Reject trapezoids where top (botttom) is above (below) the edges

When a trapezoid has a top/bottom that is above/below the left/right
edges, degenerate trapezoids become possible. For example the edge
could be very short and close to horizontal. If the bottom edge is far
below the bottom point of such a short edge, the result is that the
lower right corner of the trapezoid will be extremely far to the left.

This kind of trapezoid causes overflows in the rasterization code, so
change pixman_trapezoid_valid() to reject them.

diff --git a/pixman/pixman.h b/pixman/pixman.h
index 18d951312b09e7c7e98a5e12e771746167233476..20ff496953411cc7974898a0bed30c0f25e5e770 100644 (file)
--- a/pixman/pixman.h
+++ b/pixman/pixman.h
@@ -908,10 +908,14 @@ struct pixman_triangle
 };
 
 /* whether 't' is a well defined not obviously empty trapezoid */
-#define pixman_trapezoid_valid(t)                                 \
-    ((t)->left.p1.y != (t)->left.p2.y &&                          \
-     (t)->right.p1.y != (t)->right.p2.y &&                        \
-     (int) ((t)->bottom - (t)->top) > 0)
+#define pixman_trapezoid_valid(t)                                      \
+    ((t)->left.p1.y != (t)->left.p2.y &&                               \
+     (t)->right.p1.y != (t)->right.p2.y &&                             \
+     (int) ((t)->bottom - (t)->top) > 0 &&                             \
+     (t)->bottom <= (t)->left.p2.y &&                                  \
+     (t)->bottom <= (t)->right.p2.y &&                                 \
+     (t)->top >= (t)->left.p1.y &&                                     \
+     (t)->top >= (t)->right.p1.y)
 
 struct pixman_span_fix
 {

diff --git a/test/composite-traps-test.c b/test/composite-traps-test.c
index ff03b50d9b04f77df8dac40ae28298b7b33cce7a..de518d82063ade674985d2ce0986cd6c57c4541b 100644 (file)
--- a/test/composite-traps-test.c
+++ b/test/composite-traps-test.c
@@ -251,6 +251,6 @@ test_composite (int      testnum,
 int
 main (int argc, const char *argv[])
 {
-    return fuzzer_test_main("composite traps", 40000, 0xE3112106,
+    return fuzzer_test_main("composite traps", 40000, 0x4346479C,
                            test_composite, argc, argv);
 }