Ran `valgrind imlib2_test`, moved the mouse to the lower right corner, and got:
==16086== Invalid read of size 1
==16086==    at 0x4E79C4E: __imlib_MergeUpdate (in /usr/lib/x86_64-linux-gnu/libImlib2.so.1.4.6)
==16086==    by 0x401773: main (in /usr/bin/imlib2_test)
==16086==  Address 0x9d20360 is 0 bytes after a block of size 1,200 alloc'd
==16086==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==16086==    by 0x4E798E3: __imlib_MergeUpdate (in /usr/lib/x86_64-linux-gnu/libImlib2.so.1.4.6)
==16086==    by 0x401773: main (in /usr/bin/imlib2_test)
It is at src/lib/updates.c:
 |113|   for (xx = x + 1, ww = 1;
>|114|        (T(xx, y).used & T_USED) && (xx < tw); xx++, ww++);
 |115|   for (yy = y + 1, hh = 1, ok = 1;
xx is 20 and tw is 20, so T(xx, y) addresses one byte outside the buffer.
Two *alternative* patches attached (apply only *one* of them).
TODO: I have not tried to search for a similar pattern over the codebase (yet).
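To show why the operand order inside the && decides whether the read at xx == tw happens at all, here is an added stand-alone C example (not imlib2 code, not part of this mail): it builds a constructed 20x20 tile table like the 1,200-byte block valgrind reported, scans its last row with the original condition and with the bounds-first condition, and counts out-of-range accesses through a checked accessor instead of dereferencing them. tile_used, run_width_reversed, run_width_fixed and oob_reads_for are hypothetical names chosen for this example.

```c
/* Constructed stand-in for imlib2's tile table: TW x TH tiles stored
 * row-major as t[(y * TW) + x], each flagged used or unused. */
#define T_UNUSED 0
#define T_USED   1
#define TW 20
#define TH 20

struct tile { unsigned char used; };

/* Checked accessor: an out-of-range index is counted and answered with an
 * unused tile instead of being dereferenced, so both scans can be compared. */
static int oob_reads;
static unsigned char tile_used(const struct tile *t, int x, int y)
{
    if (x < 0 || x >= TW || y < 0 || y >= TH) {
        oob_reads++;
        return T_UNUSED;
    }
    return t[(y * TW) + x].used;
}

/* Run of used tiles to the right of (x, y), original operand order: the
 * tile is read before the bound is tested, so xx == TW gets dereferenced. */
static int run_width_reversed(const struct tile *t, int x, int y)
{
    int xx, ww;
    for (xx = x + 1, ww = 1; (tile_used(t, xx, y) & T_USED) && (xx < TW); xx++, ww++);
    return ww;
}

/* Same scan with the bound first; && short-circuits, so xx == TW is never read. */
static int run_width_fixed(const struct tile *t, int x, int y)
{
    int xx, ww;
    for (xx = x + 1, ww = 1; (xx < TW) && (tile_used(t, xx, y) & T_USED); xx++, ww++);
    return ww;
}

/* Fill a table whose last row is entirely used (the lower-right corner case
 * from the valgrind run), scan it from (0, TH - 1) with the given variant and
 * return how many out-of-range reads that scan attempted. */
static int oob_reads_for(int (*scan)(const struct tile *, int, int))
{
    struct tile t[TW * TH]; int i;
    for (i = 0; i < TW * TH; i++)
        t[i].used = (i >= (TH - 1) * TW) ? T_USED : T_UNUSED;
    oob_reads = 0;
    (void)scan(t, 0, TH - 1);
    return oob_reads;
}
```

Both variants return the same run width (20) for that row; only the original order touches index tw, which on the last row is the byte just past the allocation.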
Debian-Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819818
Description: off-by-one out-of-bound read due to reversed condition
Author: Yuriy M. Kaminksiy <[email protected]>
Debian-Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819818
Note: you need *either* off-by-one-alternative.patch, *or* this patch;
DO NOT APPLY BOTH! (it won't break, but would unnecessarily clutter code)
Index: imlib2-1.4.6/src/lib/updates.c
===================================================================
--- imlib2-1.4.6.orig/src/lib/updates.c
+++ imlib2-1.4.6/src/lib/updates.c
@@ -111,7 +111,7 @@ __imlib_MergeUpdate(ImlibUpdate * u, int
int xx, yy, ww, hh, ok;
for (xx = x + 1, ww = 1;
- (T(xx, y).used & T_USED) && (xx < tw); xx++, ww++);
+ (xx < tw) && (T(xx, y).used & T_USED); xx++, ww++);
for (yy = y + 1, hh = 1, ok = 1;
(yy < th) && (ok); yy++, hh++)
{
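Review bot: The reorder on the replaced line is the right fix: with `(xx < tw) && (T(xx, y).used & T_USED)` the short-circuit && stops before T(xx, y) is evaluated for xx == tw, which is exactly the one-past-the-end read valgrind flagged on the last tile row, and the yy loop two lines below already tests `(yy < th)` before `(ok)`, so both loops now have the same shape. What is missing is a one-line comment at the loop saying the bound must stay first, since nothing in the hunk stops someone re-swapping the operands later. The TODO in the mail about checking the rest of the file for the same pattern should be resolved before merging.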
Description: off-by-one out-of-bound read due to reversed condition, alternative solution (allocates one more guard cell).
Author: Yuriy M. Kaminksiy <[email protected]>
Debian-Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819818
Note: you need *either* off-by-one-reversed-condition.patch, *or* this patch;
DO NOT APPLY BOTH! (it won't break, but would unnecessarily clutter code)
Index: imlib2-1.4.6/src/lib/updates.c
===================================================================
--- imlib2-1.4.6.orig/src/lib/updates.c
+++ imlib2-1.4.6/src/lib/updates.c
@@ -34,13 +34,14 @@ __imlib_MergeUpdate(ImlibUpdate * u, int
th = h >> TB;
if (h & TM)
th++;
- t = malloc(tw * th * sizeof(struct _tile));
+ t = malloc((tw * th + 1) * sizeof(struct _tile));
/* fill in tiles to be all not used */
for (i = 0, y = 0; y < th; y++)
{
for (x = 0; x < tw; x++)
t[i++].used = T_UNUSED;
}
+ t[i].used = T_UNUSED;
/* fill in all tiles */
for (uu = u; uu; uu = uu->next)
{
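Review bot: The guard cell only works because the scanning loop in __imlib_MergeUpdate exits right after evaluating T(tw, y); the extra element makes that read land on an initialised T_UNUSED tile instead of past the allocation, so this patches the symptom while the loop still reads one tile beyond the row. Prefer the reordered-condition patch, which removes the read; if this version is kept, the added `t[i].used = T_UNUSED;` relies on i being exactly tw * th after the fill loop, which holds here but deserves a comment next to the `+ 1` in the malloc size. Also visible in the context: the malloc result is indexed without a NULL check; that predates the patch but is worth a separate fix.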
_______________________________________________
enlightenment-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/enlightenment-devel