Submitted By: Ken Moffat Date: 2015-02-05 Initial Package Version: 1.14.0 Upstream Status: Applied Origin: See below Description: Consolidated fixes for crashes, particularly relevant to evince and inkscape. (1.) from Bryce Harrington, upstream commit 5c82d91a5e15d29b1489dcb413b24ee7fdf59934 (2.) from Massimo Valentini, upstream commit 2de69581c28bf115852037ca41eba13cb7335976 (3,4.) from Adam Jackson, upstream commits a03f2ff72054c9530f98738aac729354a3f56102 and 3cf862f6d973755cd9824c2224fbe0a623c47ff1. diff -Naur a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c --- a/src/cairo-image-compositor.c 2014-10-14 02:46:33.000000000 +0100 +++ b/src/cairo-image-compositor.c 2015-02-05 21:07:48.066068516 +0000 @@ -2242,10 +2242,10 @@ spans[0].x, y, len, 1, r->u.fill.pixel); } else { uint32_t *d = (uint32_t*)(r->u.fill.data + r->u.fill.stride*y + spans[0].x*4); - while (len--) + while (len-- > 0) *d++ = r->u.fill.pixel; } - } else while (len--) { + } else while (len-- > 0) { *d = lerp8x4 (r->u.fill.pixel, a, *d); d++; } diff -Naur a/src/cairo-tor-scan-converter.c b/src/cairo-tor-scan-converter.c --- a/src/cairo-tor-scan-converter.c 2014-10-14 02:46:33.000000000 +0100 +++ b/src/cairo-tor-scan-converter.c 2015-02-05 21:07:28.265583699 +0000 @@ -1167,8 +1167,8 @@ if (e->dy) { struct quorem x = e->x; - x.quo += e->dxdy_full.quo - e->dxdy.quo/2; - x.rem += e->dxdy_full.rem - e->dxdy.rem/2; + x.quo += e->dxdy_full.quo; + x.rem += e->dxdy_full.rem; if (x.rem < 0) { x.quo--; x.rem += e->dy; diff -Naur a/src/cairo-xcb-surface-render.c b/src/cairo-xcb-surface-render.c --- a/src/cairo-xcb-surface-render.c 2014-10-14 02:46:33.000000000 +0100 +++ b/src/cairo-xcb-surface-render.c 2015-02-05 21:07:43.257950790 +0000 @@ -4467,6 +4467,9 @@ const uint8_t *d; uint8_t *new, *n; + if (c == 0) + break; + new = malloc (c); if (unlikely (new == NULL)) { status = _cairo_error (CAIRO_STATUS_NO_MEMORY); @@ -4495,6 +4498,9 @@ const uint32_t *d; uint32_t *new, *n; + if (c == 0) + break; + new = malloc (4 * c); if (unlikely (new == NULL)) { status = _cairo_error (CAIRO_STATUS_NO_MEMORY); diff -Naur a/src/cairo-xlib-render-compositor.c b/src/cairo-xlib-render-compositor.c --- a/src/cairo-xlib-render-compositor.c 2013-11-19 22:04:57.000000000 +0000 +++ b/src/cairo-xlib-render-compositor.c 2015-02-05 21:07:38.857843053 +0000 @@ -1287,6 +1287,9 @@ unsigned char *d; unsigned char *new, *n; + if (c == 0) + break; + new = malloc (c); if (!new) { status = _cairo_error (CAIRO_STATUS_NO_MEMORY); @@ -1312,6 +1315,9 @@ const uint32_t *d; uint32_t *new, *n; + if (c == 0) + break; + new = malloc (4 * c); if (unlikely (new == NULL)) { status = _cairo_error (CAIRO_STATUS_NO_MEMORY);