Author: Maarten Lankhorst
Subject: exa: only draw valid trapezoids
Patch-Mainline: To be upstreamed
References: bnc#853846 CVE-2013-6424
Signed-off-by: Michal Srb
diff --git a/exa/exa_render.c b/exa/exa_render.c
index 172e2b5..807eeba 100644
--- a/exa/exa_render.c
+++ b/exa/exa_render.c
@@ -1141,7 +1141,8 @@ exaTrapezoids(CARD8 op, PicturePtr pSrc, PicturePtr pDst,
 exaPrepareAccess(pPicture->pDrawable, EXA_PREPARE_DEST);
 for (; ntrap; ntrap--, traps++)
- (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1);
+ if (xTrapezoidValid(traps))
+ (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1);
 exaFinishAccess(pPicture->pDrawable, EXA_PREPARE_DEST);
 xRel = bounds.x1 + xSrc - xDst;
diff --git a/render/picture.h b/render/picture.h
index c85353a..fcd6401 100644
--- a/render/picture.h
+++ b/render/picture.h
@@ -211,7 +211,7 @@ typedef pixman_fixed_t xFixed;
 /* whether 't' is a well defined not obviously empty trapezoid */
 #define xTrapezoidValid(t) ((t)->left.p1.y != (t)->left.p2.y && \
 (t)->right.p1.y != (t)->right.p2.y && \
- (int) ((t)->bottom - (t)->top) > 0)
+ ((t)->bottom > (t)->top))
 /*
 * Standard NTSC luminance conversions:
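Review bot: The new guard in exaTrapezoids hangs off a brace-less `for`, so the loop body is two nested unbraced statements; a later line added beside the rasterize call would run outside the validity check. Bracing the loop and skipping early keeps the filter explicit: `for (; ntrap; ntrap--, traps++) {` followed by `if (!xTrapezoidValid(traps)) continue;`. A short comment such as `/* skip degenerate or inverted trapezoids before they reach the rasterizer (CVE-2013-6424) */` would record why the check must stay. The function starts and ends outside this hunk, so whether the `bounds` computation earlier in it also ignores invalid trapezoids cannot be confirmed from here and is worth checking.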
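Review bot: The comment above xTrapezoidValid in render/picture.h does not say why `bottom` and `top` are now compared directly, so a later cleanup could reintroduce the subtraction. The removed form computed `(t)->bottom - (t)->top` on signed fixed-point values, which can wrap for extreme inputs and make an inverted trapezoid look valid. Extending the comment with something like `/* compare directly: bottom - top can overflow for extreme values */` would document that. The macro also evaluates `t` several times; the call site in this patch passes a plain pointer, so that is harmless here, but a `static inline` taking `const xTrapezoid *` would remove the hazard, assuming that is the type these callers pass.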