On 04/05/2016 06:48 AM, Yuriy M. Kaminskiy wrote:
> As reported in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=639414
> imlib_image_draw_ellipse(4,4,2,1) triggers a divide-by-zero and SIGFPE.
> I verified that the bug can be reproduced in the current imlib2.
> The attached patch prevents the SIGFPE, but probably results in incorrect
> drawing.
> Minor security implications: DoS, if an application draws an ellipse using
> coordinates from untrusted input.
> 
Hi

Attached is a better patch; dx / dy are slowly decrementing, so cutting
them off at 1 seems reasonable. These variables, combined with xx and yy,
are only used to work out if x or y has changed since the last iteration,
then increment or decrement the other variables and continue the loop.
From looking at the first loop, in the case where b == 0, dx and dy will
always be 0 as well, in which case the loop won't run due to dy < dx. As
dy is incremented by b*b and dx is decremented by a*a, to replicate this
issue a*a*b - a*a == 0, in other words when b == 1. Presuming this is
implementing one of two common ellipse drawing algorithms, we are probably
talking about drawing ellipses that are either 1 or 2 pixels high and
were probably never going to draw that well anyway.

Cheers

-- 

Simon Lees (Simotek)                            http://simotek.net

Emergency Update Team                           keybase.io/simotek
SUSE Linux                            Adelaide Australia, UTC+9:30
GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B
Index: imlib2-1.4.2/src/lib/ellipse.c
===================================================================
--- imlib2-1.4.2.orig/src/lib/ellipse.c
+++ imlib2-1.4.2/src/lib/ellipse.c
@@ -71,6 +71,9 @@ __imlib_Ellipse_DrawToData(int xc, int y
         if (IN_RANGE(rx, by, clw, clh))
            pfunc(color, bp + len);
 
+        if (dx < 1)
+           dx = 1;
+
         dy += b2;
         yy -= ((dy << 16) / dx);
         lx--;
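Review bot: the clamp `if (dx < 1) dx = 1;` in this hunk rewrites loop state, not just the divisor: dx is also the bound in the `dy < dx` loop condition described above, so forcing it to 1 changes when the loop terminates as well as the size of the `yy -= ((dy << 16) / dx);` step. Guarding only the division (for example `if (dx > 0) yy -= ((dy << 16) / dx);`, or dividing by a local `dx > 0 ? dx : 1`) avoids the SIGFPE without touching the termination test, and a one-line comment naming Debian #639414 would stop the guard from being "cleaned up" later.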
@@ -123,6 +126,9 @@ __imlib_Ellipse_DrawToData(int xc, int y
         if (IN_RANGE(rx, by, clw, clh))
            pfunc(color, bp + len);
 
+        if (dy < 1)
+           dy = 1;
+
         dx -= a2;
         xx += ((dx << 16) / dy);
         ty++;
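Review bot: `if (dy < 1) dy = 1;` in this hunk also turns a negative dy into 1, which would flip the sign of the `xx += ((dx << 16) / dy);` step. If, as the b == 1 analysis above suggests, dy can only reach exactly 0 here, `dy == 0` states the intent more precisely; if dy can genuinely go negative, that case needs its own handling rather than being folded into the divide-by-zero guard.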
@@ -222,6 +228,9 @@ __imlib_Ellipse_DrawToData_AA(int xc, in
         if (IN_RANGE(rx, by, clw, clh))
            pfunc(col1, bp + len);
 
+        if (dx < 1)
+           dx = 1;
+
         dy += b2;
         yy -= ((dy << 16) / dx);
         lx--;
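Review bot: these three lines are now the same text that was added to __imlib_Ellipse_DrawToData a few hunks up, and the same block is repeated for the AA and fill variants below. Eight hand-copied clamps across four functions are easy to fix in one place and miss in another; a small static inline helper for the 16.16 division (or a macro used by all four loops) would keep one guard to maintain.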
@@ -295,6 +304,9 @@ __imlib_Ellipse_DrawToData_AA(int xc, in
         if (IN_RANGE(rx, by, clw, clh))
            pfunc(col1, bp + len);
 
+        if (dy < 1)
+           dy = 1;
+
         dx -= a2;
         xx += ((dx << 16) / dy);
         ty++;
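Review bot: the clamp has no comment, so a reader of this loop cannot tell why dy could be 0 just before `xx += ((dx << 16) / dy);` or that the mis-drawing for 1- and 2-pixel-high ellipses is accepted. A short note such as `/* dy can reach 0 for b == 1 (Debian #639414); clamp to avoid SIGFPE */` on the first occurrence, with the others referring to it, would document the trade-off the e-mail explains.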
@@ -395,6 +407,9 @@ __imlib_Ellipse_FillToData(int xc, int y
         if (IN_RANGE(rx, by, clw, clh))
            pfunc(color, bp + len);
 
+        if (dx < 1)
+           dx = 1;
+
         dy += b2;
         yy -= ((dy << 16) / dx);
         lx--;
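Review bot: with dx forced to 1 the step becomes `yy -= dy << 16`, i.e. yy moves by the whole of dy in one iteration instead of a fraction of it, so the fill routine's row bookkeeping (`lx--` and the matching updates) jumps rather than stepping. The `IN_RANGE(rx, by, clw, clh)` check above the clamp still guards the pixel write, so the visible consequence is wrong geometry rather than an out-of-bounds store, but the commit message should say so explicitly since the patch changes output for valid input.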
@@ -453,6 +468,9 @@ __imlib_Ellipse_FillToData(int xc, int y
         if (((unsigned)(by) < clh) && (len > 0))
            sfunc(color, bpp, len);
 
+        if (dy < 1)
+           dy = 1;
+
         dx -= a2;
         xx += ((dx << 16) / dy);
         ty++;
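Review bot: this is the one hunk where the loop emits spans, `sfunc(color, bpp, len)`, guarded only by `((unsigned)(by) < clh) && (len > 0)`. Because the clamp makes `xx += ((dx << 16) / dy);` take a full `dx << 16` step when dy is 1, please confirm that len, which is derived from xx, is clipped against clw before the span write, since that horizontal clipping is not visible in this hunk.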
@@ -556,6 +574,9 @@ __imlib_Ellipse_FillToData_AA(int xc, in
         if (IN_RANGE(rx, by, clw, clh))
            pfunc(col1, bp + len);
 
+        if (dx < 1)
+           dx = 1;
+
         dy += b2;
         yy -= ((dy << 16) / dx);
         lx--;
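Review bot: none of the hunks come with a regression test. The reproducer from the report, `imlib_image_draw_ellipse(4,4,2,1)`, exercises only the non-AA draw path; a test that also calls the filled and anti-aliased variants (this function and __imlib_Ellipse_FillToData_AA below) with b == 1 and a small a would make sure the SIGFPE cannot come back in any of the four loops.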
@@ -629,6 +650,9 @@ __imlib_Ellipse_FillToData_AA(int xc, in
         if (IN_RANGE(rx, by, clw, clh))
            pfunc(col1, bp + len);
 
+        if (dy < 1)
+           dy = 1;
+
         dx -= a2;
         xx += ((dx << 16) / dy);
         ty++;
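Review bot: the `if (dy < 1) dy = 1;` guard sits two statements above the division it protects, separated by `dx -= a2;`. That is correct as written, since dy is not touched in between, but placing the guard directly above `xx += ((dx << 16) / dy);`, or folding it in as `xx += ((dx << 16) / (dy < 1 ? 1 : dy));`, makes the pairing obvious and harder to break when the loop body is edited.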

Attachment: signature.asc
Description: OpenPGP digital signature

------------------------------------------------------------------------------
_______________________________________________
enlightenment-devel mailing list
enlightenment-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/enlightenment-devel