author | Uli Schlachter <psychon@znc.in> | 2013-10-03 17:53:34 +0200 |
---|---|---|
committer | Uli Schlachter <psychon@znc.in> | 2013-10-03 17:53:34 +0200 |
commit | 49366c5e9e7d5afd0daef4c53a41472e020145eb (patch) | |
tree | 80d0c35f2de851c006ddcae4a3d88c360a322897 | |
parent | 217bed84dda43f018e59a4d9a229f63095e1aa06 (diff) | |
download | cairo-49366c5e9e7d5afd0daef4c53a41472e020145eb.tar.gz |
cairo-xlib: Fix out of bounds array access in format cache

The cairo-xlib backend maintains a mapping from cairo_format_t to xrender
formats. This is done via an array. The size of this array is
CAIRO_FORMAT_RGB16_565 + 1 which evaluates to 5.

However, CAIRO_FORMAT_RGB30 has the numeric value 5, too. Thus, using this value
as an index into the array would actually read the following force_precision
field from cairo_xlib_display_t.

This could be triggered by passing CAIRO_FORMAT_RGB30 to
_cairo_xlib_display_get_xrender_format(). From a quick look, I didn't find any
code which would allow doing this, but neither did I find anything allowing
CAIRO_FORMAT_RGB16_565, so it's better to handle this correctly than assert()ing
for this to never happen.

Signed-off-by: Uli Schlachter <psychon@znc.in>

-rw-r--r-- | src/cairo-xlib-private.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/cairo-xlib-private.h b/src/cairo-xlib-private.h index 4fd725f93..822c85bfc 100644 --- a/src/cairo-xlib-private.h +++ b/src/cairo-xlib-private.h @@ -81,7 +81,7 @@ struct _cairo_xlib_display { int render_major; int render_minor; - XRenderPictFormat *cached_xrender_formats[CAIRO_FORMAT_RGB16_565 + 1]; + XRenderPictFormat *cached_xrender_formats[CAIRO_FORMAT_RGB30 + 1]; int force_precision; |
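
Review bot: The bound on cached_xrender_formats in struct _cairo_xlib_display still hard-codes the name of whichever cairo_format_t value is currently last (CAIRO_FORMAT_RGB30 + 1), so the next format appended to the enum brings back the same one-past-the-end read into the adjacent force_precision field unless someone remembers to update this header. Consider adding a comment on the declaration stating that the size must track the highest cairo_format_t value, or sizing the array from a single "last format" constant defined next to the enum so there is one place to update. A range check on the index in _cairo_xlib_display_get_xrender_format() before it touches the array would also stop a future mismatch from becoming an out-of-bounds read; that function is not part of this diff, so it is worth confirming whether it already has one.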