<div dir="ltr"><div>Sure. The extra width check can't harm.<br><br><br></div>Søren<br><br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 21, 2015 at 10:10 PM, Siarhei Siamashka <span dir="ltr"><<a href="mailto:siarhei.siamashka@gmail.com" target="_blank">siarhei.siamashka@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Mon, 21 Sep 2015 16:43:46 -0400<br>
Søren Sandmann <<a href="mailto:soren.sandmann@gmail.com">soren.sandmann@gmail.com</a>> wrote:<br>
<br>
> Regardless of who ends up listed as the patch author, this is<br>
><br>
> Reviewed-by: <a href="mailto:soren.sandmann@gmail.com">soren.sandmann@gmail.com</a><br>
><br>
> Søren<br>
<br>
</span>Thanks! Is your Reviewed-by still valid after adding an extra<br>
"width <= 0" check to the patch?<br>
<br>
Best regards,<br>
Siarhei Siamashka<br>
<div class="HOEnZb"><div class="h5"><br>
> On Sep 21, 2015 3:07 PM, "Siarhei Siamashka" <<a href="mailto:siarhei.siamashka@gmail.com">siarhei.siamashka@gmail.com</a>><br>
> wrote:<br>
><br>
> > On Mon, 21 Sep 2015 17:10:36 +0200<br>
> > <a href="mailto:ludo@gnu.org">ludo@gnu.org</a> (Ludovic Courtès) wrote:<br>
> ><br>
> > > Hello,<br>
> > ><br>
> > > The patch below intends to fix an arithmetic overflow occurring in a<br>
> > > pointer arithmetic context in ‘general_composite_rect’, as explained at:<br>
> > ><br>
> > > <a href="https://bugs.freedesktop.org/show_bug.cgi?id=92027#c6" rel="noreferrer" target="_blank">https://bugs.freedesktop.org/show_bug.cgi?id=92027#c6</a><br>
> ><br>
> > Sorry, I forgot to mention<br>
> > <a href="http://cgit.freedesktop.org/pixman/tree/README?id=pixman-0.33.2#n46" rel="noreferrer" target="_blank">http://cgit.freedesktop.org/pixman/tree/README?id=pixman-0.33.2#n46</a><br>
> ><br>
> > We would also need a commit message for the patch. So it normally<br>
> > should be created with "git format-patch" command and sent to the<br>
> > mailing list using "git send-email".<br>
> ><br>
> > > The bug can most likely lead to a crash.<br>
> ><br>
> > Yes, I can confirm that the bug is reproducible on my x86-64 system:<br>
> ><br>
> > export CFLAGS="-O2 -m32" && ./autogen.sh<br>
> > ./configure --disable-libpng --disable-gtk && make<br>
> > setarch i686 -R test/stress-test<br>
> ><br>
> > > In a preliminary review, Siarhei Siamashka notes that ‘width + 1’ is<br>
> > > insufficient to take 16-byte alignment constraints into account.<br>
> > > Indeed, AFAICS, it is sufficient when Bpp == 16 but probably not when<br>
> > > Bpp == 4.<br>
> > ><br>
> > > Siarhei also suggests that more rewriting in needed in that part of the<br>
> > > code, but I’ll leave that to you. ;-)<br>
> ><br>
> > Basically, I would probably do it in the following way:<br>
> ><br>
> ><br>
> > diff --git a/pixman/pixman-general.c b/pixman/pixman-general.c<br>
> > index 7cdea29..5ffa063 100644<br>
> > --- a/pixman/pixman-general.c<br>
> > +++ b/pixman/pixman-general.c<br>
> > @@ -155,23 +155,21 @@ general_composite_rect (pixman_implementation_t<br>
> > *imp, #define<br>
> > ALIGN(addr) \<br>
> > ((uint8_t *)((((uintptr_t)(addr)) + 15) & (~15)))<br>
> > - src_buffer = ALIGN (scanline_buffer);<br>
> > - mask_buffer = ALIGN (src_buffer + width * Bpp);<br>
> > - dest_buffer = ALIGN (mask_buffer + width * Bpp);<br>
> > + if (_pixman_multiply_overflows_int (width, Bpp * 3))<br>
> > + return;<br>
> ><br>
> > - if (ALIGN (dest_buffer + width * Bpp) ><br>
> > - scanline_buffer + sizeof (stack_scanline_buffer))<br>
> > + if (width * Bpp * 3 > sizeof (stack_scanline_buffer) - 32 * 3)<br>
> > {<br>
> > scanline_buffer = pixman_malloc_ab_plus_c (width, Bpp * 3, 32<br>
> > * 3);<br>
> > if (!scanline_buffer)<br>
> > return;<br>
> > -<br>
> > - src_buffer = ALIGN (scanline_buffer);<br>
> > - mask_buffer = ALIGN (src_buffer + width * Bpp);<br>
> > - dest_buffer = ALIGN (mask_buffer + width * Bpp);<br>
> > }<br>
> ><br>
> > + src_buffer = ALIGN (scanline_buffer);<br>
> > + mask_buffer = ALIGN (src_buffer + width * Bpp);<br>
> > + dest_buffer = ALIGN (mask_buffer + width * Bpp);<br>
> > +<br>
> > if (width_flag == ITER_WIDE)<br>
> > {<br>
> > /* To make sure there aren't any NANs in the buffers */<br>
> ><br>
> ><br>
> ><br>
> > This bug is your find and you should get credit for it :-)<br>
> > Please let me know if you:<br>
> > 1. are going to send an updated patch yourself.<br>
> > 2. want me to do this on your behalf (listing you as the patch author).<br>
> > 3. want me to submit a patch myself (listing you as the bug reporter).<br>
> ><br>
> ><br>
> > Also this is an important bugfix for a non-obvious problem, which can<br>
> > be really a PITA to debug. I would nominate it for a pixman-0.32.8<br>
> > bugfix release.<br>
</div></div></blockquote></div><br></div>