Package: xli
Version: 1.17.0+20061110-4+b2
Severity: important

Hi
I have stumbled upon another bug in xli. Actually quite similar to 274310 that I reported in 2004, and that was fixed later that year.

I originally reproduced this with an image I cannot share, but I found out that I can reproduce the same crash using the following command:

echo -e "P6\n1 1\n255\n\0377\0377\0377" | pnmscale -width=147594 -height=2 > test.pnm
valgrind ./xli -dumpcore ./test.pnm

When the window pops up, focus it and press < to zoom out.

The valgrind log looks like this:

./test.pnm is a 147594x2 Raw PPM image with 256 levels
Default gamma for ITRUE image is 1.00
==10372== Conditional jump or move depends on uninitialised value(s)
==10372==    at 0x8054885: processImage (misc.c:262)
==10372==    by 0x804B596: main (xli.c:350)
==10372==
Building XImage...done
Have adjusted image from 1.00 to display gamma of 2.20
Image decoder scaling is now 1
./test.pnm is a 147594x2 Raw PPM image with 256 levels
Default gamma for ITRUE image is 1.00
Zooming image by 50%...73797 1
==10372==
==10372== Process terminating with default action of signal 8 (SIGFPE)
==10372==  Integer divide by zero at address 0x62B6DDFA
==10372==    at 0x806A9E3: buildIndex (zoom.c:25)
==10372==    by 0x806AC36: zoom (zoom.c:87)
==10372==    by 0x8054903: processImage (misc.c:159)
==10372==    by 0x804B596: main (xli.c:350)

The first complaint about uninitialized data actually shows up before trying to zoom out, so that looks like a second issue.

Looking into the source code and my dear old friend buildIndex() I can quickly determine what the cause is, *rwidth == 1, which causes a division by zero in the loop.

*rwidth = width * zoom / 100;
index= (unsigned int *)lmalloc(sizeof(unsigned int) * *rwidth);
for (a = 0; a < *rwidth; a++)
  *(index + a) = a * (width - 1) / (*rwidth - 1);

I'm not sure how you guys want to fix this though. :)

/ Sebastian
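
Added example, not part of the original report and not xli's code or its eventual fix: one way to guard the index computation quoted above so that a scaled dimension of 1 (here, height 2 at 50%) no longer divides by zero. The function name build_index_safe, the NULL error convention and the use of malloc in place of lmalloc are assumptions made for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical hardened variant of the loop quoted in the report.
 * Returns a malloc'd table mapping each output position to a source
 * position, or NULL on invalid input or allocation failure.
 * Assumption: zoom is a non-zero percentage. */
unsigned int *build_index_safe(unsigned int width, unsigned int zoom,
                               unsigned int *rwidth)
{
    uint64_t scaled;
    unsigned int *index, a;

    if (width == 0 || zoom == 0 || rwidth == NULL)
        return NULL;

    /* 64-bit intermediate so width * zoom cannot wrap around. */
    scaled = (uint64_t)width * zoom / 100;
    if (scaled == 0)
        scaled = 1;                      /* never shrink below one pixel */
    if (scaled > UINT_MAX || scaled > SIZE_MAX / sizeof *index)
        return NULL;                     /* allocation size would overflow */

    *rwidth = (unsigned int)scaled;
    index = malloc(sizeof *index * *rwidth);
    if (index == NULL)
        return NULL;

    if (*rwidth == 1) {
        index[0] = 0;                    /* the case that raised SIGFPE */
        return index;
    }
    for (a = 0; a < *rwidth; a++)
        index[a] = (unsigned int)((uint64_t)a * (width - 1) / (*rwidth - 1));
    return index;
}

int main(void)
{
    unsigned int rh;
    unsigned int *idx = build_index_safe(2, 50, &rh); /* height from the report */

    if (idx == NULL)
        return 1;
    printf("rows=%u first=%u\n", rh, idx[0]);
    free(idx);
    return 0;
}
```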