bo-rectangular: Prevent invalid read during edge traversal

Benjamin Otte tracked down an invalid read triggered by WebKit. The cause is that we attempt to dereference the list_head as an edge as we failed to check that during the skipping of colinear edges we advanced to the end, under the false assumption that there would always be a closing edge in a rectangle. This assumption is broken if the tail rectangles having colinear right edges.
author: Chris Wilson <chris@chris-wilson.co.uk> 2010-02-22 14:20:34 +0000
committer: Chris Wilson <chris@chris-wilson.co.uk> 2010-02-22 14:33:34 +0000
commit: 9f46bad301eff967dc0790fc271d872f8a45cedb (patch)
tree: c0edae90b18596688a478c072d5c1a451db3712f
parent: 75db4f0ece194b7aa0455509785a300784778ec4 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/src/cairo-bentley-ottmann-rectangular.c b/src/cairo-bentley-ottmann-rectangular.c
index ce4e01f0..736762e0 100644
--- a/src/cairo-bentley-ottmann-rectangular.c
+++ b/src/cairo-bentley-ottmann-rectangular.c
@@ -422,6 +422,9 @@ active_edges_to_traps (sweep_line_t	*sweep,
 
 		winding += right->dir;
 		if (winding == 0) {
+		    if (right->next == &sweep->tail)
+			break;
+
 		    /* skip co-linear edges */
 		    if (likely (right->x != right->next->x))
 			break;
@@ -450,6 +453,9 @@ active_edges_to_traps (sweep_line_t	*sweep,
 				  right, top, do_traps, container);
 		}
 
+		if (pos == &sweep->tail)
+		    break;
+
 		/* skip co-linear edges */
 		if (right->x != pos->x)
 		    break;
author	Chris Wilson <chris@chris-wilson.co.uk>	2010-02-22 14:20:34 +0000
committer	Chris Wilson <chris@chris-wilson.co.uk>	2010-02-22 14:33:34 +0000
commit	9f46bad301eff967dc0790fc271d872f8a45cedb (patch)
tree	c0edae90b18596688a478c072d5c1a451db3712f
parent	75db4f0ece194b7aa0455509785a300784778ec4 (diff)