control tags -1 patch upstream security
thanks
I tested against current jessie/sid versions, they are still affected.
Attached patch plugs SIGFPE, but probably produces incorrect images.
I'd like to note that this bug has minor security implications (DoS for
applications that issue draw commands based on untrusted input).
Description: fix divide-by-zero on drawing 2x1 ellipse
Author: Yuriy M. Kaminskiy <yumkam+deb...@gmail.com>
Note: resulting images are probably incorrect; but SIGFPE is certainly worse.
Index: imlib2-1.4.6/src/lib/ellipse.c
===================================================================
--- imlib2-1.4.6.orig/src/lib/ellipse.c
+++ imlib2-1.4.6/src/lib/ellipse.c
@@ -54,6 +54,7 @@ __imlib_Ellipse_DrawToData(int xc, int y
{
prev_y = y;
dx -= a2;
+ if (dx == 0) break; /* FIXME likely incorrect */
ty++;
by--;
tp += dstw;
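Review bot: In this hunk of __imlib_Ellipse_DrawToData the new `if (dx == 0) break;` sits after `dx -= a2;` but before `ty++; by--; tp += dstw;`, so the loop exits with dx already updated while the row counters and the row pointer are not advanced for that step. Whatever follows the loop then starts from a half-applied iteration. Consider guarding the expression that actually divides by dx, or letting the step complete before leaving the loop, and replace the FIXME with a comment that names the division being protected.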
@@ -95,6 +96,9 @@ __imlib_Ellipse_DrawToData(int xc, int y
tp += dstw;
bp -= dstw;
+ if (dy == 0) /* FIXME likely incorrect */
+ return;
+
while (ty < yc)
{
int len;
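Review bot: The `if (dy == 0) return;` placed before `while (ty < yc)` leaves the function outright, which skips the whole second loop and anything the function does after it. It is also evaluated only once, so if dy changes inside the loop, a zero reached there is not covered by this guard. Checking at the point where dy is used as a divisor would be narrower than returning, and the comment should say which division it prevents.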
@@ -185,6 +189,7 @@ __imlib_Ellipse_DrawToData_AA(int xc, in
{
prev_y = y;
dx -= a2;
+ if (dx == 0) break; /* FIXME likely incorrect */
ty++;
by--;
tp += dstw;
@@ -247,6 +252,9 @@ __imlib_Ellipse_DrawToData_AA(int xc, in
tp += dstw;
bp -= dstw;
+ if (dy == 0) /* FIXME likely incorrect */
+ return;
+
while (ty < yc)
{
int len;
@@ -360,6 +368,7 @@ __imlib_Ellipse_FillToData(int xc, int y
{
prev_y = y;
dx -= a2;
+ if (dx == 0) break; /* FIXME likely incorrect */
ty++;
by--;
tp += dstw;
@@ -417,6 +426,9 @@ __imlib_Ellipse_FillToData(int xc, int y
tp += dstw;
bp -= dstw;
+ if (dy == 0) /* FIXME likely incorrect */
+ return;
+
while (ty < yc)
{
int len;
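Review bot: In __imlib_Ellipse_FillToData the `return` before `while (ty < yc)` means whatever part of the fill that loop would produce is silently dropped for the degenerate case. The patch header already says the resulting images are probably incorrect; for the fill path it would be better to decide what the intended output for this size is and emit it explicitly, rather than returning with a partially drawn shape.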
@@ -517,6 +529,7 @@ __imlib_Ellipse_FillToData_AA(int xc, in
{
prev_y = y;
dx -= a2;
+ if (dx == 0) break; /* FIXME likely incorrect */
ty++;
by--;
tp += dstw;
@@ -579,6 +592,9 @@ __imlib_Ellipse_FillToData_AA(int xc, in
tp += dstw;
bp -= dstw;
+ if (dy == 0) /* FIXME likely incorrect */
+ return;
+
while (ty < yc)
{
int len;
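Review bot: The same two guards are now repeated in four functions (DrawToData, DrawToData_AA, FillToData, FillToData_AA), each with its own "FIXME likely incorrect". A single check for the degenerate size at the entry of each function, or in one shared helper, would be easier to audit and easier to remove once the correct rendering is worked out. A regression test that draws the 2x1 ellipse from the description through all four paths should accompany the change, so the SIGFPE cannot return unnoticed.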