From 0845fcef9e664eb100b55ad1cc20743844deee58 Mon Sep 17 00:00:00 2001 From: Chris Wilson Date: Thu, 12 Jan 2012 23:45:03 +0000 Subject: [PATCH] sna: Correct iteration counter for stippled blits ==7215== Invalid read of size 2 ==7215== at 0x51A72F3: sna_poly_fill_rect_stippled_8x8_blt (sna_accel.c:7340) ==7215== by 0x51A9CDF: sna_poly_fill_rect_stippled_blt (sna_accel.c:8163) ==7215== by 0x51A3878: sna_poly_segment (sna_accel.c:6090) ==7215== by 0x216C02: damagePolySegment (damage.c:1096) ==7215== by 0x13F6E8: ProcPolySegment (dispatch.c:1771) ==7215== by 0x1436B4: Dispatch (dispatch.c:437) ==7215== by 0x131279: main (main.c:287) ==7215== Address 0x6f851e8 is 0 bytes after a block of size 32 alloc'd ==7215== at 0x4825DEC: malloc (vg_replace_malloc.c:261) ==7215== by 0x51A3558: sna_poly_segment (sna_accel.c:6049) ==7215== by 0x216C02: damagePolySegment (damage.c:1096) ==7215== by 0x13F6E8: ProcPolySegment (dispatch.c:1771) ==7215== by 0x1436B4: Dispatch (dispatch.c:437) ==7215== by 0x131279: main (main.c:287) An example being the stippled outline in gimp, the yellow marching ants, would randomly walk over the entire image. Signed-off-by: Chris Wilson --- src/sna/sna_accel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/sna/sna_accel.c b/src/sna/sna_accel.c index 30da328c..3c2ac441 100644 --- a/src/sna/sna_accel.c +++ b/src/sna/sna_accel.c @@ -7369,7 +7369,7 @@ sna_poly_fill_rect_stippled_8x8_blt(DrawablePtr drawable, b[8] = pat[1]; sna->kgem.nbatch += 9; } - } while (n--); + } while (--n); } else { const BoxRec * const clip_start = RegionBoxptr(&clip); const BoxRec * const clip_end = clip_start + clip.data->numRects;