[CVE-2016-3190] Fix CVE issue
04/275304/1 accepted/tizen_7.0_unified accepted/tizen_7.0_unified_hotfix accepted/tizen_8.0_unified accepted/tizen_unified tizen_7.0_hotfix tizen_8.0 accepted/tizen/7.0/unified/20221110.060803 accepted/tizen/7.0/unified/hotfix/20221116.105307 accepted/tizen/8.0/unified/20231005.093331 accepted/tizen/unified/20220728.131651 submit/tizen/20220520.082748 submit/tizen/20220727.012456 submit/tizen/20221109.014223 tizen_7.0_m2_release tizen_8.0_m2_release
author tscholb <scholb.kim@samsung.com>
Fri, 20 May 2022 08:01:21 +0000 (17:01 +0900)
committer tscholb <scholb.kim@samsung.com>
Fri, 20 May 2022 08:01:21 +0000 (17:01 +0900)
The fill_xrgb32_lerp_opaque_spans() allows remote attackers to cause a denial of service
(out-of-bounds read and application crash) via a negative span length.

Change-Id: Iebce4b5d6fd9ea6435cc88875f314fb60d81bddd

src/cairo-image-compositor.c

index e343d27..1822584 100644 (file)
@@ -2370,7 +2370,7 @@ _fill_xrgb32_lerp_opaque_spans (void *abstract_renderer, int y, int h,
                        do {
                            int len = spans[1].x - spans[0].x;
                            uint32_t *d = (uint32_t*)(r->u.fill.data + r->u.fill.stride*yy + spans[0].x*4);
-                           while (len--)
+                           while (len-- > 0)
                                *d++ = r->u.fill.pixel;
                            yy++;
                        } while (--hh);
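Review bot: in this fill loop the destination pointer `d` is still formed from `spans[0].x` before `len` is tested, so `while (len-- > 0)` stops the iteration for a negative length but leaves the start offset itself unchecked. Consider testing `len > 0` before computing `d`, and add a one-line comment that `spans[1].x - spans[0].x` can be negative, since nothing at the call site explains why the loop condition is no longer `while (len--)`. Note also that this loop stores through `*d++ = r->u.fill.pixel`, so what the guard prevents here is a write, while the commit message describes only a read.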
@@ -2380,7 +2380,7 @@ _fill_xrgb32_lerp_opaque_spans (void *abstract_renderer, int y, int h,
                    do {
                        int len = spans[1].x - spans[0].x;
                        uint32_t *d = (uint32_t *)(r->u.fill.data + r->u.fill.stride*yy + spans[0].x*4);
-                       while (len--) {
+                       while (len-- > 0) {
                            *d = lerp8x4 (r->u.fill.pixel, a, *d);
                            d++;
                        }
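Review bot: the guard on `while (len-- > 0) {` is a second copy of the same fix, applied to a `len`/`d` computation that is identical to the one in the previous loop, so the two can drift apart in later edits. Consider computing and validating the span length once in a small helper (or skipping the span early when `len <= 0`) and using it in both loops. This is the loop that matches the commit message, since `lerp8x4 (r->u.fill.pixel, a, *d)` reads `*d` before writing it. The change touches only src/cairo-image-compositor.c; a regression test that feeds a span pair with `spans[1].x < spans[0].x` would keep the guard from being dropped again.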