Re: [Pixman] [PATCH] pixman-general: Fix stack related pointer arithmetic overflow

2015-09-22 Thread Ludovic Courtès
Oded Gabbay  skribis:

> I tested the patch and it fixed the crash on my computer.
>
> I pushed it to master:
> 4297e90..8b49d4b  master -> master
>
> and to 0.32 branch:
> d6a4a56..204fcd2  0.32 -> 0.32

Great, thanks to all of you.

Ludo’.
___
Pixman mailing list
Pixman@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/pixman


[Pixman] [PATCH] Fix arithmetic overflow in pointer arithmetic in ‘general_composite_rect’

2015-09-21 Thread Ludovic Courtès
Hello,

The patch below intends to fix an arithmetic overflow occurring in a
pointer arithmetic context in ‘general_composite_rect’, as explained at:

  https://bugs.freedesktop.org/show_bug.cgi?id=92027#c6

The bug can most likely lead to a crash.

In a preliminary review, Siarhei Siamashka notes that ‘width + 1’ is
insufficient to take 16-byte alignment constraints into account.
Indeed, AFAICS, it is sufficient when Bpp == 16 but probably not when
Bpp == 4.

Siarhei also suggests that more rewriting is needed in that part of the
code, but I’ll leave that to you.  ;-)

Thanks,
Ludo’.

Fix  whereby
an arithmetic overflow could occur while doing pointer arithmetic,
leading pixman to use an invalid address as the destination buffer.

--- pixman-0.32.6/pixman/pixman-general.c	2015-09-21 15:14:34.695981325 +0200
+++ pixman-0.32.6/pixman/pixman-general.c	2015-09-21 15:19:48.898355548 +0200
@@ -144,8 +144,7 @@ general_composite_rect  (pixman_implemen
 mask_buffer = ALIGN (src_buffer + width * Bpp);
 dest_buffer = ALIGN (mask_buffer + width * Bpp);
 
-if (ALIGN (dest_buffer + width * Bpp) >
-	scanline_buffer + sizeof (stack_scanline_buffer))
+if ((width + 1) * Bpp * 3 > sizeof (stack_scanline_buffer))
 {
 	scanline_buffer = pixman_malloc_ab_plus_c (width, Bpp * 3, 32 * 3);
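Review bot: the replacement condition `(width + 1) * Bpp * 3 > sizeof (stack_scanline_buffer)` moves the overflow rather than removing it: `width`, `Bpp` and `3` are all `int`, so the product is evaluated in `int` and can itself overflow for a large `width` before it is widened for the comparison against `sizeof`, and a wrapped positive result would select the stack buffer for a width that does not fit. Check before multiplying, e.g. reject `width <= 0` and `width > INT_MAX / (Bpp * 3)` and take the `pixman_malloc_ab_plus_c` path in those cases, then compare. The `+ 1` also does not cover the alignment that the old condition accounted for: each `ALIGN` rounds up to a 16-byte boundary and can therefore add up to 15 bytes, and the context lines show `mask_buffer` and `dest_buffer` both going through it, so the padding can reach 15 bytes per `ALIGN` call, while `(width + 1) * Bpp * 3` only reserves `Bpp * 3` extra bytes (12 when `Bpp == 4`). Budgeting the padding explicitly, along the lines of `width * Bpp * 3 > sizeof (stack_scanline_buffer) - 15 * 3`, is correct for every `Bpp`. Finally, the two unchanged lines above still compute `mask_buffer` and `dest_buffer` from `width * Bpp` before the check runs, so the out-of-range pointer arithmetic the commit message describes still happens on the stack-buffer pointers; either move the check ahead of those assignments or work only with sizes until the buffer has been chosen.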
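The two weaknesses discussed in the thread, the int multiplication that can itself overflow and the `width + 1` slack that is too small to absorb 16-byte alignment padding when Bpp == 4, are easier to see on a small model than in the real code. The C below is an added example written for this page; it is not pixman's code and not part of the thread. It assumes a 3 * 8192-byte stack buffer and 16-byte ALIGN steps for src, mask and dest (the buffer size is an assumption for the example), and the helper names `bytes_needed`, `fits_stack_patched` and `fits_stack_safe` are made up here. `fits_stack_patched` reproduces the condition as posted, `fits_stack_safe` is a hardened variant that rejects overflowing widths before multiplying and budgets 15 bytes per ALIGN, and `bytes_needed` computes, with plain integers rather than pointers, how many bytes the three aligned scanlines really occupy for a buffer that starts at a given misalignment.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Assumed layout, modelled on the quoted context: three scanlines
 * (src, mask, dest) carved out of one stack buffer, each start rounded
 * up to a 16-byte boundary.  The buffer size is an assumption made for
 * this example, not pixman's own constant.
 */
#define SCANLINE_BUFFER_LENGTH 8192
#define STACK_BUFFER_SIZE      (3 * SCANLINE_BUFFER_LENGTH)
#define ALIGNMENT              16
#define ALIGN_SLACK            (ALIGNMENT - 1)

static uint64_t align_up(uint64_t addr)
{
    return (addr + ALIGN_SLACK) & ~(uint64_t)ALIGN_SLACK;
}

/*
 * Bytes the three aligned scanlines actually occupy when the buffer
 * starts 'misalign' bytes past a 16-byte boundary.  Done on 64-bit
 * integers rather than pointers, so it neither overflows nor forms an
 * out-of-range pointer for the widths used here.  The base address is
 * a constructed value, not a real allocation.
 */
static uint64_t bytes_needed(unsigned misalign, int width, int Bpp)
{
    uint64_t base = 0x100000u + (misalign % ALIGNMENT);
    uint64_t row  = (uint64_t)width * (uint64_t)Bpp;
    uint64_t src  = align_up(base);
    uint64_t mask = align_up(src + row);
    uint64_t dest = align_up(mask + row);
    return dest + row - base;
}

/*
 * The condition as posted in the patch, kept as the 'before' case.
 * The product is computed in int, so this must only be called with
 * widths well below INT_MAX / (Bpp * 3); that limitation is the point.
 */
static bool fits_stack_patched(int width, int Bpp)
{
    return (width + 1) * Bpp * 3 <= STACK_BUFFER_SIZE;
}

/*
 * Hardened condition: reject non-positive sizes, refuse the stack
 * buffer whenever width * Bpp * 3 would overflow int (the heap path
 * can then do its own overflow-checked allocation), and budget
 * 15 bytes for each of the three ALIGN steps instead of one extra
 * pixel per scanline.
 */
static bool fits_stack_safe(int width, int Bpp)
{
    if (width <= 0 || Bpp <= 0 || Bpp > INT_MAX / 3)
        return false;
    if (width > INT_MAX / (Bpp * 3))
        return false;   /* product would overflow: caller must use the malloc path */
    size_t need = (size_t)width * (size_t)Bpp * 3 + 3 * ALIGN_SLACK;
    return need <= (size_t)STACK_BUFFER_SIZE;
}

int main(void)
{
    /* Constructed cases around the edge of the assumed 24576-byte buffer. */
    struct { int width, Bpp; } cases[] = {
        { 2047,  4 },  /* passes the posted check, yet the padding overruns the buffer */
        { 2043,  4 },  /* fits even with worst-case padding */
        {  511, 16 },  /* Bpp == 16: the posted check's slack happens to suffice */
        {  512, 16 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int w = cases[i].width, b = cases[i].Bpp;
        printf("width=%4d Bpp=%2d posted=%d safe=%d bytes(misalign 1)=%llu limit=%d\n",
               w, b, fits_stack_patched(w, b), fits_stack_safe(w, b),
               (unsigned long long)bytes_needed(1, w, b), STACK_BUFFER_SIZE);
    }
    /* A huge width is rejected without the product ever being evaluated. */
    printf("width=INT_MAX Bpp=16 safe=%d\n", fits_stack_safe(INT_MAX, 16));
    return 0;
}
```

Running it shows width 2047 at Bpp == 4 accepted by the posted check while the three aligned scanlines need 24587 bytes of a 24576-byte buffer, whereas at Bpp == 16 the extra `Bpp * 3` bytes of slack (48) do cover the padding, which is the Bpp == 16 versus Bpp == 4 distinction made in the mail. The hardened check does the overflow test as a division before any multiplication, so the width near INT_MAX never reaches an int product.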