Bug 825721 - Clamp negative box starts and disallow negative sizes. r=jmuizelaar

gfx/2d/Makefile.in

@@ -58,6 +58,7 @@ GTEST_CPPSRCS = \
         TestBase.cpp \
         TestPoint.cpp \
         TestScaling.cpp \
+        TestCairo.cpp \
         $(NULL)
 
 ifeq (cocoa,$(MOZ_WIDGET_TOOLKIT))

gfx/2d/unittest/TestCairo.cpp

@@ -0,0 +1,53 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/
+ */
+
+#include "cairo.h"
+
+#include "gtest/gtest.h"
+
+namespace mozilla {
+namespace layers {
+
+void TryCircle(double centerX, double centerY, double radius) {
+  printf("TestCairo:TryArcs centerY %f, radius %f\n",centerY,radius);
+
+  cairo_surface_t *surf = cairo_image_surface_create(CAIRO_FORMAT_ARGB32,8,21);
+  ASSERT_TRUE(surf != nullptr);
+
+  cairo_t *cairo = cairo_create(surf);
+  ASSERT_TRUE(cairo != nullptr);
+
+  cairo_set_antialias(cairo, CAIRO_ANTIALIAS_NONE);
+  cairo_arc(cairo, 0.0, centerY, radius, 0.0, 6.2831853071795862);
+  cairo_fill_preserve(cairo);
+
+  cairo_surface_destroy(surf);
+  cairo_destroy(cairo);
+}
+
+TEST(Cairo, Simple) {
+  TryCircle(0.0, 0.0, 14.0);
+  TryCircle(0.0, 1.0, 22.4);
+  TryCircle(1.0, 0.0, 1422.4);
+  TryCircle(1.0, 1.0, 3422.4);
+  TryCircle(-10.0, 1.0, -2);
+}
+
+TEST(Cairo, Bug825721) {
+  // OK:
+  TryCircle(0.0, 0.0, 8761126469220696064.0);
+  TryCircle(0.0, 1.0, 8761126469220696064.0);
+
+  // OK:
+  TryCircle(1.0, 0.0, 5761126469220696064.0);
+
+  // This was the crash in 825721.  Note that centerY has to be non-zero,
+  // and radius has to be not only large, but in particular range.
+  // 825721 has a band-aid fix, where the crash is inevitable, but does
+  // not fix the cause.  The same code crashes in cairo standalone.
+  TryCircle(0.0, 1.0, 5761126469220696064.0);
+}
+
+}
+}

gfx/cairo/README

@@ -233,3 +233,6 @@ pixman-enable-altivec-acceleration.patch: enable building the altivec accelerati
 ==== disable printing patch ====
 
 disable-printing.patch:  allows us to use NS_PRINTING to disable printing.
+
+==== cairo clamp bounday patch ====
+cairo-clamp-boundary.patch: don't call pixman_fill with negative starts or negative sizes

