1 |
tetromino 15/03/05 18:22:53 |
2 |
|
3 |
Added: cairo-1.14.0-xcb-0-sized-glyph.patch |
4 |
cairo-1.14.0-xlib-0-sized-glyph.patch |
5 |
cairo-1.14.0-tor-scan-converter-do_fullrow-intersection.patch |
6 |
cairo-1.14.0-CFF-unaligned-access.patch |
7 |
cairo-1.14.0-image-negative-span-length.patch |
8 |
Log: |
9 |
Add upstream patches to fix several crashes. Should fix bug #541326 (heap corruption in darktable and evince), thanks to sergeev917 and Andrey Volkov. |
10 |
|
11 |
(Portage version: 2.2.18/cvs/Linux x86_64, signed Manifest commit with key 0x18E5B6F2D8D5EC8D) |
12 |
|
13 |
Revision Changes Path |
14 |
1.1 x11-libs/cairo/files/cairo-1.14.0-xcb-0-sized-glyph.patch |
15 |
|
16 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/cairo/files/cairo-1.14.0-xcb-0-sized-glyph.patch?rev=1.1&view=markup |
17 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/cairo/files/cairo-1.14.0-xcb-0-sized-glyph.patch?rev=1.1&content-type=text/plain |
18 |
|
19 |
Index: cairo-1.14.0-xcb-0-sized-glyph.patch |
20 |
=================================================================== |
21 |
From a03f2ff72054c9530f98738aac729354a3f56102 Mon Sep 17 00:00:00 2001 |
22 |
From: Adam Jackson <ajax@××××××.com> |
23 |
Date: Fri, 31 Oct 2014 13:21:15 -0400 |
24 |
Subject: [PATCH 2/2] xcb: Don't crash when swapping a 0-sized glyph |
25 |
|
26 |
malloc(0) needn't return NULL, and on glibc, doesn't. Then we encounter |
27 |
a loop of the form do { ... } while (--c), which doesn't do quite what |
28 |
you were hoping for when c is initially 0. |
29 |
|
30 |
Since there's nothing to swap in this case, just bomb out. |
31 |
|
32 |
Signed-off-by: Adam Jackson <ajax@××××××.com> |
33 |
--- |
34 |
src/cairo-xcb-surface-render.c | 6 ++++++ |
35 |
1 file changed, 6 insertions(+) |
36 |
|
37 |
diff --git a/src/cairo-xcb-surface-render.c b/src/cairo-xcb-surface-render.c |
38 |
index 21a89cc..1a086a2 100644 |
39 |
--- a/src/cairo-xcb-surface-render.c |
40 |
+++ b/src/cairo-xcb-surface-render.c |
41 |
@@ -4467,6 +4467,9 @@ _cairo_xcb_surface_add_glyph (cairo_xcb_connection_t *connection, |
42 |
const uint8_t *d; |
43 |
uint8_t *new, *n; |
44 |
|
45 |
+ if (c == 0) |
46 |
+ break; |
47 |
+ |
48 |
new = malloc (c); |
49 |
if (unlikely (new == NULL)) { |
50 |
status = _cairo_error (CAIRO_STATUS_NO_MEMORY); |
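Review bot: The new `if (c == 0) break;` guard has no comment, so the reason for it is recorded only in the commit message. I would add `/* nothing to swap; the do { } while (--c) loop must not run with a zero count */` above it, here and at the other three guards (the second hunk of this file and both hunks of cairo-xlib-render-compositor.c). The loop itself is outside the hunk, so the wording should be checked against it.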
51 |
@@ -4495,6 +4498,9 @@ _cairo_xcb_surface_add_glyph (cairo_xcb_connection_t *connection, |
52 |
const uint32_t *d; |
53 |
uint32_t *new, *n; |
54 |
|
55 |
+ if (c == 0) |
56 |
+ break; |
57 |
+ |
58 |
new = malloc (4 * c); |
59 |
if (unlikely (new == NULL)) { |
60 |
status = _cairo_error (CAIRO_STATUS_NO_MEMORY); |
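Review bot: `malloc (4 * c)`, just below the new guard, multiplies without an overflow check, so a very large `c` could produce an allocation smaller than what the swap loop writes. The declaration of `c` and how it is derived from the glyph dimensions are outside the hunk, so this matters only if `c` is not already bounded there. If it is not, compare `c` against a quarter of its type's maximum before multiplying and take the existing `CAIRO_STATUS_NO_MEMORY` path on failure. The same expression appears in the second hunk of cairo-xlib-render-compositor.c.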
61 |
-- |
62 |
2.3.1 |
63 |
|
64 |
|
65 |
|
66 |
|
67 |
1.1 x11-libs/cairo/files/cairo-1.14.0-xlib-0-sized-glyph.patch |
68 |
|
69 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/cairo/files/cairo-1.14.0-xlib-0-sized-glyph.patch?rev=1.1&view=markup |
70 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/cairo/files/cairo-1.14.0-xlib-0-sized-glyph.patch?rev=1.1&content-type=text/plain |
71 |
|
72 |
Index: cairo-1.14.0-xlib-0-sized-glyph.patch |
73 |
=================================================================== |
74 |
From 3cf862f6d973755cd9824c2224fbe0a623c47ff1 Mon Sep 17 00:00:00 2001 |
75 |
From: Adam Jackson <ajax@××××××.com> |
76 |
Date: Fri, 31 Oct 2014 13:21:14 -0400 |
77 |
Subject: [PATCH 1/2] xlib: Don't crash when swapping a 0-sized glyph |
78 |
|
79 |
malloc(0) needn't return NULL, and on glibc, doesn't. Then we encounter |
80 |
a loop of the form do { ... } while (--c), which doesn't do quite what |
81 |
you were hoping for when c is initially 0. |
82 |
|
83 |
Since there's nothing to swap in this case, just bomb out. |
84 |
|
85 |
Signed-off-by: Adam Jackson <ajax@××××××.com> |
86 |
--- |
87 |
src/cairo-xlib-render-compositor.c | 6 ++++++ |
88 |
1 file changed, 6 insertions(+) |
89 |
|
90 |
diff --git a/src/cairo-xlib-render-compositor.c b/src/cairo-xlib-render-compositor.c |
91 |
index e90df09..8a1ec7b 100644 |
92 |
--- a/src/cairo-xlib-render-compositor.c |
93 |
+++ b/src/cairo-xlib-render-compositor.c |
94 |
@@ -1287,6 +1287,9 @@ _cairo_xlib_surface_add_glyph (cairo_xlib_display_t *display, |
95 |
unsigned char *d; |
96 |
unsigned char *new, *n; |
97 |
|
98 |
+ if (c == 0) |
99 |
+ break; |
100 |
+ |
101 |
new = malloc (c); |
102 |
if (!new) { |
103 |
status = _cairo_error (CAIRO_STATUS_NO_MEMORY); |
104 |
@@ -1312,6 +1315,9 @@ _cairo_xlib_surface_add_glyph (cairo_xlib_display_t *display, |
105 |
const uint32_t *d; |
106 |
uint32_t *new, *n; |
107 |
|
108 |
+ if (c == 0) |
109 |
+ break; |
110 |
+ |
111 |
new = malloc (4 * c); |
112 |
if (unlikely (new == NULL)) { |
113 |
status = _cairo_error (CAIRO_STATUS_NO_MEMORY); |
114 |
-- |
115 |
2.3.1 |
116 |
|
117 |
|
118 |
|
119 |
|
120 |
1.1 x11-libs/cairo/files/cairo-1.14.0-tor-scan-converter-do_fullrow-intersection.patch |
121 |
|
122 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/cairo/files/cairo-1.14.0-tor-scan-converter-do_fullrow-intersection.patch?rev=1.1&view=markup |
123 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/cairo/files/cairo-1.14.0-tor-scan-converter-do_fullrow-intersection.patch?rev=1.1&content-type=text/plain |
124 |
|
125 |
Index: cairo-1.14.0-tor-scan-converter-do_fullrow-intersection.patch |
126 |
=================================================================== |
127 |
From 2de69581c28bf115852037ca41eba13cb7335976 Mon Sep 17 00:00:00 2001 |
128 |
From: Massimo Valentini <mvalentini@×××××××××.org> |
129 |
Date: Sun, 19 Oct 2014 09:19:10 +0200 |
130 |
Subject: [PATCH] tor-scan-converter: can't do_fullrow when intersection in row |
131 |
+ 0.5subrow |
132 |
|
133 |
the active edges list must be left sorted at the next possible use |
134 |
and since full_row does not deal with intersections it is not usable |
135 |
when there is an intersection in the top half of the next row first |
136 |
subrow |
137 |
|
138 |
Reported-and-tested-by: Matthew Leach |
139 |
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=85151 |
140 |
Reviewed-by: Chris Wilson <chris@×××××××××××××××.uk> |
141 |
--- |
142 |
src/cairo-tor-scan-converter.c | 4 ++-- |
143 |
1 file changed, 2 insertions(+), 2 deletions(-) |
144 |
|
145 |
diff --git a/src/cairo-tor-scan-converter.c b/src/cairo-tor-scan-converter.c |
146 |
index 4adcafb..14922d0 100644 |
147 |
--- a/src/cairo-tor-scan-converter.c |
148 |
+++ b/src/cairo-tor-scan-converter.c |
149 |
@@ -1167,8 +1167,8 @@ can_do_full_row (struct active_list *active) |
150 |
|
151 |
if (e->dy) { |
152 |
struct quorem x = e->x; |
153 |
- x.quo += e->dxdy_full.quo - e->dxdy.quo/2; |
154 |
- x.rem += e->dxdy_full.rem - e->dxdy.rem/2; |
155 |
+ x.quo += e->dxdy_full.quo; |
156 |
+ x.rem += e->dxdy_full.rem; |
157 |
if (x.rem < 0) { |
158 |
x.quo--; |
159 |
x.rem += e->dy; |
160 |
-- |
161 |
2.3.1 |
162 |
|
163 |
|
164 |
|
165 |
|
166 |
1.1 x11-libs/cairo/files/cairo-1.14.0-CFF-unaligned-access.patch |
167 |
|
168 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/cairo/files/cairo-1.14.0-CFF-unaligned-access.patch?rev=1.1&view=markup |
169 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/cairo/files/cairo-1.14.0-CFF-unaligned-access.patch?rev=1.1&content-type=text/plain |
170 |
|
171 |
Index: cairo-1.14.0-CFF-unaligned-access.patch |
172 |
=================================================================== |
173 |
From 99a35dd273f3deb4ae54310f1ed1746bfd9fae70 Mon Sep 17 00:00:00 2001 |
174 |
From: Adrian Johnson <ajohnson@×××××××.com> |
175 |
Date: Sun, 19 Oct 2014 11:34:34 +1030 |
176 |
Subject: [PATCH] CFF: Fix unaligned access |
177 |
|
178 |
Debian bug 712836 reported bus errors in cff subsetting when |
179 |
running on a sparc. This is because unlike truetype, all data |
180 |
in the compact font format is not aligned. |
181 |
|
182 |
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712836 |
183 |
--- |
184 |
src/cairo-cff-subset.c | 35 +++++++++++++++++++---------------- |
185 |
src/cairo-image-info.c | 32 +++++++++++++------------------- |
186 |
src/cairoint.h | 26 ++++++++++++++++++++++++++ |
187 |
3 files changed, 58 insertions(+), 35 deletions(-) |
188 |
|
189 |
diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c |
190 |
index 4660d6e..f15deb5 100644 |
191 |
--- a/src/cairo-cff-subset.c |
192 |
+++ b/src/cairo-cff-subset.c |
193 |
@@ -433,7 +433,7 @@ cff_index_read (cairo_array_t *index, unsigned char **ptr, unsigned char *end_pt |
194 |
p = *ptr; |
195 |
if (p + 2 > end_ptr) |
196 |
return CAIRO_INT_STATUS_UNSUPPORTED; |
197 |
- count = be16_to_cpu( *((uint16_t *)p) ); |
198 |
+ count = get_unaligned_be16 (p); |
199 |
p += 2; |
200 |
if (count > 0) { |
201 |
offset_size = *p++; |
202 |
@@ -984,14 +984,14 @@ cairo_cff_font_read_fdselect (cairo_cff_font_t *font, unsigned char *p) |
203 |
for (i = 0; i < font->num_glyphs; i++) |
204 |
font->fdselect[i] = *p++; |
205 |
} else if (type == 3) { |
206 |
- num_ranges = be16_to_cpu( *((uint16_t *)p) ); |
207 |
+ num_ranges = get_unaligned_be16 (p); |
208 |
p += 2; |
209 |
for (i = 0; i < num_ranges; i++) |
210 |
{ |
211 |
- first = be16_to_cpu( *((uint16_t *)p) ); |
212 |
+ first = get_unaligned_be16 (p); |
213 |
p += 2; |
214 |
fd = *p++; |
215 |
- last = be16_to_cpu( *((uint16_t *)p) ); |
216 |
+ last = get_unaligned_be16 (p); |
217 |
for (j = first; j < last; j++) |
218 |
font->fdselect[j] = fd; |
219 |
} |
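Review bot: `first` and `last` come straight from the font through `get_unaligned_be16 (p)` and are then used as indices in `font->fdselect[j] = fd` with no upper bound, so a malformed FDSelect range can write past the array. The type 0 branch above fills exactly `font->num_glyphs` entries, which suggests that is the array's size, but the allocation is outside the hunk. I would reject bad ranges before the inner loop, for example `if (last > font->num_glyphs) return CAIRO_INT_STATUS_UNSUPPORTED;`, and also check `p` against the end of the font data inside the `num_ranges` loop. The function's return type is not visible here, so the status value is an assumption to confirm.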
220 |
@@ -1722,7 +1722,7 @@ cairo_cff_font_get_gid_for_cid (cairo_cff_font_t *font, unsigned long cid, unsi |
221 |
p = font->charset + 1; |
222 |
g = 1; |
223 |
while (g <= (unsigned)font->num_glyphs && p < font->data_end) { |
224 |
- c = be16_to_cpu( *((uint16_t *)p) ); |
225 |
+ c = get_unaligned_be16 (p); |
226 |
if (c == cid) { |
227 |
*gid = g; |
228 |
return CAIRO_STATUS_SUCCESS; |
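Review bot: `get_unaligned_be16 (p)` reads `p[0]` and `p[1]`, but the loop guard in this hunk only requires `p < font->data_end`, so the last iteration can read one byte past the font data. The guard should be `p + 1 < font->data_end`; the two later hunks in this function already leave room with `p + 2 <` and `p + 3 <`. The loop body continues outside the hunk.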
229 |
@@ -1737,7 +1737,7 @@ cairo_cff_font_get_gid_for_cid (cairo_cff_font_t *font, unsigned long cid, unsi |
230 |
first_gid = 1; |
231 |
p = font->charset + 1; |
232 |
while (first_gid <= (unsigned)font->num_glyphs && p + 2 < font->data_end) { |
233 |
- first_cid = be16_to_cpu( *((uint16_t *)p) ); |
234 |
+ first_cid = get_unaligned_be16 (p); |
235 |
num_left = p[2]; |
236 |
if (cid >= first_cid && cid <= first_cid + num_left) { |
237 |
*gid = first_gid + cid - first_cid; |
238 |
@@ -1753,8 +1753,8 @@ cairo_cff_font_get_gid_for_cid (cairo_cff_font_t *font, unsigned long cid, unsi |
239 |
first_gid = 1; |
240 |
p = font->charset + 1; |
241 |
while (first_gid <= (unsigned)font->num_glyphs && p + 3 < font->data_end) { |
242 |
- first_cid = be16_to_cpu( *((uint16_t *)p) ); |
243 |
- num_left = be16_to_cpu( *((uint16_t *)(p+2)) ); |
244 |
+ first_cid = get_unaligned_be16 (p); |
245 |
+ num_left = get_unaligned_be16 (p+2); |
246 |
if (cid >= first_cid && cid <= first_cid + num_left) { |
247 |
*gid = first_gid + cid - first_cid; |
248 |
return CAIRO_STATUS_SUCCESS; |
249 |
@@ -2328,7 +2328,7 @@ cairo_cff_font_write_cid_fontdict (cairo_cff_font_t *font) |
250 |
unsigned int i; |
251 |
cairo_int_status_t status; |
252 |
unsigned int offset_array; |
253 |
- uint32_t *offset_array_ptr; |
254 |
+ unsigned char *offset_array_ptr; |
255 |
int offset_base; |
256 |
uint16_t count; |
257 |
uint8_t offset_size = 4; |
258 |
@@ -2349,7 +2349,7 @@ cairo_cff_font_write_cid_fontdict (cairo_cff_font_t *font) |
259 |
if (unlikely (status)) |
260 |
return status; |
261 |
offset_base = _cairo_array_num_elements (&font->output) - 1; |
262 |
- *offset_array_ptr = cpu_to_be32(1); |
263 |
+ put_unaligned_be32(1, offset_array_ptr); |
264 |
offset_array += sizeof(uint32_t); |
265 |
for (i = 0; i < font->num_subset_fontdicts; i++) { |
266 |
status = cff_dict_write (font->fd_dict[font->fd_subset_map[i]], |
267 |
@@ -2357,8 +2357,9 @@ cairo_cff_font_write_cid_fontdict (cairo_cff_font_t *font) |
268 |
if (unlikely (status)) |
269 |
return status; |
270 |
|
271 |
- offset_array_ptr = (uint32_t *) _cairo_array_index (&font->output, offset_array); |
272 |
- *offset_array_ptr = cpu_to_be32(_cairo_array_num_elements (&font->output) - offset_base); |
273 |
+ offset_array_ptr = _cairo_array_index (&font->output, offset_array); |
274 |
+ put_unaligned_be32 (_cairo_array_num_elements (&font->output) - offset_base, |
275 |
+ offset_array_ptr); |
276 |
offset_array += sizeof(uint32_t); |
277 |
} |
278 |
|
279 |
@@ -2609,7 +2610,7 @@ cairo_cff_font_create_set_widths (cairo_cff_font_t *font) |
280 |
unsigned int i; |
281 |
tt_hhea_t hhea; |
282 |
int num_hmetrics; |
283 |
- unsigned char buf[10]; |
284 |
+ uint16_t short_entry; |
285 |
int glyph_index; |
286 |
cairo_int_status_t status; |
287 |
|
288 |
@@ -2629,7 +2630,8 @@ cairo_cff_font_create_set_widths (cairo_cff_font_t *font) |
289 |
status = font->backend->load_truetype_table (font->scaled_font_subset->scaled_font, |
290 |
TT_TAG_hmtx, |
291 |
glyph_index * long_entry_size, |
292 |
- buf, &short_entry_size); |
293 |
+ (unsigned char *) &short_entry, |
294 |
+ &short_entry_size); |
295 |
if (unlikely (status)) |
296 |
return status; |
297 |
} |
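Review bot: The destination shrank from `unsigned char buf[10]` to a two-byte `uint16_t short_entry`, so the call now relies on `short_entry_size` being exactly 2 when `load_truetype_table` fills the buffer. `short_entry_size` is declared outside the hunk; if it is a variable rather than a constant, I would add `assert (short_entry_size == sizeof (short_entry));` before the call here and in the next hunk. At minimum, a comment at the declaration of `short_entry` should state that invariant.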
298 |
@@ -2638,11 +2640,12 @@ cairo_cff_font_create_set_widths (cairo_cff_font_t *font) |
299 |
status = font->backend->load_truetype_table (font->scaled_font_subset->scaled_font, |
300 |
TT_TAG_hmtx, |
301 |
(num_hmetrics - 1) * long_entry_size, |
302 |
- buf, &short_entry_size); |
303 |
+ (unsigned char *) &short_entry, |
304 |
+ &short_entry_size); |
305 |
if (unlikely (status)) |
306 |
return status; |
307 |
} |
308 |
- font->widths[i] = be16_to_cpu (*((int16_t*)buf)); |
309 |
+ font->widths[i] = be16_to_cpu (short_entry); |
310 |
} |
311 |
|
312 |
return CAIRO_STATUS_SUCCESS; |
313 |
diff --git a/src/cairo-image-info.c b/src/cairo-image-info.c |
314 |
index 64053a2..26e7ae5 100644 |
315 |
--- a/src/cairo-image-info.c |
316 |
+++ b/src/cairo-image-info.c |
317 |
@@ -39,12 +39,6 @@ |
318 |
#include "cairo-error-private.h" |
319 |
#include "cairo-image-info-private.h" |
320 |
|
321 |
-static uint32_t |
322 |
-_get_be32 (const unsigned char *p) |
323 |
-{ |
324 |
- return p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; |
325 |
-} |
326 |
- |
327 |
/* JPEG (image/jpeg) |
328 |
* |
329 |
* http://www.w3.org/Graphics/JPEG/itu-t81.pdf |
330 |
@@ -170,7 +164,7 @@ static const unsigned char _jpx_signature[] = { |
331 |
static const unsigned char * |
332 |
_jpx_next_box (const unsigned char *p) |
333 |
{ |
334 |
- return p + _get_be32 (p); |
335 |
+ return p + get_unaligned_be32 (p); |
336 |
} |
337 |
|
338 |
static const unsigned char * |
339 |
@@ -185,8 +179,8 @@ _jpx_match_box (const unsigned char *p, const unsigned char *end, uint32_t type) |
340 |
uint32_t length; |
341 |
|
342 |
if (p + 8 < end) { |
343 |
- length = _get_be32 (p); |
344 |
- if (_get_be32 (p + 4) == type && p + length < end) |
345 |
+ length = get_unaligned_be32 (p); |
346 |
+ if (get_unaligned_be32 (p + 4) == type && p + length < end) |
347 |
return TRUE; |
348 |
} |
349 |
|
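Review bot: `p + length < end` uses a `length` read straight from the file by `get_unaligned_be32 (p)`, and forming a pointer that far past the buffer is undefined and can wrap on 32-bit targets, letting an oversized box pass the check. Comparing sizes avoids the pointer arithmetic: `if (get_unaligned_be32 (p + 4) == type && length < (size_t) (end - p))`. `_jpx_next_box` in the previous hunk advances by the same unchecked length, so whether a zero or oversized value is safe there depends on its callers, which are outside the hunk.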
350 |
@@ -208,8 +202,8 @@ _jpx_find_box (const unsigned char *p, const unsigned char *end, uint32_t type) |
351 |
static void |
352 |
_jpx_extract_info (const unsigned char *p, cairo_image_info_t *info) |
353 |
{ |
354 |
- info->height = _get_be32 (p); |
355 |
- info->width = _get_be32 (p + 4); |
356 |
+ info->height = get_unaligned_be32 (p); |
357 |
+ info->width = get_unaligned_be32 (p + 4); |
358 |
info->num_components = (p[8] << 8) + p[9]; |
359 |
info->bits_per_component = p[10]; |
360 |
} |
361 |
@@ -281,13 +275,13 @@ _cairo_image_info_get_png_info (cairo_image_info_t *info, |
362 |
return CAIRO_INT_STATUS_UNSUPPORTED; |
363 |
|
364 |
p += 4; |
365 |
- if (_get_be32 (p) != PNG_IHDR) |
366 |
+ if (get_unaligned_be32 (p) != PNG_IHDR) |
367 |
return CAIRO_INT_STATUS_UNSUPPORTED; |
368 |
|
369 |
p += 4; |
370 |
- info->width = _get_be32 (p); |
371 |
+ info->width = get_unaligned_be32 (p); |
372 |
p += 4; |
373 |
- info->height = _get_be32 (p); |
374 |
+ info->height = get_unaligned_be32 (p); |
375 |
|
376 |
return CAIRO_STATUS_SUCCESS; |
377 |
} |
378 |
@@ -347,14 +341,14 @@ _jbig2_get_next_segment (const unsigned char *p, |
379 |
if (p + 6 >= end) |
380 |
return NULL; |
381 |
|
382 |
- seg_num = _get_be32 (p); |
383 |
+ seg_num = get_unaligned_be32 (p); |
384 |
*type = p[4] & 0x3f; |
385 |
big_page_size = (p[4] & 0x40) != 0; |
386 |
p += 5; |
387 |
|
388 |
num_segs = p[0] >> 5; |
389 |
if (num_segs == 7) { |
390 |
- num_segs = _get_be32 (p) & 0x1fffffff; |
391 |
+ num_segs = get_unaligned_be32 (p) & 0x1fffffff; |
392 |
ref_seg_bytes = 4 + ((num_segs + 1)/8); |
393 |
} else { |
394 |
ref_seg_bytes = 1; |
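Review bot: The read `get_unaligned_be32 (p) & 0x1fffffff` comes after `p += 5`, so it touches bytes 5 to 8 of the segment header, while the only check visible in this hunk, `p + 6 >= end`, guarantees seven bytes. A truncated JBIG2 stream can therefore be read up to two bytes past `end`. I would add `if (p + 4 > end) return NULL;` inside the `num_segs == 7` branch before the read. The function continues outside the hunk.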
395 |
@@ -373,7 +367,7 @@ _jbig2_get_next_segment (const unsigned char *p, |
396 |
if (p + 4 >= end) |
397 |
return NULL; |
398 |
|
399 |
- *data_len = _get_be32 (p); |
400 |
+ *data_len = get_unaligned_be32 (p); |
401 |
p += 4; |
402 |
*data = p; |
403 |
|
404 |
@@ -397,8 +391,8 @@ _jbig2_get_next_segment (const unsigned char *p, |
405 |
static void |
406 |
_jbig2_extract_info (cairo_image_info_t *info, const unsigned char *p) |
407 |
{ |
408 |
- info->width = _get_be32 (p); |
409 |
- info->height = _get_be32 (p + 4); |
410 |
+ info->width = get_unaligned_be32 (p); |
411 |
+ info->height = get_unaligned_be32 (p + 4); |
412 |
info->num_components = 1; |
413 |
info->bits_per_component = 1; |
414 |
} |
415 |
diff --git a/src/cairoint.h b/src/cairoint.h |
416 |
index b4e8ac8..07ced42 100644 |
417 |
--- a/src/cairoint.h |
418 |
+++ b/src/cairoint.h |
419 |
@@ -240,6 +240,32 @@ be32_to_cpu(uint32_t v) |
420 |
|
421 |
#endif |
422 |
|
423 |
+/* Unaligned big endian access |
424 |
+ */ |
425 |
+ |
426 |
+static inline uint16_t get_unaligned_be16 (const unsigned char *p) |
427 |
+{ |
428 |
+ return p[0] << 8 | p[1]; |
429 |
+} |
430 |
+ |
431 |
+static inline uint32_t get_unaligned_be32 (const unsigned char *p) |
432 |
+{ |
433 |
+ return p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; |
434 |
+} |
435 |
+ |
436 |
+static inline void put_unaligned_be16 (uint16_t v, unsigned char *p) |
437 |
+{ |
438 |
+ p[0] = (v >> 8) & 0xff; |
439 |
+ p[1] = v & 0xff; |
440 |
+} |
441 |
+ |
442 |
+static inline void put_unaligned_be32 (uint32_t v, unsigned char *p) |
443 |
+{ |
444 |
+ p[0] = (v >> 24) & 0xff; |
445 |
+ p[1] = (v >> 16) & 0xff; |
446 |
+ p[2] = (v >> 8) & 0xff; |
447 |
+ p[3] = v & 0xff; |
448 |
+} |
449 |
|
450 |
/* The glibc versions of ispace() and isdigit() are slow in UTF-8 locales. |
451 |
*/ |
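Review bot: In `get_unaligned_be32`, `p[0] << 24` shifts a value promoted to `int`, so a first byte of 0x80 or above shifts into the sign bit, which is undefined behaviour in C. Cast before shifting: `return (uint32_t) p[0] << 24 | (uint32_t) p[1] << 16 | (uint32_t) p[2] << 8 | p[3];`. Each helper also deserves a one-line comment saying that `p` must point to at least 2 or 4 accessible bytes, since the callers in this patch pass font and image data that is bounds-checked only at the call site.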
452 |
-- |
453 |
2.3.1 |
454 |
|
455 |
|
456 |
|
457 |
|
458 |
1.1 x11-libs/cairo/files/cairo-1.14.0-image-negative-span-length.patch |
459 |
|
460 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/cairo/files/cairo-1.14.0-image-negative-span-length.patch?rev=1.1&view=markup |
461 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/cairo/files/cairo-1.14.0-image-negative-span-length.patch?rev=1.1&content-type=text/plain |
462 |
|
463 |
Index: cairo-1.14.0-image-negative-span-length.patch |
464 |
=================================================================== |
465 |
From 5c82d91a5e15d29b1489dcb413b24ee7fdf59934 Mon Sep 17 00:00:00 2001 |
466 |
From: Bryce Harrington <bryce@×××××××××××.com> |
467 |
Date: Wed, 3 Dec 2014 19:28:15 -0800 |
468 |
Subject: [PATCH] image: Fix crash in _fill_xrgb32_lerp_opaque_spans |
469 |
|
470 |
If a span length is negative don't go out of bounds processing the fill |
471 |
data. |
472 |
|
473 |
Patch thanks to Ilya Sakhnenko <ilia.softway@×××××.com> on mailing list. |
474 |
|
475 |
Signed-off-by: Bryce Harrington <bryce@×××××××××××.com> |
476 |
--- |
477 |
src/cairo-image-compositor.c | 4 ++-- |
478 |
1 file changed, 2 insertions(+), 2 deletions(-) |
479 |
|
480 |
diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c |
481 |
index 6ff0f09..48072f8 100644 |
482 |
--- a/src/cairo-image-compositor.c |
483 |
+++ b/src/cairo-image-compositor.c |
484 |
@@ -2242,10 +2242,10 @@ _fill_xrgb32_lerp_opaque_spans (void *abstract_renderer, int y, int h, |
485 |
spans[0].x, y, len, 1, r->u.fill.pixel); |
486 |
} else { |
487 |
uint32_t *d = (uint32_t*)(r->u.fill.data + r->u.fill.stride*y + spans[0].x*4); |
488 |
- while (len--) |
489 |
+ while (len-- > 0) |
490 |
*d++ = r->u.fill.pixel; |
491 |
} |
492 |
- } else while (len--) { |
493 |
+ } else while (len-- > 0) { |
494 |
*d = lerp8x4 (r->u.fill.pixel, a, *d); |
495 |
d++; |
496 |
} |
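Review bot: Both loops are now guarded with `len-- > 0`, but the call that ends on the first context line, `spans[0].x, y, len, 1, r->u.fill.pixel);`, still receives a possibly negative `len` as its width. `d` is also computed from `spans[0].x` before the first loop runs. A single `len <= 0` check at the point where `len` is computed would cover all three uses and make the intent explicit. That line and the start of the call are outside the hunk, so this needs confirming against the full function.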
497 |
-- |
498 |
2.3.1 |