diff options
| author | Matt Turner <mattst88@gmail.com> | 2022-11-02 12:07:32 -0400 |
|---|---|---|
| committer | Matt Turner <mattst88@gmail.com> | 2022-11-02 13:25:48 -0400 |
| commit | a1f88e842e0216a5b4df1ab023caebe33c101395 (patch) | |
| tree | 3220eec96e7f7bbd2a76672a7269b4e05226b720 | |
| parent | c3bbb94b4c76292837a3b79322f8a678f106394f (diff) | |
| download | pixman-a1f88e842e0216a5b4df1ab023caebe33c101395.tar.gz | |
Avoid integer overflow leading to out-of-bounds write
Thanks to Maddie Stone and Google's Project Zero for discovering this
issue, providing a proof-of-concept, and a great analysis.
Closes: https://gitlab.freedesktop.org/pixman/pixman/-/issues/63
| -rw-r--r-- | pixman/pixman-trap.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/pixman/pixman-trap.c b/pixman/pixman-trap.c index 91766fd..7560405 100644 --- a/pixman/pixman-trap.c +++ b/pixman/pixman-trap.c @@ -74,7 +74,7 @@ pixman_sample_floor_y (pixman_fixed_t y, if (f < Y_FRAC_FIRST (n)) { - if (pixman_fixed_to_int (i) == 0x8000) + if (pixman_fixed_to_int (i) == 0xffff8000) { f = 0; /* saturate */ } |