OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/cairo?expand=0&rev=169
From b57526185d60b3e36bb0f6684cc0ae9ac2294972 Mon Sep 17 00:00:00 2001
From: William Bader <william@newspapersystems.com>
Date: Mon, 28 Apr 2025 05:01:45 +0200
Subject: [PATCH] Fix a NULL access in active_edges_to_traps(). The
bentley-ottmann tessellation implementation uses an x of INT32_MAX as a
sentinel. If a rectangle has an x of INT32_MAX, active_edges_to_traps() can
read past the end of the edge list when building trapezoids. This patch
reduces an x of INT32_MAX to INT32_MAX-1. This avoids the crash in
https://gitlab.freedesktop.org/poppler/poppler/-/issues/1579 This is an
alternative to the patch in
https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/620 that adds a
check for NULL pointers when traversing the edge list.
---
src/cairo-bentley-ottmann-rectangular.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/cairo-bentley-ottmann-rectangular.c b/src/cairo-bentley-ottmann-rectangular.c
index 65f95d797..be01e04f7 100644
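--- a/src/cairo-bentley-ottmann-rectangular.c
+++ b/src/cairo-bentley-ottmann-rectangular.c
@@ -847,6 +847,8 @@ _cairo_bentley_ottmann_tessellate_boxes (const cairo_boxes_t *in,
 rectangles[j].left.x = box[i].p2.x;
 rectangles[j].left.dir = -1;
 }
+ if (rectangles[j].left.x == INT32_MAX) rectangles[j].left.x = INT32_MAX-1;
+ if (rectangles[j].right.x == INT32_MAX) rectangles[j].right.x = INT32_MAX-1;
 
 rectangles[j].left.right = NULL;
 rectangles[j].right.right = NULL;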
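Review bot: The two added clamps in _cairo_bentley_ottmann_tessellate_boxes carry no comment, so the reason an x of INT32_MAX must never reach the sweep is recorded only in the commit message, and a later cleanup could drop them and bring back the NULL access. I would put `/* INT32_MAX is the sweep's sentinel x (see active_edges_to_traps); keep real edges strictly below it */` directly above them. The clamp also protects only this one place where a rectangle's edges are filled in. If other code in the file builds edges from caller-supplied coordinates (not visible in this hunk), it would need the same treatment, because the edge-list traversal still relies on the invariant rather than checking it. The enclosing loop and function begin and end outside the hunk.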
--
GitLab