nilix/openbox
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix memory corruption when y2sz is 0.

Browse source 
data is incremented one too many times when y2sz is zero, leading to
memory corruption.

[ also changed % 2 to & 1 -- Mikael ]
This commit is contained in:
Reilly Grant 2009-07-04 15:06:55 +02:00 committed by Mikael Magnusson
parent 3cd4db67aa
commit 18a2bc6da5
1 changed files with 8 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
render/gradient.c
View file

@ -507,11 +507,11 @@ static void gradient_splitvertical(RrAppearance *a, gint w, gint h)
*/
if (h <= 5) {
y1sz = MAX(h/2, 0);
y2sz = (h < 3 ? 0 : h % 2);
y2sz = (h < 3) ? 0 : (h & 1);
y3sz = MAX(h/2, 1);
}
else {
y1sz = h/2 - (1 - (h % 2));
y1sz = h/2 - (1 - (h & 1));
y2sz = 1;
y3sz = h/2;
}
@ -534,13 +534,15 @@ static void gradient_splitvertical(RrAppearance *a, gint w, gint h)
}
*data = COLOR(y1);
data += w;
for (y2 = y2sz-1; y2 > 0; --y2) {
if (y2sz) {
for (y2 = y2sz-1; y2 > 0; --y2) {
*data = COLOR(y2);
data += w;
NEXT(y2);
}
*data = COLOR(y2);
data += w;
NEXT(y2);
}
*data = COLOR(y2);
data += w;
for (y3 = y3sz-1; y3 > 0; --y3) {
*data = COLOR(y3);
data += w;