As reported in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=639414,
imlib_image_draw_ellipse(4,4,2,1) triggers a divide-by-zero and SIGFPE.
I verified that the bug can be reproduced in the current imlib2.
The attached patch prevents the SIGFPE, but probably results in incorrect
drawing.
Minor security implications: DoS, if an application draws an ellipse using
coordinates from untrusted input.

Description: fix divide-by-zero on drawing 2x1 ellipse
Author: Yuriy M. Kaminskiy <yumkam+deb...@gmail.com>
Note: resulting images are probably incorrect; but SIGFPE is certainly worse.
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=639414

Index: imlib2-1.4.6/src/lib/ellipse.c
===================================================================
--- imlib2-1.4.6.orig/src/lib/ellipse.c
+++ imlib2-1.4.6/src/lib/ellipse.c
@@ -54,6 +54,7 @@ __imlib_Ellipse_DrawToData(int xc, int y
           {
              prev_y = y;
              dx -= a2;
+             if (dx == 0) break; /* FIXME likely incorrect */
              ty++;
              by--;
              tp += dstw;
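Review bot: the guard `if (dx == 0) break;` placed right after `dx -= a2;` tests for exact zero only; unless a negative dx is known to be impossible here, dx could step from positive past zero in one subtraction of a2 and the guard would never fire, so `dx <= 0` is the safer test. Breaking at this point also skips the `ty++; by--; tp += dstw;` advance for the current row, so code after the loop starts from a stale row position; either do the advance before the break or document why the stale position is harmless, and replace `FIXME likely incorrect` with a statement of what the degenerate (2x1) case is meant to draw.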
@@ -95,6 +96,9 @@ __imlib_Ellipse_DrawToData(int xc, int y
    tp += dstw;
    bp -= dstw;
 
+   if (dy == 0) /* FIXME likely incorrect */
+      return;
+
    while (ty < yc)
      {
         int                 len;
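Review bot: `if (dy == 0) return;` skips the whole `while (ty < yc)` loop, so for the degenerate ellipse every row that second loop would have drawn is silently dropped; the FIXME admits this, but a reader of the function gets no explanation. Style: this `if` puts `return;` on its own line while the hunk above puts `break;` on the same line as the `if`, so please use one form for both. Both guards also treat the symptom inside the rasterizer; the cleaner fix is to reject or special-case radii that cannot produce a valid ellipse once, on entry to `__imlib_Ellipse_DrawToData` (or in the caller before dispatching), so the loops never reach a zero divisor.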
@@ -185,6 +189,7 @@ __imlib_Ellipse_DrawToData_AA(int xc, in
           {
              prev_y = y;
              dx -= a2;
+             if (dx == 0) break; /* FIXME likely incorrect */
              ty++;
              by--;
              tp += dstw;
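Review bot: this is the second copy of the same `dx == 0` guard after `dx -= a2;`, with the same exact-zero test, the same skipped `ty++; by--; tp += dstw;` advance and the same FIXME as in `__imlib_Ellipse_DrawToData`. Rather than patching each loop, consider one early-out shared by the draw and fill variants so the degenerate case is handled in a single, documented place.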
@@ -247,6 +252,9 @@ __imlib_Ellipse_DrawToData_AA(int xc, in
    tp += dstw;
    bp -= dstw;
 
+   if (dy == 0) /* FIXME likely incorrect */
+      return;
+
    while (ty < yc)
      {
         int                 len;
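Review bot: as in the non-AA variant, the early `return` before `while (ty < yc)` drops the remaining rows without any indication to the caller. If the degenerate case is to be allowed at all, the antialiased path should draw something deterministic (a line or a point) rather than return with part of the shape missing; at minimum the comment should say what is left undrawn instead of `likely incorrect`.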
@@ -360,6 +368,7 @@ __imlib_Ellipse_FillToData(int xc, int y
           {
              prev_y = y;
              dx -= a2;
+             if (dx == 0) break; /* FIXME likely incorrect */
              ty++;
              by--;
              tp += dstw;
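Review bot: in the fill variant, breaking out of the loop here leaves the rows the loop would still have covered unfilled, so the caller gets a partially filled shape and no error. The same exact-zero concern applies as in the draw variants: prefer `dx <= 0`, or better a single guard at function entry, over a mid-loop break.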
@@ -417,6 +426,9 @@ __imlib_Ellipse_FillToData(int xc, int y
    tp += dstw;
    bp -= dstw;
 
+   if (dy == 0) /* FIXME likely incorrect */
+      return;
+
    while (ty < yc)
      {
         int                 len;
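Review bot: same early return as in the draw variants; for a fill routine it means the interior spans the `while (ty < yc)` loop would emit are missing entirely. Please consolidate this with the `dx` guard in the first loop of `__imlib_Ellipse_FillToData` into one documented degenerate-case check instead of two FIXMEs per function.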
@@ -517,6 +529,7 @@ __imlib_Ellipse_FillToData_AA(int xc, in
           {
              prev_y = y;
              dx -= a2;
+             if (dx == 0) break; /* FIXME likely incorrect */
              ty++;
              by--;
              tp += dstw;
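Review bot: fourth copy of the `dx == 0` guard; the comments on the first copy apply unchanged. If the four functions cannot share an entry check, the repeated comment should at least reference the bug (Debian #639414) so the next reader knows why a mid-loop break with an admitted correctness problem exists.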
@@ -579,6 +592,9 @@ __imlib_Ellipse_FillToData_AA(int xc, in
    tp += dstw;
    bp -= dstw;
 
+   if (dy == 0) /* FIXME likely incorrect */
+      return;
+
    while (ty < yc)
      {
         int                 len;
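Review bot: same as the earlier `dy == 0` returns. Overall the patch does stop the SIGFPE, which is the right priority, but it lands eight FIXMEs describing the result as probably wrong; before merging, please add a regression test that calls `imlib_image_draw_ellipse(4,4,2,1)` (and the transposed 1x2 case) and asserts no crash, so that a later proper fix can be checked against it.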
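As an added example, not code from this report or from imlib2: a caller-side guard in C for the DoS case described at the top of the message, where the ellipse geometry arrives from untrusted input. It assumes the imlib_image_draw_ellipse(xc, yc, a, b) arguments are the centre followed by the horizontal and vertical radii, treats any radius below 2 as degenerate because the reported crash is the (2,1) case (a conservative assumption, not a documented imlib2 rule), and uses a constructed "xc,yc,a,b" text format plus a MAX_RADIUS cap that are choices of this example only. The application would call imlib_image_draw_ellipse only when the check returns true.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Policy cap on either radius; a choice of this example, not an imlib2 limit. */
#define MAX_RADIUS 1024

typedef struct {
    int xc, yc;   /* centre, in pixels */
    int a, b;     /* assumed: horizontal and vertical radii, as passed to
                     imlib_image_draw_ellipse(xc, yc, a, b) */
} ellipse_params;

/* Parse one decimal integer, rejecting junk, ERANGE and values outside int. */
static bool parse_int(const char *s, char **end, int *out)
{
    long v;

    errno = 0;
    v = strtol(s, end, 10);
    if (*end == s || errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return false;
    *out = (int)v;
    return true;
}

/* Parse the constructed "xc,yc,a,b" line format used by this example:
   exactly four comma-separated integers and nothing else. */
bool parse_ellipse(const char *s, ellipse_params *e)
{
    int *field[4] = { &e->xc, &e->yc, &e->a, &e->b };
    char *end;
    int i;

    for (i = 0; i < 4; i++) {
        if (!parse_int(s, &end, field[i]))
            return false;
        if (i < 3) {
            if (*end != ',')
                return false;
            s = end + 1;
        } else {
            s = end;
        }
    }
    return *s == '\0';
}

/* Decide whether the ellipse is safe to hand to the rasterizer for a
   w x h image: non-degenerate radii and a bounding box inside the image. */
bool ellipse_ok(const ellipse_params *e, int w, int h)
{
    if (w <= 0 || h <= 0)
        return false;
    /* The reported crash is the (a, b) == (2, 1) case. This example treats
       any radius below 2 as degenerate (a conservative assumption) and caps
       the radii so the bounding-box comparisons below cannot overflow. */
    if (e->a < 2 || e->b < 2 || e->a > MAX_RADIUS || e->b > MAX_RADIUS)
        return false;
    if (e->xc < e->a || e->xc > w - 1 - e->a)
        return false;
    if (e->yc < e->b || e->yc > h - 1 - e->b)
        return false;
    return true;
}

/* Combined check for one untrusted line; the caller draws only on true. */
bool ellipse_line_ok(const char *line, int w, int h, ellipse_params *e)
{
    return parse_ellipse(line, e) && ellipse_ok(e, w, h);
}

int main(void)
{
    /* Constructed inputs: the reported crash case, a benign ellipse, junk. */
    static const char *const lines[] = { "4,4,2,1", "32,32,10,6", "4,4,2,x" };
    ellipse_params e;
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-12s -> %s\n", lines[i],
               ellipse_line_ok(lines[i], 64, 64, &e) ? "draw" : "reject");
    return 0;
}
```

The parse step matters as much as the radius check: strtol without the `end == s` and ERANGE tests would turn "4,4,2,x" or an oversized number into arbitrary int values, which is exactly the kind of input that reaches the degenerate path in the rasterizer.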