From 7455c293c66898ca0841f5f984ada43feb5c088a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20Dre=C3=9Fler?= <verdre@v0yd.nl>
Date: Sun, 19 Feb 2023 12:19:43 +0100
Subject: [PATCH] window-actor-x11: Check array bounds before accessing array

scan_visible_region() scans through each value of a uint8_t array and checks
whether that value is 255. Right now it always checks one value too much
though, resulting in a buffer overflow. Fix that by checking the array
bounds before actually accessing the array.

Found by running gnome-shell with address sanitizer and starting
GIMP.

Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2856>
---
 src/compositor/meta-window-actor-x11.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/compositor/meta-window-actor-x11.c b/src/compositor/meta-window-actor-x11.c
index bdca02eb9..edc48885e 100644
--- a/src/compositor/meta-window-actor-x11.c
+++ b/src/compositor/meta-window-actor-x11.c
@@ -723,7 +723,7 @@ scan_visible_region (guchar         *mask_data,
           for (x = rect.x; x < (rect.x + rect.width); x++)
             {
               int x2 = x;
-              while (mask_data[y * stride + x2] == 255 && x2 < (rect.x + rect.width))
+              while (x2 < (rect.x + rect.width) && mask_data[y * stride + x2] == 255)
                 x2++;
 
               if (x2 > x)