'Re: Suspicous code in kdelibs-3.5.2'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-core-devel
Subject:    Re: Suspicous code in kdelibs-3.5.2
From:       Stefan Teleman <steleman () nyc ! rr ! com>
Date:       2006-04-07 17:35:35
Message-ID: 200604071335.35954.steleman () nyc ! rr ! com
[Download RAW message or body]

On Thursday 06 April 2006 13:24, Stefan Teleman wrote:
> On Thursday 06 April 2006 10:18, Dirk Mueller wrote:
> > What is actually missing is somebody fixing the array overrun,

My patch from yesterday was wrong.

Here's the correct patch and test case.

Sorry for the confusion.

--Stefan

-- 
Stefan Teleman          'Nobody Expects the Spanish Inquisition'
steleman@nyc.rr.com                          -Monty Python

["kpixmap.cpp.diff" (text/x-diff)]

--- kpixmap.cpp.kde.orig	2005-05-23 08:15:42.000000000 -0400
+++ kpixmap.cpp	2006-04-07 13:22:37.313673000 -0400
@@ -38,35 +38,55 @@
     uchar  *b;
     int	    y;
 	
-    if ( !dst->create(src->width(), src->height(), 8, 256) ) {
+    if ( !dst->create(src->width(), src->height(), 8, 256) )
+    {
 	qWarning("KPixmap: destination image not valid\n");
 	return false;
     }
 
     int ncols = 256;
 
-    static uint bm[16][16];
-    static int init=0;
-    if (!init) {
+    static unsigned int* bm = 0L;
+    static const unsigned int maxindex = 16;
+    static bool init = false;
+    if (!init)
+    {
+	    unsigned int n, i, j;
+	    if (0L == bm)
+	    {
+            bm = (unsigned int*) ::malloc(size_t(maxindex * sizeof(unsigned int*)) * \
size_t(maxindex * sizeof(unsigned int))); +	        for (i = 0; i < maxindex; i++)
+            {
+                for (j = 0; j < maxindex; j++)
+                {
+                    *((bm + i * maxindex * sizeof(unsigned int*)) + j * \
sizeof(unsigned int)) = 0; +                }
+            }
+        }
 
 	// Build a Bayer Matrix for dithering
-	init = 1;
-	int n, i, j;
-
-	bm[0][0]=0;
-
-	for (n=1; n<16; n*=2)
+	    for (n = 1; n < maxindex; n *= 2)
+	    {
 	    for (i=0; i<n; i++)
-		for (j=0; j<n; j++) {
-		    bm[i][j]*=4;
-		    bm[i+n][j]=bm[i][j]+2;
-		    bm[i][j+n]=bm[i][j]+3;
-		    bm[i+n][j+n]=bm[i][j]+1;
+	        {
+		        for (j = 0; j < n; j++)
+		        {
+                    *((bm + i * maxindex * sizeof(unsigned int*)) + j * \
sizeof(unsigned int)) *= 4; +                    *((bm + (i + n) * maxindex * \
sizeof(unsigned int*)) + j * sizeof(unsigned int)) = *((bm + i * maxindex * \
sizeof(unsigned int*)) + j * sizeof(unsigned int)) + 2; +                    *((bm + \
i * maxindex * sizeof(unsigned int*)) + (j + n) * sizeof(unsigned int)) = *((bm + i * \
maxindex * sizeof(unsigned int*)) + j * sizeof(unsigned int)) + 3; +                  \
*((bm + (i + n) * maxindex * sizeof(unsigned int*)) + ((j + n) * sizeof(unsigned \
int))) = *((bm + i * maxindex * sizeof(unsigned int*)) + (j * sizeof(unsigned int))) \
+ 1; +		        }
+	        }
 		}
 
-	for (i=0; i<16; i++)
-	    for (j=0; j<16; j++)
-		bm[i][j]<<=8;
+	    for (i = 0; i < maxindex; i++)
+	    {
+	        for (j = 0; j < maxindex; j++)
+	        {
+                *((bm + (i * maxindex * sizeof(unsigned int*))) + (j * \
sizeof(unsigned int))) <<= 8; +	        }
+	    }
+        init = true;
     }
 
     dst->setNumColors( ncols );
@@ -413,3 +433,5 @@
     : QPixmap(p)
 {
 }
+
+// vim: ts=4 sw=4 et


["testkdearray.cc" (text/x-c++src)]

#include <iostream>
#include <iomanip>
using namespace std;

static void printMatrix(unsigned int* const x);
static const unsigned int maxindex = 16;
static unsigned int* bm = 0L;

int
main(int argc, char* argv[])
{
  unsigned int i, j, n;
  bm = (unsigned int*) ::malloc(size_t(maxindex * sizeof(unsigned int*)) * \
size_t(maxindex * sizeof(unsigned int)));

  for (i = 0; i < maxindex; i++)
  {
    for (j = 0; j < maxindex; j++)
    {
      *((bm + i * maxindex * sizeof(unsigned int*)) + j * sizeof(unsigned int)) = 0;
    }
  }

  for (n = 1; n < maxindex; n *= 2)
  {
    for (i = 0; i < n; i++)
    {
      for (j = 0; j < n; j++)
      {
        *((bm + i * maxindex * sizeof(unsigned int*)) + j * sizeof(unsigned int)) *= \
                4;
        *((bm + (i + n) * maxindex * sizeof(unsigned int*)) + j * sizeof(unsigned \
int)) = *((bm + i * maxindex * sizeof(unsigned int*)) + j * sizeof(unsigned int)) + \
                2;
        *((bm + i * maxindex * sizeof(unsigned int*)) + (j + n) * sizeof(unsigned \
int)) = *((bm + i * maxindex * sizeof(unsigned int*)) + j * sizeof(unsigned int)) + \
                3;
        *((bm + (i + n) * maxindex * sizeof(unsigned int*)) + ((j + n) * \
sizeof(unsigned int))) = *((bm + i * maxindex * sizeof(unsigned int*)) + (j * \
sizeof(unsigned int))) + 1;  }
    }
  }

  for (i = 0; i < maxindex; i++)
  {
    for (j = 0; j < maxindex; j++)
    {
      *((bm + (i * maxindex * sizeof(unsigned int*))) + (j * sizeof(unsigned int))) \
<<= 8;  }
  }

  printMatrix(bm);
  return 0;
}

void
printMatrix(unsigned int* const x)
{
  unsigned int i, j;
  std::cerr << "unsigned int x[" << maxindex << "][" << maxindex << "] = {" << endl;

  for (i = 0; i < maxindex; i++)
  {
    if (i > 0)
      std::cerr << "," << endl;

    std::cerr << " {";

    for (j = 0; j < maxindex; j++)
    {
      if (j > 0)
        std::cerr << ", ";

      std::cerr << setw(6) << *(x + i * maxindex * sizeof(unsigned int*) + j * \
sizeof(unsigned int));  }
    std::cerr << " }";
  }
  std::cerr << endl << "};" << endl;
}

// vim: ts=2 sw=2 et



[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic