When fbBresSolid draws a line, it can happen that after the last pixel, the Bresenham error term overflows, and fbBresSolid paints another pixel before adjusting the error term.
However, if this happens on the last pixel (len=0), this extra pixel might overshoot the boundary, and, in rare cases, lead to a segfault. Fix this issue by adjusting for the Bresenham error term before drawing the main pixel, not after. Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=24274 Signed-off-by: Simon Schubert <2...@0x2c.org> --- fb/fbseg.c | 36 ++++++++++++++++++------------------ 1 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/fb/fbseg.c b/fb/fbseg.c
index 5a458fe..c05331c 100644
--- a/fb/fbseg.c
+++ b/fb/fbseg.c
@@ -73,6 +73,13 @@ fbBresSolid (DrawablePtr pDrawable,
bits = 0;
while (len--)
{
+ if (e >= 0)
+ {
+ WRITE(dst, FbDoMaskRRop (READ(dst), and, xor, bits));
+ bits = 0;
+ dst += dstStride;
+ e += e3;
+ }
bits |= mask;
mask = fbBresShiftMask(mask,signdx,dstBpp);
if (!mask)
@@ -83,13 +90,6 @@ fbBresSolid (DrawablePtr pDrawable,
mask = mask0;
}
e += e1;
- if (e >= 0)
- {
- WRITE(dst, FbDoMaskRRop (READ(dst), and, xor, bits));
- bits = 0;
- dst += dstStride;
- e += e3;
- }
}
if (bits)
WRITE(dst, FbDoMaskRRop (READ(dst), and, xor, bits));
@@ -98,19 +98,19 @@ fbBresSolid (DrawablePtr pDrawable,
{
while (len--)
{
- WRITE(dst, FbDoMaskRRop (READ(dst), and, xor, mask));
+ if (e >= 0)
+ {
+ e += e3;
+ mask = fbBresShiftMask(mask,signdx,dstBpp);
+ if (!mask)
+ {
+ dst += signdx;
+ mask = mask0;
+ }
+ }
+ WRITE(dst, FbDoMaskRRop (READ(dst), and, xor, mask));
dst += dstStride;
e += e1;
- if (e >= 0)
- {
- e += e3;
- mask = fbBresShiftMask(mask,signdx,dstBpp);
- if (!mask)
- {
- dst += signdx;
- mask = mask0;
- }
- }
}
}
signature.asc
Description: OpenPGP digital signature
_______________________________________________ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
