From kde-core-devel Fri Apr 07 17:35:35 2006 From: Stefan Teleman Date: Fri, 07 Apr 2006 17:35:35 +0000 To: kde-core-devel Subject: Re: Suspicous code in kdelibs-3.5.2 Message-Id: <200604071335.35954.steleman () nyc ! rr ! com> X-MARC-Message: https://marc.info/?l=kde-core-devel&m=114443140523581 MIME-Version: 1 Content-Type: multipart/mixed; boundary="--Boundary-00=_nLqNExW0NjcI/g0" --Boundary-00=_nLqNExW0NjcI/g0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline On Thursday 06 April 2006 13:24, Stefan Teleman wrote: > On Thursday 06 April 2006 10:18, Dirk Mueller wrote: > > What is actually missing is somebody fixing the array overrun, My patch from yesterday was wrong. Here's the correct patch and test case. Sorry for the confusion. --Stefan -- Stefan Teleman 'Nobody Expects the Spanish Inquisition' steleman@nyc.rr.com -Monty Python --Boundary-00=_nLqNExW0NjcI/g0 Content-Type: text/x-diff; charset="iso-8859-1"; name="kpixmap.cpp.diff" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="kpixmap.cpp.diff" --- kpixmap.cpp.kde.orig 2005-05-23 08:15:42.000000000 -0400 +++ kpixmap.cpp 2006-04-07 13:22:37.313673000 -0400 
@@ -38,35 +38,55 @@ uchar *b; int y; - if ( !dst->create(src->width(), src->height(), 8, 256) ) { + if ( !dst->create(src->width(), src->height(), 8, 256) ) + { qWarning("KPixmap: destination image not valid\n"); return false; } int ncols = 256; - static uint bm[16][16]; - static int init=0; - if (!init) { + static unsigned int* bm = 0L; + static const unsigned int maxindex = 16; + static bool init = false; + if (!init) + { + unsigned int n, i, j; + if (0L == bm) + { + bm = (unsigned int*) ::malloc(size_t(maxindex * sizeof(unsigned int*)) * size_t(maxindex * sizeof(unsigned int))); + for (i = 0; i < maxindex; i++) + { + for (j = 0; j < maxindex; j++) + { + *((bm + i * maxindex * sizeof(unsigned int*)) + j * sizeof(unsigned int)) = 0; + } + } + } // Build a Bayer Matrix for dithering - init = 1; - int n, i, j; - - bm[0][0]=0; - - for (n=1; n<16; n*=2) + for (n = 1; n < maxindex; n *= 2) + { for (i=0; isetNumColors( ncols ); 
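Review bot: The result of `::malloc` is written through in the zeroing loop without a NULL check, and the index expression `bm + i * maxindex * sizeof(unsigned int*) + j * sizeof(unsigned int)` scales by object sizes even though arithmetic on an `unsigned int*` already counts in elements. The accesses stay inside the buffer only because the allocation is over-sized by the same factors (4096 or 8192 bytes for 256 entries, assuming a 4-byte `unsigned int` and 4- or 8-byte pointers), so the layout depends on pointer width, and a later change to one expression but not the other can become a heap overrun. I would allocate `maxindex * maxindex * sizeof(unsigned int)` bytes, add `if (!bm) return false;` after the call, and address cells as `bm[i * maxindex + j]`; keeping a static `unsigned int bm[maxindex][maxindex]` would avoid the allocation entirely. The attached testkdearray.cc repeats the same allocation and indexing. The enclosing function begins outside the hunk and the Bayer-matrix loop body is cut off in this copy, so the loop bounds themselves could not be checked here.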
@@ -413,3 +433,5 @@ : QPixmap(p) { } + +// vim: ts=4 sw=4 et --Boundary-00=_nLqNExW0NjcI/g0 Content-Type: text/x-c++src; charset="iso-8859-1"; name="testkdearray.cc" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="testkdearray.cc" #include #include using namespace std; static void printMatrix(unsigned int* const x); static const unsigned int maxindex = 16; static unsigned int* bm = 0L; int main(int argc, char* argv[]) { unsigned int i, j, n; bm = (unsigned int*) ::malloc(size_t(maxindex * sizeof(unsigned int*)) * size_t(maxindex * sizeof(unsigned int))); for (i = 0; i < maxindex; i++) { for (j = 0; j < maxindex; j++) { *((bm + i * maxindex * sizeof(unsigned int*)) + j * sizeof(unsigned int)) = 0; } } for (n = 1; n < maxindex; n *= 2) { for (i = 0; i < n; i++) { for (j = 0; j < n; j++) { *((bm + i * maxindex * sizeof(unsigned int*)) + j * sizeof(unsigned int)) *= 4; *((bm + (i + n) * maxindex * sizeof(unsigned int*)) + j * sizeof(unsigned int)) = *((bm + i * maxindex * sizeof(unsigned int*)) + j * sizeof(unsigned int)) + 2; *((bm + i * maxindex * sizeof(unsigned int*)) + (j + n) * sizeof(unsigned int)) = *((bm + i * maxindex * sizeof(unsigned int*)) + j * sizeof(unsigned int)) + 3; *((bm + (i + n) * maxindex * sizeof(unsigned int*)) + ((j + n) * sizeof(unsigned int))) = *((bm + i * maxindex * sizeof(unsigned int*)) + (j * sizeof(unsigned int))) + 1; } } } for (i = 0; i < maxindex; i++) { for (j = 0; j < maxindex; j++) { *((bm + (i * maxindex * sizeof(unsigned int*))) + (j * sizeof(unsigned int))) <<= 8; } } printMatrix(bm); return 0; } void printMatrix(unsigned int* const x) { unsigned int i, j; std::cerr << "unsigned int x[" << maxindex << "][" << maxindex << "] = {" << endl; for (i = 0; i < maxindex; i++) { if (i > 0) std::cerr << "," << endl; std::cerr << " {"; for (j = 0; j < maxindex; j++) { if (j > 0) std::cerr << ", "; std::cerr << setw(6) << *(x + i * maxindex * sizeof(unsigned int*) + j * sizeof(unsigned int)); } std::cerr << " 
}"; } std::cerr << endl << "};" << endl; } // vim: ts=2 sw=2 et --Boundary-00=_nLqNExW0NjcI/g0--