The fill_xrgb32_lerp_opaque_spans() function allows remote attackers to cause a denial of service
(out-of-bounds read and application crash) via a negative span length.
Change-Id: Iebce4b5d6fd9ea6435cc88875f314fb60d81bddd
do {
int len = spans[1].x - spans[0].x;
uint32_t *d = (uint32_t*)(r->u.fill.data + r->u.fill.stride*yy + spans[0].x*4);
- while (len--)
+ while (len-- > 0)
*d++ = r->u.fill.pixel;
yy++;
} while (--hh);
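Review bot: A span with `spans[1].x <= spans[0].x` is now skipped by the inner loop, but the outer `do … while (--hh)` still runs once per row and still forms `d` from `spans[0].x` and `yy` before the guard is reached. The length does not depend on `yy`, so the test could be made once ahead of the row loop, for example `if (spans[1].x > spans[0].x) do { … } while (--hh);`, which also avoids pointer arithmetic for a span already known to be malformed. The lerp loop in the second hunk has the same shape. The enclosing function starts and ends outside the hunk, so whether an earlier check already rejects such spans cannot be told from here.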
do {
int len = spans[1].x - spans[0].x;
uint32_t *d = (uint32_t *)(r->u.fill.data + r->u.fill.stride*yy + spans[0].x*4);
- while (len--) {
+ while (len-- > 0) {
*d = lerp8x4 (r->u.fill.pixel, a, *d);
d++;
}
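Review bot: Only the lower bound of `len` is checked here; nothing visible in the hunk ties `spans[0].x` or a positive `len` to the row width. A span reaching past the end of the row would therefore still have `lerp8x4` read `*d` and store back through it outside the buffer. If the span generator is guaranteed to clip to the surface, that invariant deserves a comment beside the length computation, such as `/* spans are clipped to the surface by the caller; a non-positive length is an empty span */`. If it is not guaranteed, the length should be clamped before the loop. The row loop's closing `} while (--hh);` lies outside the hunk.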