From: Søren Sandmann Pedersen <ssp@redhat.com>
Date: Sun, 18 Dec 2011 13:16:45 +0000 (-0500)
Subject: Fix some signed overflow bugs
X-Git-Tag: pixman-0.25.2~44
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=4f3fe9c9096b2261217c2d4beb7d5eb8e578ed76;p=platform%2Fupstream%2Fpixman.git

Fix some signed overflow bugs

In the macros for the PDF blend modes, two comp1_t variables are
multiplied together and then used as if the result were a
comp4_t. When comp1_t is a uint8_t, this is fine because they are
promoted to int, and the product of two uint8_ts fits in an
int. However, when comp1_t is uint16, the product does not necessarily
fit in an int, so casts are necessary.

Fix for bug 43906, reported by Siarhei Siamashka.
---

diff --git a/pixman/pixman-combine.c.template b/pixman/pixman-combine.c.template
index c17bcea..cd008d9 100644
--- a/pixman/pixman-combine.c.template
+++ b/pixman/pixman-combine.c.template
@@ -522,7 +522,7 @@ combine_multiply_ca (pixman_implementation_t *imp,
 	    UNcx4_MUL_UNc_ADD_UNcx4_MUL_UNc (result, isa, s, ida);	\
 	    								\
 	    *(dest + i) = result +					\
-		(DIV_ONE_UNc (sa * da) << A_SHIFT) +			\
+		(DIV_ONE_UNc (sa * (comp4_t)da) << A_SHIFT) +		\
 		(blend_ ## name (RED_c (d), da, RED_c (s), sa) << R_SHIFT) + \
 		(blend_ ## name (GREEN_c (d), da, GREEN_c (s), sa) << G_SHIFT) + \
 		(blend_ ## name (BLUE_c (d), da, BLUE_c (s), sa));	\
@@ -552,7 +552,7 @@ combine_multiply_ca (pixman_implementation_t *imp,
 	    UNcx4_MUL_UNcx4_ADD_UNcx4_MUL_UNc (result, ~m, s, ida);     \
             								\
 	    result +=							\
-	        (DIV_ONE_UNc (ALPHA_c (m) * da) << A_SHIFT) +		\
+	        (DIV_ONE_UNc (ALPHA_c (m) * (comp4_t)da) << A_SHIFT) +	\
 	        (blend_ ## name (RED_c (d), da, RED_c (s), RED_c (m)) << R_SHIFT) + \
 	        (blend_ ## name (GREEN_c (d), da, GREEN_c (s), GREEN_c (m)) << G_SHIFT) + \
 	        (blend_ ## name (BLUE_c (d), da, BLUE_c (s), BLUE_c (m))); \
@@ -926,7 +926,7 @@ PDF_SEPARABLE_BLEND_MODE (exclusion)
 	    blend_ ## name (c, dc, da, sc, sa);				\
             								\
 	    *(dest + i) = result +					\
-		(DIV_ONE_UNc (sa * da) << A_SHIFT) +			\
+		(DIV_ONE_UNc (sa * (comp4_t)da) << A_SHIFT) +		\
 		(DIV_ONE_UNc (c[0]) << R_SHIFT) +			\
 		(DIV_ONE_UNc (c[1]) << G_SHIFT) +			\
 		(DIV_ONE_UNc (c[2]));					\
diff --git a/test/blitters-test.c b/test/blitters-test.c
index 55b6c73..63162e6 100644
--- a/test/blitters-test.c
+++ b/test/blitters-test.c
@@ -424,6 +424,6 @@ main (int argc, const char *argv[])
     }
 
     return fuzzer_test_main("blitters", 2000000,
-			    0x29137844,
+			    0x3EDA4108,
 			    test_composite, argc, argv);
 }