[gimp/gimp-2-10] Issue #6610: crashes on free select for images of certain dimensions.



commit 5ad7ef10c3976eea3b605fcdc0843d80dee3e750
Author: Jehan <jehan girinstud io>
Date:   Wed Aug 4 00:29:56 2021 +0200

    Issue #6610: crashes on free select for images of certain dimensions.
    
    g_alloca() is discouraged. Even though it might be more efficient in
    some specific cases, it is quite prone to stack overflow when a lot of
    memory is requested.
    
    Let's allocate dynamic memory instead. To avoid doing it too much, let's
    just reuse the same pointer especially since region of interest will
    usually be the same size when iterating a buffer, except for border
    ones (which would usually be smaller, so we can use the same allocated
    buffer again). I still make size checks, just in case.
    
    (cherry picked from commit f2fb98cb690414f0741aa6a46759616e18d6e186)

 app/core/gimpscanconvert.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
---
diff --git a/app/core/gimpscanconvert.c b/app/core/gimpscanconvert.c
index dc763bc4b0..ed5859c5d8 100644
--- a/app/core/gimpscanconvert.c
+++ b/app/core/gimpscanconvert.c
@@ -497,6 +497,8 @@ gimp_scan_convert_render_full (GimpScanConvert *sc,
                                gdouble          value)
 {
   const Babl         *format;
+  guchar             *shared_buf      = NULL;
+  gsize               shared_buf_size = 0;
   GeglBufferIterator *iter;
   GeglRectangle      *roi;
   cairo_t            *cr;
@@ -545,7 +547,13 @@ gimp_scan_convert_render_full (GimpScanConvert *sc,
        */
       if (roi->width * bpp != stride)
         {
-          tmp_buf = g_alloca (stride * roi->height);
+          if (shared_buf_size < stride * roi->height)
+            {
+              shared_buf_size = stride * roi->height;
+              g_free (shared_buf);
+              shared_buf = g_malloc (shared_buf_size);
+            }
+          tmp_buf = shared_buf;
 
           if (! replace)
             {
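Review bot: The size `stride * roi->height` in the new check is evaluated twice, and if both operands are plain `gint` (their declarations are outside this hunk) the multiplication is done in signed int before it is compared with the `gsize` `shared_buf_size`. For a very large region that product could overflow before the conversion, leaving `tmp_buf` smaller than the code that fills it expects. Computing it once in the wide type, `gsize needed = (gsize) stride * roi->height;`, and using `needed` for the comparison, the assignment and the `g_malloc ()` call would avoid that. It is also worth confirming that `stride` cannot be negative at this point, since a negative value would convert to a huge `gsize` and make `g_malloc ()` abort. The body of gimp_scan_convert_render_full starts and ends outside this hunk.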
@@ -634,4 +642,6 @@ gimp_scan_convert_render_full (GimpScanConvert *sc,
             }
         }
     }
+
+  g_free (shared_buf);
 }

