raster pushed a commit to branch efl-1.20.

http://git.enlightenment.org/core/efl.git/commit/?id=b97783d4c400f8a2c0bf3bc6c649079798d14068

commit b97783d4c400f8a2c0bf3bc6c649079798d14068
Author: Jean-Philippe Andre <jp.an...@samsung.com>
Date:   Wed Oct 18 21:40:01 2017 +0900

    evas: Prevent crash with image_data_get
    
    If the image has no data, it may get an allocated surface of 1x1 but it
    is not sane to return the pointer to that data, as the user would expect
    a normally sized image (in my case, 1920x1080).
    
    I do not fully understand what is going on with this image. But at least
    this transforms a crash into a simple ERR in ~/.xsession-errors
    
    Two similar crashes happened:
     - SIGSEGV by writing data outside of the image data
     - abort() in free() because the malloc metadata has been overwritten
       when writing outside of the image data (newly allocated 1x1).
    
    Fixes T5957
    
    @fix
---
 src/modules/evas/engines/gl_generic/evas_engine.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/modules/evas/engines/gl_generic/evas_engine.c 
b/src/modules/evas/engines/gl_generic/evas_engine.c
index 3fe5eb8dfa..3386baf8e1 100644
--- a/src/modules/evas/engines/gl_generic/evas_engine.c
+++ b/src/modules/evas/engines/gl_generic/evas_engine.c
@@ -672,7 +672,6 @@ _rotate_image_data(Render_Engine_GL_Generic *re, 
Evas_GL_Image *im1)
 
    w = im1->w;
    h = im1->h;
-   alpha = eng_image_alpha_get(re, im1);
 
    if (im1->orient == EVAS_IMAGE_ORIENT_90 ||
        im1->orient == EVAS_IMAGE_ORIENT_270 ||
@@ -683,6 +682,10 @@ _rotate_image_data(Render_Engine_GL_Generic *re, 
Evas_GL_Image *im1)
         h = im1->w;
      }
 
+   if ((w * h) <= 0) return NULL;
+
+   alpha = eng_image_alpha_get(re, im1);
+   gl_context = gl_generic_context_find(re, 1);
    im2 = evas_gl_common_image_surface_new(gl_context, w, h, alpha, EINA_FALSE);
 
    evas_gl_common_context_target_surface_set(gl_context, im2);
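Review bot: The new guard `if ((w * h) <= 0) return NULL;` multiplies before it tests, so two negative dimensions give a positive product and pass. A large enough pair can also overflow the multiplication, which is undefined behaviour if `w` and `h` are signed ints (their declarations are outside the hunk). Testing each dimension on its own avoids both: `if ((w <= 0) || (h <= 0)) return NULL;`. In the visible lines the result of `evas_gl_common_image_surface_new()` also goes straight into `evas_gl_common_context_target_surface_set()` without a NULL check. Callers of `_rotate_image_data()` now have to handle a NULL return, and they are not shown here.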
@@ -874,8 +877,18 @@ eng_image_data_get(void *engine, void *image, int 
to_write, DATA32 **image_data,
 #endif
      error = evas_cache_image_load_data(&im->im->cache_entry);
 
+   if (err) *err = error;
    if (error != EVAS_LOAD_ERROR_NONE)
      {
+        if (!im->im->image.data ||
+            (im->im->cache_entry.allocated.w != (unsigned) im->w) ||
+            (im->im->cache_entry.allocated.h != (unsigned) im->h))
+          {
+             ERR("GL image has no source data, failed to get pixel data");
+             *image_data = NULL;
+             return im;
+          }
+
         if (tofree && !to_write)
           goto rotate_image;
      }
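Review bot: The comparison against `cache_entry.allocated.w`/`.h` runs only inside `if (error != EVAS_LOAD_ERROR_NONE)`, so a load that reports success but leaves a surface smaller than `im->w` x `im->h` would still hand the undersized pointer to the caller. Since the commit message says the root cause is not understood, consider running the size check on both paths. `*image_data = NULL;` is written unconditionally while `err` is NULL-checked a few lines above; if `image_data` may be NULL it needs the same guard, but the function's contract is outside the hunk. Logging the sizes would make the out-of-bounds condition diagnosable from the log, e.g. `ERR("GL image has no source data (allocated %ux%u, expected %dx%d)", im->im->cache_entry.allocated.w, im->im->cache_entry.allocated.h, im->w, im->h);`.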

-- 

