From f3873cac4add6865cff6ca01abd65a31dc1b33ad Mon Sep 17 00:00:00 2001
From: Dana Jansens
Date: Sun, 11 Aug 2013 16:04:50 -0400
Subject: [PATCH] Fix a write out of bounds in splitvertical gradients (Bug 3612)
If the gradient has height 1, then y1sz is 0. We don't want to use the first color and move the data pointer, since this will move it past the end of the array.
---
 obrender/gradient.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/obrender/gradient.c b/obrender/gradient.c
index 60a0a555..7f2f1f8f 100644
--- a/obrender/gradient.c
+++ b/obrender/gradient.c
@@ -527,13 +527,15 @@ static void gradient_splitvertical(RrAppearance *a, gint w, gint h)
 /* find the color for the first pixel of each row first */
 data = sf->pixel_data;
- for (y1 = y1sz-1; y1 > 0; --y1) {
+ if (y1sz) {
+ for (y1 = y1sz-1; y1 > 0; --y1) {
+ *data = COLOR(y1);
+ data += w;
+ NEXT(y1);
+ }
 *data = COLOR(y1);
 data += w;
- NEXT(y1);
 }
- *data = COLOR(y1);
- data += w;
 if (y2sz) {
 for (y2 = y2sz-1; y2 > 0; --y2) {
 *data = COLOR(y2);
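Review bot: The new `if (y1sz)` guard tests for non-zero rather than positive, so if y1sz is a signed gint (its declaration and computation are outside this hunk) and could ever come out negative for a very small h, the `*data = COLOR(y1); data += w;` inside the guard would still store one pixel and advance a row. I would write `if (y1sz > 0) {` and give the existing `if (y2sz) {` the same treatment, so each segment writes only when it owns at least one row. The reason for the guard lives only in the commit message; a comment such as `/* y1sz is 0 when h == 1: write nothing, or data moves past the end of pixel_data */` above it would keep it from being simplified away later. gradient_splitvertical starts and ends outside the hunk, so whether the segment sizes always sum to h cannot be checked here.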