Fix some signed overflow bugs

In the macros for the PDF blend modes, two comp1_t variables are
multiplied together and then used as if the result were a
comp4_t. When comp1_t is a uint8_t, this is fine because they are
promoted to int, and the product of two uint8_ts fits in an
int. However, when comp1_t is uint16, the product does not necessarily
fit in an int, so casts are necessary.

Fix for bug 43906, reported by Siarhei Siamashka.

diff --git a/pixman/pixman-combine.c.template b/pixman/pixman-combine.c.template
index c17bcea..cd008d9 100644 (file)
--- a/pixman/pixman-combine.c.template
+++ b/pixman/pixman-combine.c.template
@@ -522,7 +522,7 @@ combine_multiply_ca (pixman_implementation_t *imp,
            UNcx4_MUL_UNc_ADD_UNcx4_MUL_UNc (result, isa, s, ida);      \
                                                                        \
            *(dest + i) = result +                                      \
-               (DIV_ONE_UNc (sa * da) << A_SHIFT) +                    \
+               (DIV_ONE_UNc (sa * (comp4_t)da) << A_SHIFT) +           \
                (blend_ ## name (RED_c (d), da, RED_c (s), sa) << R_SHIFT) + \
                (blend_ ## name (GREEN_c (d), da, GREEN_c (s), sa) << G_SHIFT) + \
                (blend_ ## name (BLUE_c (d), da, BLUE_c (s), sa));      \
@@ -552,7 +552,7 @@ combine_multiply_ca (pixman_implementation_t *imp,
            UNcx4_MUL_UNcx4_ADD_UNcx4_MUL_UNc (result, ~m, s, ida);     \
                                                                        \
            result +=                                                   \
-               (DIV_ONE_UNc (ALPHA_c (m) * da) << A_SHIFT) +           \
+               (DIV_ONE_UNc (ALPHA_c (m) * (comp4_t)da) << A_SHIFT) +  \
                (blend_ ## name (RED_c (d), da, RED_c (s), RED_c (m)) << R_SHIFT) + \
                (blend_ ## name (GREEN_c (d), da, GREEN_c (s), GREEN_c (m)) << G_SHIFT) + \
                (blend_ ## name (BLUE_c (d), da, BLUE_c (s), BLUE_c (m))); \
@@ -926,7 +926,7 @@ PDF_SEPARABLE_BLEND_MODE (exclusion)
            blend_ ## name (c, dc, da, sc, sa);                         \
                                                                        \
            *(dest + i) = result +                                      \
-               (DIV_ONE_UNc (sa * da) << A_SHIFT) +                    \
+               (DIV_ONE_UNc (sa * (comp4_t)da) << A_SHIFT) +           \
                (DIV_ONE_UNc (c[0]) << R_SHIFT) +                       \
                (DIV_ONE_UNc (c[1]) << G_SHIFT) +                       \
                (DIV_ONE_UNc (c[2]));                                   \

diff --git a/test/blitters-test.c b/test/blitters-test.c
index 55b6c73..63162e6 100644 (file)
--- a/test/blitters-test.c
+++ b/test/blitters-test.c
@@ -424,6 +424,6 @@ main (int argc, const char *argv[])
     }
 
     return fuzzer_test_main("blitters", 2000000,
-                           0x29137844,
+                           0x3EDA4108,
                            test_composite, argc, argv);
 }