From 1898f3949cf75422aa1fedba40c429b28d8d6b67 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@gmail.com>
Date: Wed, 6 Aug 2014 18:34:56 +0200
Subject: Fix crash when clearing surface memory

The beginning of the surface data needs to be computed correctly if the
stride is negative, otherwise, it should point already to the beginning
of the surface data. This bug seems to exists since 4a208b (0.5.2)

https://bugzilla.redhat.com/show_bug.cgi?id=1029646

diff --git a/server/red_worker.c b/server/red_worker.c
index 6bdad93..35a1a04 100644
--- a/server/red_worker.c
+++ b/server/red_worker.c
@@ -9470,7 +9470,11 @@ static inline void red_create_surface(RedWorker *worker, uint32_t surface_id, ui
     surface->context.stride = stride;
     surface->context.line_0 = line_0;
     if (!data_is_valid) {
-        memset((char *)line_0 + (int32_t)(stride * (height - 1)), 0, height*abs(stride));
+        char *data = line_0;
+        if (stride < 0) {
+            data -= abs(stride) * (height - 1);
+        }
+        memset(data, 0, height*abs(stride));
     }
     surface->create.info = NULL;
     surface->destroy.info = NULL;
-- 
cgit v0.10.2