File b5752618.patch of Package cairo.40286
From b57526185d60b3e36bb0f6684cc0ae9ac2294972 Mon Sep 17 00:00:00 2001 From: William Bader <william@newspapersystems.com> Date: Mon, 28 Apr 2025 05:01:45 +0200 Subject: [PATCH] Fix a NULL access in active_edges_to_traps(). The bentley-ottmann tessellation implementation uses an x of INT32_MAX as a sentinel. If a rectangle has an x of INT32_MAX, active_edges_to_traps() can read past the end of the edge list when building trapezoids. This patch reduces an x of INT32_MAX to INT32_MAX-1. This avoids the crash in https://gitlab.freedesktop.org/poppler/poppler/-/issues/1579 This is an alternative to the patch in https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/620 that adds a check for NULL pointers when traversing the edge list. --- src/cairo-bentley-ottmann-rectangular.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/cairo-bentley-ottmann-rectangular.c b/src/cairo-bentley-ottmann-rectangular.c index 65f95d797..be01e04f7 100644 --- a/src/cairo-bentley-ottmann-rectangular.c +++ b/src/cairo-bentley-ottmann-rectangular.c @@ -847,6 +847,8 @@ _cairo_bentley_ottmann_tessellate_boxes (const cairo_boxes_t *in, rectangles[j].left.x = box[i].p2.x; rectangles[j].left.dir = -1; } + if (rectangles[j].left.x == INT32_MAX) rectangles[j].left.x = INT32_MAX-1; + if (rectangles[j].right.x == INT32_MAX) rectangles[j].right.x = INT32_MAX-1; rectangles[j].left.right = NULL; rectangles[j].right.right = NULL; -- GitLab
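Review bot: the two added clamps at the end of the hunk silently move an input coordinate by one unit but carry no comment explaining why, so a later reader will see `if (rectangles[j].left.x == INT32_MAX) rectangles[j].left.x = INT32_MAX-1;` as an arbitrary tweak and may remove it; add a one-line comment stating that INT32_MAX is the sentinel x used by the active-edge sweep and that a real edge at that x makes active_edges_to_traps() run past the end of the edge list. The commit message also states this is a workaround chosen instead of the NULL check in merge request 620; that rationale belongs in the code comment too, since the traversal itself still has no guard. Note that a box with both p1.x and p2.x equal to INT32_MAX collapses to a zero-width rectangle at INT32_MAX-1 after the clamp, which is presumably harmless for tessellation but should be stated. Stylistically, the surrounding context uses braced bodies on their own lines (see the closing `}` just above the insertion); the new single-line `if ... ;` forms should follow the same layout.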