Fix memory corruption when y2sz is 0.

data is incremented one too many times when y2sz is zero, leading to
memory corruption.

[ also changed % 2 to & 1 -- Mikael ]

diff --git a/render/gradient.c b/render/gradient.c
index 8b6850f0e5a41adbea92d01f8f34007946069eed..60a0a5556a7157ea08ea63fe2d00594609acb8e4 100644 (file)
--- a/render/gradient.c
+++ b/render/gradient.c
@@ -507,11 +507,11 @@ static void gradient_splitvertical(RrAppearance *a, gint w, gint h)
     */
     if (h <= 5) {
         y1sz = MAX(h/2, 0);
-        y2sz = (h < 3 ? 0 : h % 2);
+        y2sz = (h < 3) ? 0 : (h & 1);
         y3sz = MAX(h/2, 1);
     }
     else {
-        y1sz = h/2 - (1 - (h % 2));
+        y1sz = h/2 - (1 - (h & 1));
         y2sz = 1;
         y3sz = h/2;
     }
@@ -534,13 +534,15 @@ static void gradient_splitvertical(RrAppearance *a, gint w, gint h)
     }
     *data = COLOR(y1);
     data += w;
-    for (y2 = y2sz-1; y2 > 0; --y2) {
+    if (y2sz) {
+        for (y2 = y2sz-1; y2 > 0; --y2) {
+            *data = COLOR(y2);
+            data += w;
+            NEXT(y2);
+        }
         *data = COLOR(y2);
         data += w;
-        NEXT(y2);
     }
-    *data = COLOR(y2);
-    data += w;
     for (y3 = y3sz-1; y3 > 0; --y3) {
         *data = COLOR(y3);
         data += w;