As reported in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=639414, imlib_image_draw_ellipse(4,4,2,1) triggers a divide-by-zero and SIGFPE. I verified that the bug can be reproduced in the current imlib2. The attached patch prevents SIGFPE, but probably results in incorrect drawing. Minor security implications: DoS, if an application draws an ellipse using coordinates from untrusted input.
Description: fix divide-by-zero on drawing 2x1 ellipse Author: Yuriy M. Kaminskiy <yumkam+deb...@gmail.com> Note: resulting images are probably incorrect; but SIGFPE is certainly worse. Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=639414 Index: imlib2-1.4.6/src/lib/ellipse.c =================================================================== --- imlib2-1.4.6.orig/src/lib/ellipse.c +++ imlib2-1.4.6/src/lib/ellipse.c @@ -54,6 +54,7 @@ __imlib_Ellipse_DrawToData(int xc, int y { prev_y = y; dx -= a2; + if (dx == 0) break; /* FIXME likely incorrect */ ty++; by--; tp += dstw; @@ -95,6 +96,9 @@ __imlib_Ellipse_DrawToData(int xc, int y tp += dstw; bp -= dstw; + if (dy == 0) /* FIXME likely incorrect */ + return; + while (ty < yc) { int len; @@ -185,6 +189,7 @@ __imlib_Ellipse_DrawToData_AA(int xc, in { prev_y = y; dx -= a2; + if (dx == 0) break; /* FIXME likely incorrect */ ty++; by--; tp += dstw; @@ -247,6 +252,9 @@ __imlib_Ellipse_DrawToData_AA(int xc, in tp += dstw; bp -= dstw; + if (dy == 0) /* FIXME likely incorrect */ + return; + while (ty < yc) { int len; @@ -360,6 +368,7 @@ __imlib_Ellipse_FillToData(int xc, int y { prev_y = y; dx -= a2; + if (dx == 0) break; /* FIXME likely incorrect */ ty++; by--; tp += dstw; @@ -417,6 +426,9 @@ __imlib_Ellipse_FillToData(int xc, int y tp += dstw; bp -= dstw; + if (dy == 0) /* FIXME likely incorrect */ + return; + while (ty < yc) { int len; @@ -517,6 +529,7 @@ __imlib_Ellipse_FillToData_AA(int xc, in { prev_y = y; dx -= a2; + if (dx == 0) break; /* FIXME likely incorrect */ ty++; by--; tp += dstw; @@ -579,6 +592,9 @@ __imlib_Ellipse_FillToData_AA(int xc, in tp += dstw; bp -= dstw; + if (dy == 0) /* FIXME likely incorrect */ + return; + while (ty < yc) { int len;
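Review bot: In the `dx -= a2;` hunks, `if (dx == 0) break;` leaves the loop after `prev_y = y` and `dx` have been updated but before `ty++; by--; tp += dstw;`, so the loop exits with the row counters and destination pointer not advanced for the row already recorded in prev_y, which fits the FIXME. The same line is added to all four functions (__imlib_Ellipse_DrawToData, __imlib_Ellipse_DrawToData_AA, __imlib_Ellipse_FillToData, __imlib_Ellipse_FillToData_AA), so consider handling the degenerate size once, before the loops start, instead of breaking mid-iteration, and add a regression test for the reported imlib_image_draw_ellipse(4,4,2,1) call.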
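Review bot: In the hunks ahead of `while (ty < yc)`, `if (dy == 0) return;` exits the function without running the second loop at all, so any rows that loop would have covered are silently left undrawn, and dy is tested only once, before the loop. Please confirm that dy cannot reach zero inside that loop (the first loop needed its check after the `dx -= a2;` decrement), and replace the FIXME with a comment stating which input sizes take this path and what output the caller gets.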