Hello,

I've found a buffer overflow problem in RSmoothScaleImage. There are
some scaling calculations involving floats which are finally converted
to integers. Since such a conversion does not round the number but
just truncates the decimal part, the number is sometimes smaller than
it should be. As a result, a smaller buffer than needed is allocated
for picture scaling, and thus a buffer overflow occurs.

The strange thing is that this bug has not appeared earlier, so it
probably has something to do with a newer gcc or glibc (I switched from
"prehistoric" Fedora Core 5 to Fedora 12).

Martin
diff -rNu WindowMaker-0.92.0.orig/wrlib/scale.c WindowMaker-0.92.0.new/wrlib/scale.c
--- WindowMaker-0.92.0.orig/wrlib/scale.c	2004-10-12 23:11:25.000000000 +0200
+++ WindowMaker-0.92.0.new/wrlib/scale.c	2010-02-26 10:46:37.000000000 +0100
@@ -443,7 +443,7 @@
         fscale = 1.0 / xscale;
         for (i = 0; i < new_width; ++i) {
             contrib[i].n = 0;
-            contrib[i].p = (CONTRIB *)calloc((int)(width * 2 + 1),
+            contrib[i].p = (CONTRIB *)calloc((int) ceil(width * 2 + 1),
                                              sizeof(CONTRIB));
             center = (double) i / xscale;
             left = ceil(center - width);
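Review bot: The allocation size on the `+` line is still derived independently of the loop bound that fills `contrib[i].p` (`left = ceil(center - width)` on the last context line, with the matching upper bound and the filling loop outside this hunk), so `ceil` removes the truncation but does not tie the buffer length to the number of entries actually appended; computing the count from the same `left`/`right` values the loop uses, or checking `contrib[i].n` against the allocated count before each append, would make the overflow impossible rather than merely less likely. The `calloc` result is not checked on the lines that follow, and the `(int)` cast of a double is only safe while the value is known to fit. Style-wise, the cast on `calloc` is unnecessary in C and the element size is better tied to the pointer: `contrib[i].p = calloc((size_t) ceil(width * 2 + 1), sizeof *contrib[i].p);` followed by `if (!contrib[i].p) { /* handle OOM */ }`. The same applies to the hunks at lines 467, 527 and 550, which repeat this pattern with `fwidth` and `yscale`; a small static helper that computes the count and allocates would keep the four sites consistent.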
@@ -467,7 +467,7 @@
 
         for(i = 0; i < new_width; ++i) {
             contrib[i].n = 0;
-            contrib[i].p = (CONTRIB *)calloc((int) (fwidth * 2 + 1),
+            contrib[i].p = (CONTRIB *)calloc((int) ceil(fwidth * 2 + 1),
                                              sizeof(CONTRIB));
             center = (double) i / xscale;
             left = ceil(center - fwidth);
@@ -527,7 +527,7 @@
         fscale = 1.0 / yscale;
         for(i = 0; i < dst->height; ++i) {
             contrib[i].n = 0;
-            contrib[i].p = (CONTRIB *)calloc((int) (width * 2 + 1),
+            contrib[i].p = (CONTRIB *)calloc((int) ceil(width * 2 + 1),
                                              sizeof(CONTRIB));
             center = (double) i / yscale;
             left = ceil(center - width);
@@ -550,7 +550,7 @@
     } else {
         for(i = 0; i < dst->height; ++i) {
             contrib[i].n = 0;
-            contrib[i].p = (CONTRIB *)calloc((int) (fwidth * 2 + 1),
+            contrib[i].p = (CONTRIB *)calloc((int) ceil(fwidth * 2 + 1),
                                              sizeof(CONTRIB));
             center = (double) i / yscale;
             left = ceil(center - fwidth);
