Your message dated Wed, 04 Feb 2026 09:06:09 +0000
with message-id <[email protected]>
and subject line Bug#1123562: fixed in imlib2 1.12.6-1
has caused the Debian Bug report #1123562,
regarding libimlib2t64: Integer overflow in _DrawGradient function
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1123562: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123562
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libimlib2t64
Version: 1.12.5-1
Severity: normal
Tags: patch

Dear Maintainer,

The imlib2-1.12.5 packages contain an integer overflow bug in the _DrawGradient
function.  This bug has been fixed in the upstream git repository, but
imlib2-1.12.6 has not been released yet.  In the meantime, the attached
patches (extracted directly from the master repository at
https://git.enlightenment.org/old/legacy-imlib2) should be applied to
the imlib2-1.12.5 source.

Please note that "gradient-fix.patch" must be applied before
"gradient-stretch.patch".

This fix improves the functionality of the hsetroot utility on high-resolution
(QHD and higher) monitors.

Brian Lindholm

-- System Information:
Debian Release: forky/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.17.12-t8 (SMP w/16 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libimlib2t64 depends on:
ii  libbz2-1.0       1.0.8-6
ii  libc6            2.42-5
ii  libcairo2        1.18.4-1+b1
ii  libfreetype6     2.13.3+dfsg-1
ii  libgif7          5.2.2-1+b1
ii  libglib2.0-0t64  2.86.3-1
ii  libheif1         1.20.2-2+b4
ii  libid3tag0       0.16.3-2
ii  libjpeg62-turbo  1:2.1.5-4
ii  libjxl0.11       0.11.1-6
ii  liblzma5         5.8.1-2
ii  libopenjp2-7     2.5.3-2.1
ii  libpng16-16t64   1.6.53-1
ii  librsvg2-2       2.61.3+dfsg-2
ii  libspectre1      0.2.12-1+b2
ii  libtiff6         4.7.1-1
ii  libwebpdemux2    1.5.0-0.1
ii  libx11-6         2:1.8.12-1
ii  libx11-xcb1      2:1.8.12-1
ii  libxcb-shm0      1.17.0-2+b1
ii  libxcb1          1.17.0-2+b1
ii  libxext6         2:1.3.4-1+b3
ii  zlib1g           1:1.3.dfsg+really1.3.1-1+b2

libimlib2t64 recommends no packages.

libimlib2t64 suggests no packages.

-- no debconf information
From c30f8528585f86fa0dfe68f391251e23187d662a Mon Sep 17 00:00:00 2001
From: Kim Woelders <[email protected]>
Date: Wed, 3 Dec 2025 18:38:07 +0100
Subject: [PATCH] gradients: Fix rendering of gradients in larger images

The color table was generated incorrectly due to integer overflows.

Patch by Brian Lindholm (tweaked).
---
 src/lib/grad.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/lib/grad.c b/src/lib/grad.c
index d7b0efa..5afd08f 100644
--- a/src/lib/grad.c
+++ b/src/lib/grad.c
@@ -319,22 +319,22 @@ _DrawGradient(ImlibImage *im, int x, int y, int w, int h,
     if (xx < 0)
     {
         for (i = 0; i < ww; i++)
-            hlut[i] = (-xx * (ww - 1 - i) * len) / divw;
+            hlut[i] = (-xx * (ww - 1 - i) * (uint64_t) len) / divw;
     }
     else
     {
         for (i = 0; i < ww; i++)
-            hlut[i] = (xx * i * len) / divw;
+            hlut[i] = (xx * i * (uint64_t) len) / divw;
     }
     if (yy < 0)
     {
         for (i = 0; i < hh; i++)
-            vlut[i] = (-yy * (hh - 1 - i) * len) / divh;
+            vlut[i] = (-yy * (hh - 1 - i) * (uint64_t) len) / divh;
     }
     else
     {
         for (i = 0; i < hh; i++)
-            vlut[i] = (yy * i * len) / divh;
+            vlut[i] = (yy * i * (uint64_t) len) / divh;
     }
     jump = im->w - w;
 
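Review bot: the `(uint64_t)` cast sits on the last operand in all four assignments, so `-xx * (ww - 1 - i)`, `xx * i` and the two `yy` equivalents are still multiplied as `int` before anything is widened; only the final multiplication by `len` happens in 64 bits. Casting the first operand instead, for example `((uint64_t) xx * i * len) / divw`, widens the whole product. The 64-bit quotient is also narrowed again on assignment to `hlut[i]` and `vlut[i]`, so a short comment stating the expected range of the table entries would help the next reader.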
From 1e92ccf562de6b26c9dc4713a6b91b8adf666978 Mon Sep 17 00:00:00 2001
From: Kim Woelders <[email protected]>
Date: Mon, 8 Dec 2025 19:39:07 +0100
Subject: [PATCH] gradients: Better gradients with angles

Stretch to get full range.
Based on patch by Brian Lindholm.

Also dropping some now unnecessary casts.
---
 src/lib/grad.c | 53 +++++++++++++++++++++-----------------------------
 1 file changed, 22 insertions(+), 31 deletions(-)

diff --git a/src/lib/grad.c b/src/lib/grad.c
index 5afd08f..f927382 100644
--- a/src/lib/grad.c
+++ b/src/lib/grad.c
@@ -243,9 +243,10 @@ _DrawGradient(ImlibImage *im, int x, int y, int w, int h,
               int clx, int cly, int clw, int clh, ImlibRangeMapFunc *rmf)
 {
     uint32_t       *map, *p;
-    int            *hlut, *vlut, len;
+    int            *hlut, *vlut;
+    uint64_t        len, ll;
     int             xx, yy, xoff, yoff, ww, hh, jump;
-    int             tmp, i, divw, divh;
+    int             tmp, i, divw, divh, maxlut;
     uint8_t         r, g, b, a;
 
     xoff = yoff = 0;
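Review bot: changing `len` from `int` to `uint64_t` in this declaration turns every expression that mixes `len` with the `int` locals into unsigned 64-bit arithmetic, including any comparison or subtraction involving `len` outside the lines shown in this patch. Please confirm that no remaining use of `len` in `_DrawGradient` relied on signed behaviour, and add a one-line comment on `len, ll` saying they are 64-bit so that the table products cannot wrap.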
@@ -316,25 +317,30 @@ _DrawGradient(ImlibImage *im, int x, int y, int w, int h,
         divw = 1;
     if (divh < 1)
         divh = 1;
+
     if (xx < 0)
     {
         for (i = 0; i < ww; i++)
-            hlut[i] = (-xx * (ww - 1 - i) * (uint64_t) len) / divw;
+            hlut[i] = (-xx * (ww - 1 - i) * len) / divw;
+        maxlut = hlut[0];
     }
     else
     {
         for (i = 0; i < ww; i++)
-            hlut[i] = (xx * i * (uint64_t) len) / divw;
+            hlut[i] = (xx * i * len) / divw;
+        maxlut = hlut[ww - 1];
     }
     if (yy < 0)
     {
         for (i = 0; i < hh; i++)
-            vlut[i] = (-yy * (hh - 1 - i) * (uint64_t) len) / divh;
+            vlut[i] = (-yy * (hh - 1 - i) * len) / divh;
+        maxlut += vlut[0];
     }
     else
     {
         for (i = 0; i < hh; i++)
-            vlut[i] = (yy * i * (uint64_t) len) / divh;
+            vlut[i] = (yy * i * len) / divh;
+        maxlut += vlut[hh - 1];
     }
     jump = im->w - w;
 
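Review bot: `maxlut` becomes the divisor in the pixel loops further down but is not clamped here, unlike `divw` and `divh` just above (`if (divh < 1) divh = 1;`). When `ww` and `hh` are both 1 the only entries computed are `hlut[0]` and `vlut[0]`, both 0, so `maxlut` is 0 and a division by zero is avoided only because the later `ll > 0` test is then false as well. An explicit `if (maxlut < 1) maxlut = 1;` after the last `maxlut +=` would make that independent of the later code. The two `maxlut +=` additions are also done in `int`.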
@@ -349,11 +355,8 @@ _DrawGradient(ImlibImage *im, int x, int y, int w, int h,
             {
                 for (xx = 0; xx < w; xx++)
                 {
-                    i = vlut[yoff + yy] + hlut[xoff + xx];
-                    if (i < 0)
-                        i = 0;
-                    else if (i >= len)
-                        i = len - 1;
+                    ll = len * (vlut[yoff + yy] + hlut[xoff + xx]);
+                    i = (ll > 0) ? (ll - 1) / maxlut : 0;
                     ARGB_TO_R_G_B_A(map[i], r, g, b, a);
                     BLEND_DST_ALPHA(r, g, b, a, p);
                     p++;
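Review bot: the explicit clamp on `i` ahead of `map[i]` is removed here, and the replacement keeps `i` within `0 .. len - 1` only while `0 <= vlut[yoff + yy] + hlut[xoff + xx] <= maxlut` holds. Because `ll` is `uint64_t`, a negative sum would wrap to a very large value, pass the `ll > 0` test, and be truncated into `i` on assignment, which the old `if (i < 0) i = 0;` used to catch. Keeping a cheap bound check after the division, or asserting the invariant where the tables are built, would preserve that defence for the `map[i]` read.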
@@ -367,11 +370,8 @@ _DrawGradient(ImlibImage *im, int x, int y, int w, int h,
             {
                 for (xx = 0; xx < w; xx++)
                 {
-                    i = vlut[yoff + yy] + hlut[xoff + xx];
-                    if (i < 0)
-                        i = 0;
-                    else if (i >= len)
-                        i = len - 1;
+                    ll = len * (vlut[yoff + yy] + hlut[xoff + xx]);
+                    i = (ll > 0) ? (ll - 1) / maxlut : 0;
                     ARGB_TO_R_G_B_A(map[i], r, g, b, a);
                     BLEND(r, g, b, a, p);
                     p++;
@@ -385,11 +385,8 @@ _DrawGradient(ImlibImage *im, int x, int y, int w, int h,
         {
             for (xx = 0; xx < w; xx++)
             {
-                i = vlut[yoff + yy] + hlut[xoff + xx];
-                if (i < 0)
-                    i = 0;
-                else if (i >= len)
-                    i = len - 1;
+                ll = len * (vlut[yoff + yy] + hlut[xoff + xx]);
+                i = (ll > 0) ? (ll - 1) / maxlut : 0;
                 ARGB_TO_R_G_B_A(map[i], r, g, b, a);
                 BLEND_SUB(r, g, b, a, p);
                 p++;
@@ -402,11 +399,8 @@ _DrawGradient(ImlibImage *im, int x, int y, int w, int h,
         {
             for (xx = 0; xx < w; xx++)
             {
-                i = vlut[yoff + yy] + hlut[xoff + xx];
-                if (i < 0)
-                    i = 0;
-                else if (i >= len)
-                    i = len - 1;
+                ll = len * (vlut[yoff + yy] + hlut[xoff + xx]);
+                i = (ll > 0) ? (ll - 1) / maxlut : 0;
                 ARGB_TO_R_G_B_A(map[i], r, g, b, a);
                 BLEND_SUB(r, g, b, a, p);
                 p++;
@@ -419,11 +413,8 @@ _DrawGradient(ImlibImage *im, int x, int y, int w, int h,
         {
             for (xx = 0; xx < w; xx++)
             {
-                i = vlut[yoff + yy] + hlut[xoff + xx];
-                if (i < 0)
-                    i = 0;
-                else if (i >= len)
-                    i = len - 1;
+                ll = len * (vlut[yoff + yy] + hlut[xoff + xx]);
+                i = (ll > 0) ? (ll - 1) / maxlut : 0;
                 ARGB_TO_R_G_B_A(map[i], r, g, b, a);
                 BLEND_RE(r, g, b, a, p);
                 p++;
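Review bot: the two-line index computation (`ll = len * (...)` followed by `i = (ll > 0) ? (ll - 1) / maxlut : 0;`) is now repeated verbatim in all five blend loops touched by this patch. Moving it into one static inline helper that takes `len`, `maxlut` and the two table values would keep the bounds logic for `map[i]` in a single place and make any later clamp a one-line change.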

--- End Message ---
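
Added example (not part of the bug report or the imlib2 source): a C model of the lookup-table expression changed by the first patch, showing the index at which a 32-bit product wraps while a 64-bit one stays correct. The values xx = 256 and len = 4096, the choice of divw equal to the width, and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed values, not taken from imlib2: a fixed-point slope and a
 * color table length. divw is assumed equal to the image width. */
enum { XX = 256, LEN = 4096 };

/* Pre-patch shape: all operands are int. Signed overflow is undefined in C,
 * so the 32-bit wraparound is modelled with unsigned arithmetic instead.
 * The uint32_t -> int32_t conversion wraps on common compilers. */
static int32_t lut_entry_32(int xx, int i, int len, int divw)
{
    uint32_t prod = (uint32_t) xx * (uint32_t) i * (uint32_t) len;
    return (int32_t) prod / divw;   /* negative once prod reaches 2^31 */
}

/* Patched shape: the whole product is carried in 64 bits before dividing. */
static int64_t lut_entry_64(int xx, int i, int len, int divw)
{
    uint64_t prod = (uint64_t) xx * (uint64_t) i * (uint64_t) len;
    return (int64_t) (prod / (uint64_t) divw);
}

/* First index where the 32-bit table entry is wrong, or -1 if none. */
static int first_bad_index(int xx, int len, int ww)
{
    for (int i = 0; i < ww; i++)
        if (lut_entry_32(xx, i, len, ww) != lut_entry_64(xx, i, len, ww))
            return i;
    return -1;
}

int main(void)
{
    const int widths[] = { 1920, 2560, 3840 };   /* FHD, QHD, 4K UHD */
    for (int k = 0; k < 3; k++)
        printf("width %4d: first bad index %d\n", widths[k],
               first_bad_index(XX, LEN, widths[k]));
    return 0;
}
```

With these constructed inputs the product is i * 2^20, so the narrow version is exact up to index 2047 and wrong from 2048 onward.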
--- Begin Message ---
Source: imlib2
Source-Version: 1.12.6-1
Done: Markus Koschany <[email protected]>

We believe that the bug you reported is fixed in the latest version of
imlib2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated imlib2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 04 Feb 2026 09:31:26 +0100
Source: imlib2
Architecture: source
Version: 1.12.6-1
Distribution: unstable
Urgency: medium
Maintainer: Markus Koschany <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 1123562
Changes:
 imlib2 (1.12.6-1) unstable; urgency=medium
 .
   * New upstream version 1.12.6.
     - Fix Integer overflow in _DrawGradient function. (Closes: #1123562)
       Thanks to Brian Lindholm for the report.
   * Declare compliance with Debian Policy 4.7.3.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
