| commit | 1f3adb0ea5171f990b2299fb6e2c9f25030ccbd3 | |
| author | Martin Frydl <mfrydl@gmail.com> | |
| Fri, 26 Feb 2010 10:10:18 +0000 (26 11:10 +0100) | ||
| committer | Carlos R. Mafra <crmafra@gmail.com> | |
| Fri, 26 Feb 2010 12:15:18 +0000 (26 13:15 +0100) | ||
| tree | f29a9fbce408c4bb854a85f0cae9e1ea98874205 | treesnapshot (tar.gz zip) |
| parent | ad853b386eaf46cb537500e42aaa601ca80a26fe | commitdiff |
Patch for WINGs buffer overflow
I've found a buffer overflow problem in RSmoothScaleImage. There are
some scaling calculations involving floats which are finally converted
to integers. Since such conversion does not round the number, just
truncates the decimal part, sometimes the number is smaller than it
should be. As a result, smaller buffer is allocated for picture
scaling and thus buffer overflow occurs.
Strange thing is that this bug has not appeared earlier so it probably
has something to do with newer gcc or glibc (I switch from
"prehistoric" Fedora Core 5 to Fedora 12).
<What about the symptoms?>
There were several ones, probably depending on application version and
compilation flags. First, it just stopped responding. Looking at the
process with strace I saw it locked in some FUTEX wait (unfortunately
I don't have the logs). Second, it just crashed. And last I got
complaint from glibc about double free or corrupted heap before
malloc. I've found the bug through wmweather+ dockapp, versions 2.9
and 2.11 (http://sourceforge.net/projects/wmweatherplus/), I've never
encountered it in WindowMaker itself.
I've found a buffer overflow problem in RSmoothScaleImage. There are
some scaling calculations involving floats which are finally converted
to integers. Since such conversion does not round the number, just
truncates the decimal part, sometimes the number is smaller than it
should be. As a result, smaller buffer is allocated for picture
scaling and thus buffer overflow occurs.
Strange thing is that this bug has not appeared earlier so it probably
has something to do with newer gcc or glibc (I switch from
"prehistoric" Fedora Core 5 to Fedora 12).
<What about the symptoms?>
There were several ones, probably depending on application version and
compilation flags. First, it just stopped responding. Looking at the
process with strace I saw it locked in some FUTEX wait (unfortunately
I don't have the logs). Second, it just crashed. And last I got
complaint from glibc about double free or corrupted heap before
malloc. I've found the bug through wmweather+ dockapp, versions 2.9
and 2.11 (http://sourceforge.net/projects/wmweatherplus/), I've never
encountered it in WindowMaker itself.
| wrlib/scale.c | diffblobblamehistory |