From: Dana Jansens Date: Sun, 11 Aug 2013 20:04:50 +0000 (-0400) Subject: Fix a write out of bounds in splitvertical gradients (Bug 3612) X-Git-Url: https://git.brokenzipper.com/gitweb?a=commitdiff_plain;h=f3873cac4add6865cff6ca01abd65a31dc1b33ad;p=chaz%2Fopenbox Fix a write out of bounds in splitvertical gradients (Bug 3612) If the gradient has height 1, then y1sz is 0. We don't want to use the first color and move the data pointer, since this will move it past the end of the array. --- diff --git a/obrender/gradient.c b/obrender/gradient.c index 60a0a555..7f2f1f8f 100644 --- a/obrender/gradient.c +++ b/obrender/gradient.c @@ -527,13 +527,15 @@ static void gradient_splitvertical(RrAppearance *a, gint w, gint h) /* find the color for the first pixel of each row first */ data = sf->pixel_data; - for (y1 = y1sz-1; y1 > 0; --y1) { + if (y1sz) { + for (y1 = y1sz-1; y1 > 0; --y1) { + *data = COLOR(y1); + data += w; + NEXT(y1); + } *data = COLOR(y1); data += w; - NEXT(y1); } - *data = COLOR(y1); - data += w; if (y2sz) { for (y2 = y2sz-1; y2 > 0; --y2) { *data = COLOR(y2);