Image compositor can pass invalid coordinates to pixman_fill()
Submitted by Federico Quintero (@federico). Assigned to Chris Wilson (@ickle).
Description
See https://bugzilla.gnome.org/show_bug.cgi?id=744391 for where this comes from.
Summary: librsvg gets an SVG generated through fuzz-testing, and passes big coordinates that give problems to Cairo. In turn, Cairo ends up passing invalid coordinates to pixman_fill(), which does an out-of-bounds write.
Pixman doesn't validate the arguments passed to pixman_fill().
Given that Cairo's problems with big coordinates and fixed-point overflow are Hard To Fix(tm), we can make Cairo at least responsible for not passing invalid coordinates to pixman's low-level machinery.
The attached patch takes care of the call to pixman_fill() from this particular code path. I haven't gotten reports of other invalid calls to pixman_fill() from Cairo/librsvg.
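An added illustration of the kind of caller-side guard this report asks for, not code from cairo or pixman: the rectangle is validated with overflow-safe arithmetic before any fill is attempted, and the image buffer, dimensions and fill routine are a constructed stand-in for the real pixman_fill() path.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Validate a fill rectangle against an img_w x img_h pixel image before it
 * reaches a low-level fill routine such as pixman_fill(). Rejects negative
 * origins and sizes and rectangles whose far edge lies past the image. The
 * sums are done in 64-bit so that a huge fuzzer-supplied width cannot wrap
 * a 32-bit x + w back into range and slip past the check. */
bool fill_rect_is_valid(int img_w, int img_h, int x, int y, int w, int h)
{
    if (img_w < 0 || img_h < 0 || x < 0 || y < 0 || w < 0 || h < 0)
        return false;
    if ((int64_t)x + (int64_t)w > (int64_t)img_w)
        return false;
    if ((int64_t)y + (int64_t)h > (int64_t)img_h)
        return false;
    return true; /* zero-sized rectangles are a valid no-op */
}

/* Constructed stand-in for the fill path: allocates an img_w x img_h buffer
 * of 32-bit pixels, fills the rectangle only if it validates, and returns
 * how many pixels now hold `filler` (-1 if the rectangle was rejected).
 * Because every store is preceded by the check, no write can land outside
 * the buffer whatever coordinates the caller supplies. */
long guarded_fill_count(int img_w, int img_h, int x, int y, int w, int h,
                        uint32_t filler)
{
    if (!fill_rect_is_valid(img_w, img_h, x, y, w, h))
        return -1;
    size_t npix = (size_t)img_w * (size_t)img_h;
    uint32_t *bits = calloc(npix ? npix : 1, sizeof *bits);
    if (!bits)
        return -1;
    for (int row = y; row < y + h; row++)          /* y + h <= img_h here */
        for (int col = x; col < x + w; col++)      /* x + w <= img_w here */
            bits[(size_t)row * (size_t)img_w + (size_t)col] = filler;
    long count = 0;
    for (size_t i = 0; i < npix; i++)
        if (bits[i] == filler)
            count++;
    free(bits);
    return count;
}
```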