From: Po Lu <luangruo@yahoo.com>
Date: Sat, 4 Mar 2023 11:54:21 +0000 (+0800)
Subject: Fix out of bound write after poly of single pixel span
X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=46c8e7617a11b25a4c07f1cc59921dcad559e8e9;p=emacs.git

Fix out of bound write after poly of single pixel span

* src/sfnt.c (sfnt_fill_span): Specifically handle spans that
span a single pixel by computing the coverage in the center.
---

diff --git a/src/sfnt.c b/src/sfnt.c
index 329e09261bd..f5b84afa0a5 100644
--- a/src/sfnt.c
+++ b/src/sfnt.c
@@ -4080,9 +4080,22 @@ sfnt_fill_span (struct sfnt_raster *raster, sfnt_fixed y,
   start = raster->cells + row * raster->stride;
   start += left >> SFNT_POLY_SHIFT;
 
-  w = 0;
+  /* If left and right actually lie in the same pixel, just fill with
+     the coverage of both and return.  */
+
+  if ((left & ~SFNT_POLY_MASK) == (right & ~SFNT_POLY_MASK))
+    {
+      w = coverage[right - left];
+      a = *start + w;
+
+      *start = sfnt_saturate_short (a);
+      return;
+    }
+
+  /* Compute coverage for first pixel, then poly.  The code from here
+     onwards assumes that left and right are on two different
+     pixels.  */
 
-  /* Compute coverage for first pixel, then poly.  */
   if (left & SFNT_POLY_MASK)
     {
       /* Compute the coverage for the first pixel, and move left past
@@ -4097,7 +4110,6 @@ sfnt_fill_span (struct sfnt_raster *raster, sfnt_fixed y,
 
       /* Now move left past.  */
       left = end;
-
       *start++ = sfnt_saturate_short (a);
     }
 
@@ -4113,8 +4125,8 @@ sfnt_fill_span (struct sfnt_raster *raster, sfnt_fixed y,
       left += SFNT_POLY_SAMPLE;
     }
 
-  /* Fill right pixel if necessary (because it has a fractional
-     part.)  */
+  /* Fill rightmost pixel with any partial coverage.  */
+
   if (right & SFNT_POLY_MASK)
     {
       w = coverage[right - left];