[gnome-print] Access off beginning of array causes FPE on Alpha



Hi,

Two patches follow from a Debian user.

Christian

From: Doug Larrick <doug@jekyl.ddts.net>
Subject: Bug#139618: libgnomeprint15: Access off beginning of array causes FPE on Alpha
To: Debian Bug Tracking System <submit@bugs.debian.org>
Date: Sat, 23 Mar 2002 12:29:40 -0500
Reply-To: Doug Larrick <doug@jekyl.ddts.net>, 139618@bugs.debian.org
Resent-From: Doug Larrick <doug@jekyl.ddts.net>
X-Mailer: reportbug 1.48

Package: libgnomeprint15
Version: 0.35-3
Severity: normal
Tags: patch

The following brief patch fixes a problem where gfft2_move_to() is reading
an item at index -1 of an array.  On other platforms, this behavior probably
goes unnoticed, but on Alpha it leads to a floating point exception crash
because the location often does not contain a valid floating point number.  
This bug causes the print preview function to crash on Alpha.

--- gnome-font-face.c~	Fri Jan 11 22:52:59 2002
+++ gnome-font-face.c	Sat Mar 23 12:00:24 2002
@@ -724,7 +724,7 @@
 	p.x = to->x * od->t[0] + to->y * od->t[2];
 	p.y = to->x * od->t[1] + to->y * od->t[3];
 
-	if ((p.x != s->x3) || (p.y != s->y3)) {
+	if (od->end == 0 || (p.x != s->x3) || (p.y != s->y3)) {
 		od->bp[od->end].code = ART_MOVETO;
 		od->bp[od->end].x3 = to->x * od->t[0] + to->y * od->t[2];
 		od->bp[od->end].y3 = to->x * od->t[1] + to->y * od->t[3];
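Review bot: in the new condition, `od->end == 0` only short-circuits the reads of `s->x3` and `s->y3`; `s` is assigned above the visible context, so please confirm that assignment does not itself index `od->bp` with `od->end - 1` when `od->end` is 0, or move it behind the same guard. A one-line comment on the condition saying that there is no previous point to compare against when `od->end` is 0 would help the next reader. Separately, the assignments after the test recompute the expressions already stored in `p.x` and `p.y`; `od->bp[od->end].x3 = p.x;` and the matching `y3` line would be easier to read.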


Similar to my prior patch, this misbehaviour is also accessing
uninitialized memory.  This time fields are unused in a particular
instance of a struct (since p->code is ART_END, the coordinates in p->x3
and p->y3 have never been assigned).  This bug caused a crash when
trying to actually print from Balsa (or presumably, other
gnome-print-using programs).


--- gp-path.c~	Thu Oct  4 16:04:11 2001
+++ gp-path.c	Sat Mar 23 13:08:08 2002
@@ -460,7 +460,8 @@
  		}
  	}
  -	if ((!closed) && ((start->x3 != p->x3) || (start->y3 != p->y3))) {
+	if ((!closed) && (p->code == ART_END || +
(start->x3 != p->x3) || (start->y3 != p->y3))) {

  		d->code = ART_LINETO;
  		d->x3 = start->x3;
  		d->y3 = start->y3;
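Review bot: the added condition has been wrapped in transit: the first `+` line ends in a stray `+`, its continuation `(start->x3 != p->x3) || (start->y3 != p->y3))) {` carries no `+` prefix, and the `-` line is indented, so the hunk will not apply as posted against the `-460,7 +460,8` header; please resend it as an attachment. On the logic, with `p->code == ART_END` the `ART_LINETO` back to `start` is now emitted for every unclosed path in that state, so a short comment stating that `p->x3` and `p->y3` are unset when `p->code` is `ART_END` would document why the coordinate comparison is skipped there.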





