1*4882a593SmuzhiyunCVE: CVE-2022-44638 2*4882a593SmuzhiyunUpstream-Status: Backport 3*4882a593SmuzhiyunSigned-off-by: Ross Burton <ross.burton@arm.com> 4*4882a593Smuzhiyun 5*4882a593SmuzhiyunFrom a1f88e842e0216a5b4df1ab023caebe33c101395 Mon Sep 17 00:00:00 2001 6*4882a593SmuzhiyunFrom: Matt Turner <mattst88@gmail.com> 7*4882a593SmuzhiyunDate: Wed, 2 Nov 2022 12:07:32 -0400 8*4882a593SmuzhiyunSubject: [PATCH] Avoid integer overflow leading to out-of-bounds write 9*4882a593Smuzhiyun 10*4882a593SmuzhiyunThanks to Maddie Stone and Google's Project Zero for discovering this 11*4882a593Smuzhiyunissue, providing a proof-of-concept, and a great analysis. 12*4882a593Smuzhiyun 13*4882a593SmuzhiyunCloses: https://gitlab.freedesktop.org/pixman/pixman/-/issues/63 14*4882a593Smuzhiyun--- 15*4882a593Smuzhiyun pixman/pixman-trap.c | 2 +- 16*4882a593Smuzhiyun 1 file changed, 1 insertion(+), 1 deletion(-) 17*4882a593Smuzhiyun 18*4882a593Smuzhiyundiff --git a/pixman/pixman-trap.c b/pixman/pixman-trap.c 19*4882a593Smuzhiyunindex 91766fd..7560405 100644 20*4882a593Smuzhiyun--- a/pixman/pixman-trap.c 21*4882a593Smuzhiyun+++ b/pixman/pixman-trap.c 22*4882a593Smuzhiyun@@ -74,7 +74,7 @@ pixman_sample_floor_y (pixman_fixed_t y, 23*4882a593Smuzhiyun 24*4882a593Smuzhiyun if (f < Y_FRAC_FIRST (n)) 25*4882a593Smuzhiyun { 26*4882a593Smuzhiyun- if (pixman_fixed_to_int (i) == 0x8000) 27*4882a593Smuzhiyun+ if (pixman_fixed_to_int (i) == 0xffff8000) 28*4882a593Smuzhiyun { 29*4882a593Smuzhiyun f = 0; /* saturate */ 30*4882a593Smuzhiyun } 31*4882a593Smuzhiyun-- 32*4882a593SmuzhiyunGitLab 33*4882a593Smuzhiyun 34
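Review bot: The changed saturation check in pixman_sample_floor_y, `if (pixman_fixed_to_int (i) == 0xffff8000)`, compares against a bare magic constant and relies on implicit integer conversion. With a 32-bit int, the literal 0xffff8000 has type unsigned int, so the result of pixman_fixed_to_int (i) is converted to unsigned before the comparison. The check therefore matches only when the integer part is the sign-extended value -32768. A named constant or an explicitly signed comparison, plus a short comment saying this is the smallest representable integer part, would make the intent clear. It would also show why the old value 0x8000 could not match a sign-extended negative result, so the `f = 0; /* saturate */` branch was not taken at the lower bound. The commit message mentions a proof-of-concept, but the diffstat shows only pixman/pixman-trap.c changed, so consider adding a regression test that calls pixman_sample_floor_y at the minimum y value and asserts the saturated result.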