf02a8, x_off=129, y_off=0)
    at pixman-trap.c:386
386 pixman_rasterize_edges (image, &l, &r, t, b);
(gdb) list 359
354 pixman_fixed_t y_off_fixed;
355 pixman_edge_t l, r;
356 pixman_fixed_t t, b;
357
358 return_if_fail (image->type == BITS);
359
360 _pixman_image_validate (image);
361
362 if (!pixman_trapezoid_valid (trap))
363 return;
...
380 if (b >= t)
381 {
382 /* initialize edge walkers */
383 pixman_line_fixed_edge_init (&l, bpp, t, &trap->left, x_off, y_off);
384 pixman_line_fixed_edge_init (&r, bpp, t, &trap->right, x_off, y_off);
385
386 pixman_rasterize_edges (image, &l, &r, t, b);
387 }
388 }

(gdb) p *trap
$8 = {top = 32768, bottom = -2147483648, left = {p1 = {x = -8454144, y = 32768}, p2 = {x = -8454144, y = -2147483648}}, right = {p1 = {
      x = -8388608, y = 32768}, p2 = {x = -8388608, y = -2147483648}}}

from pixman.h

1029 /* whether 't' is a well defined not obviously empty trapezoid */
1030 #define pixman_trapezoid_valid(t) \
1031 ((t)->left.p1.y != (t)->left.p2.y && \
1032 (t)->right.p1.y != (t)->right.p2.y && \
1033 (int) ((t)->bottom - (t)->top) > 0) <--- haw haw
1034

An underflow . The proposed patch checks if bottom > 0 (assuming top/bottom are non-negative integer )