gfx/cairo/cairo-clamp-boundary.patch

@@ -0,0 +1,71 @@
+# HG changeset patch
+# User Milan Sreckovic <msreckovic@mozilla.com>
+# Date 1362078121 18000
+# Node ID e9e6d97b153d8ec17ee03bb1deef1dec24c7a17c
+# Parent  c65d59d33aa86b7e75bc420ea3beda6201e0aceb
+Bug 825721: clamp negative box starts and disallow negative sizes. r=jmuizelaar
+
+diff --git a/gfx/cairo/cairo/src/cairo-image-surface.c b/gfx/cairo/cairo/src/cairo-image-surface.c
+--- a/gfx/cairo/cairo/src/cairo-image-surface.c
++++ b/gfx/cairo/cairo/src/cairo-image-surface.c
+@@ -1846,16 +1846,20 @@ static cairo_status_t
+     if (likely (status == CAIRO_STATUS_SUCCESS)) {
+ 	for (chunk = &clear.chunks; chunk != NULL; chunk = chunk->next) {
+ 	    for (i = 0; i < chunk->count; i++) {
+ 		int x1 = _cairo_fixed_integer_part (chunk->base[i].p1.x);
+ 		int y1 = _cairo_fixed_integer_part (chunk->base[i].p1.y);
+ 		int x2 = _cairo_fixed_integer_part (chunk->base[i].p2.x);
+ 		int y2 = _cairo_fixed_integer_part (chunk->base[i].p2.y);
+ 
++		x1 = (x1 < 0 ? 0 : x1);
++		y1 = (y1 < 0 ? 0 : y1);
++		if (x2 <= x1 || y2 <= y1)
++		    continue;
+ 		pixman_fill ((uint32_t *) dst->data, dst->stride / sizeof (uint32_t),
+ 			     PIXMAN_FORMAT_BPP (dst->pixman_format),
+ 			     x1, y1, x2 - x1, y2 - y1,
+ 			     0);
+ 	    }
+ 	}
+     }
+ 
+@@ -2669,16 +2673,18 @@ static cairo_status_t
+ 	const cairo_box_t *box = chunk->base;
+ 
+ 	for (i = 0; i < chunk->count; i++) {
+ 	    int x1 = _cairo_fixed_integer_ceil (box[i].p1.x);
+ 	    int y1 = _cairo_fixed_integer_ceil (box[i].p1.y);
+ 	    int x2 = _cairo_fixed_integer_floor (box[i].p2.x);
+ 	    int y2 = _cairo_fixed_integer_floor (box[i].p2.y);
+ 
++	    x1 = (x1 < 0 ? 0 : x1);
++	    y1 = (y1 < 0 ? 0 : y1);
+ 	    if (x2 > x1 && y2 > y1) {
+ 		cairo_box_t b;
+ 
+ 		pixman_fill ((uint32_t *) dst->data,
+ 			     dst->stride / sizeof (uint32_t),
+ 			     PIXMAN_FORMAT_BPP (dst->pixman_format),
+ 			     x1, y1, x2 - x1, y2 - y1,
+ 			     pixel);
+@@ -2929,17 +2935,19 @@ static cairo_status_t
+ 	    cairo_box_t *box = chunk->base;
+ 
+ 	    for (i = 0; i < chunk->count; i++) {
+ 		int x1 = _cairo_fixed_integer_round_down (box[i].p1.x);
+ 		int y1 = _cairo_fixed_integer_round_down (box[i].p1.y);
+ 		int x2 = _cairo_fixed_integer_round_down (box[i].p2.x);
+ 		int y2 = _cairo_fixed_integer_round_down (box[i].p2.y);
+ 
+-		if (x2 == x1 || y2 == y1)
++		x1 = (x1 < 0 ? 0 : x1);
++		y1 = (y1 < 0 ? 0 : y1);
++		if (x2 <= x1 || y2 <= y1)
+ 		    continue;
+ 
+ 		pixman_fill ((uint32_t *) dst->data, dst->stride / sizeof (uint32_t),
+ 			     PIXMAN_FORMAT_BPP (dst->pixman_format),
+ 			     x1, y1, x2 - x1, y2 - y1,
+ 			     pixel);
+ 	    }
+ 	}

gfx/cairo/cairo/src/cairo-image-surface.c

@@ -1851,6 +1851,10 @@ _cairo_image_surface_fixup_unbounded_boxes (cairo_image_surface_t *dst,
 		int x2 = _cairo_fixed_integer_part (chunk->base[i].p2.x);
 		int y2 = _cairo_fixed_integer_part (chunk->base[i].p2.y);
 
+		x1 = (x1 < 0 ? 0 : x1);
+		y1 = (y1 < 0 ? 0 : y1);
+		if (x2 <= x1 || y2 <= y1)
+		    continue;
 		pixman_fill ((uint32_t *) dst->data, dst->stride / sizeof (uint32_t),
 			     PIXMAN_FORMAT_BPP (dst->pixman_format),
 			     x1, y1, x2 - x1, y2 - y1,
@@ -2674,6 +2678,8 @@ _fill_unaligned_boxes (cairo_image_surface_t *dst,
 	    int x2 = _cairo_fixed_integer_floor (box[i].p2.x);
 	    int y2 = _cairo_fixed_integer_floor (box[i].p2.y);
 
+	    x1 = (x1 < 0 ? 0 : x1);
+	    y1 = (y1 < 0 ? 0 : y1);
 	    if (x2 > x1 && y2 > y1) {
 		cairo_box_t b;
 
@@ -2934,7 +2940,9 @@ _composite_boxes (cairo_image_surface_t *dst,
 		int x2 = _cairo_fixed_integer_round_down (box[i].p2.x);
 		int y2 = _cairo_fixed_integer_round_down (box[i].p2.y);
 
-		if (x2 == x1 || y2 == y1)
+		x1 = (x1 < 0 ? 0 : x1);
+		y1 = (y1 < 0 ? 0 : y1);
+		if (x2 <= x1 || y2 <= y1)
 		    continue;
 
 		pixman_fill ((uint32_t *) dst->data, dst->stride / sizeof (uint32_t),