From a966cd04c16ad0c34b0f17e9021a4f3532575ca4 Mon Sep 17 00:00:00 2001
From: Andrea Canciani
Date: Tue, 12 Oct 2010 15:38:20 +0200
Subject: [PATCH] Fix an overflow in the new radial gradient code

huge-radial in the cairo test suite pointed out an undocumented overflow in the radial gradient code. By casting to pixman_fixed_48_16_t before doing the operations, the overflow can be avoided.
---
 pixman/pixman-radial-gradient.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/pixman/pixman-radial-gradient.c b/pixman/pixman-radial-gradient.c
index ed073ab..f0dcc96 100644
--- a/pixman/pixman-radial-gradient.c
+++ b/pixman/pixman-radial-gradient.c
@@ -290,10 +290,11 @@ radial_gradient_get_scanline_32 (pixman_image_t *image,
 db = dot (unit.vector[0], unit.vector[1], 0, radial->delta.x, radial->delta.y, 0);
- c = dot (v.vector[0], v.vector[1], -radial->c1.radius,
+ c = dot (v.vector[0], v.vector[1],
+ -((pixman_fixed_48_16_t) radial->c1.radius),
 v.vector[0], v.vector[1], radial->c1.radius);
- dc = dot (2 * v.vector[0] + unit.vector[0],
- 2 * v.vector[1] + unit.vector[1],
+ dc = dot (2 * (pixman_fixed_48_16_t) v.vector[0] + unit.vector[0],
+ 2 * (pixman_fixed_48_16_t) v.vector[1] + unit.vector[1],
 0, unit.vector[0], unit.vector[1], 0);
 ddc = 2 * dot (unit.vector[0], unit.vector[1], 0,
-- 
2.7.4
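Review bot: The widening casts added to the `c` and `dc` computations carry no comment, so a later cleanup could remove them as redundant and bring back the narrow signed arithmetic, whose overflow is undefined behaviour in C. A one-line comment above `c = dot (...)` would record the intent, for example `/* Widen to pixman_fixed_48_16_t before doing arithmetic on the operands; the narrower fixed-point type overflows for huge gradients. */`. The neighbouring `db` and `ddc` calls pass their operands unmodified and look unaffected. Whether the products summed inside `dot` stay in range for the now wider `2 * v + unit` arguments is not visible in this hunk, and is worth confirming because gradient geometry can come from untrusted content. The body of `radial_gradient_get_scanline_32` starts and ends outside the hunk.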