diff options
| author | Marc-André Lureau <marcandre.lureau@gmail.com> | 2014-08-06 18:34:56 +0200 |
|---|---|---|
| committer | Marc-André Lureau <marcandre.lureau@gmail.com> | 2014-08-07 11:38:02 +0200 |
| commit | 1898f3949cf75422aa1fedba40c429b28d8d6b67 (patch) | |
| tree | c2a756dc9d47542945f8fea245c787b2f4113be9 | |
| parent | 3c25192ee90f843a2f84ff99d119b1cb45979bac (diff) | |
| download | spice-1898f3949cf75422aa1fedba40c429b28d8d6b67.tar.gz spice-1898f3949cf75422aa1fedba40c429b28d8d6b67.tar.xz spice-1898f3949cf75422aa1fedba40c429b28d8d6b67.zip | |
Fix crash when clearing surface memory
The beginning of the surface data needs to be computed correctly if the
stride is negative, otherwise, it should point already to the beginning
of the surface data. This bug seems to exists since 4a208b (0.5.2)
https://bugzilla.redhat.com/show_bug.cgi?id=1029646
| -rw-r--r-- | server/red_worker.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/server/red_worker.c b/server/red_worker.c index 6bdad93e..35a1a04f 100644 --- a/server/red_worker.c +++ b/server/red_worker.c @@ -9470,7 +9470,11 @@ static inline void red_create_surface(RedWorker *worker, uint32_t surface_id, ui surface->context.stride = stride; surface->context.line_0 = line_0; if (!data_is_valid) { - memset((char *)line_0 + (int32_t)(stride * (height - 1)), 0, height*abs(stride)); + char *data = line_0; + if (stride < 0) { + data -= abs(stride) * (height - 1); + } + memset(data, 0, height*abs(stride)); } surface->create.info = NULL; surface->destroy.info = NULL; |