Pointer out of range in examples/cairotwisted.c
Declaration of last_move_to in parametrize_path:

    cairo_path_data_t *data, last_move_to = {{0,},}, current_point = {{0,},};
Assignment to last_move_to, computation of an invalid pointer and its subsequent use as data[1]:

    case CAIRO_PATH_MOVE_TO:
        last_move_to = data[1];
        current_point = data[1];
        break;
    case CAIRO_PATH_CLOSE_PATH:
        /* Make it look like it's a line_to to last_move_to */
        data = (&last_move_to) - 1;
        G_GNUC_FALLTHROUGH;
    case CAIRO_PATH_LINE_TO:
        parametrization[i] = two_points_distance (&current_point, &data[1]);
        current_point = data[1];
        break;
So on the 236th line the subtraction produces a pointer that does not point into, or just past the end of, the same array object. A pointer to last_move_to, which is not an element of an array, behaves the same as a pointer to the first element of an array of length one. I think you should use cairo_path_data_t[2] as the type of last_move_to (and change its usage a bit) instead of the invalid subtraction.
There is the same UB in the function point_on_path.