Package: inkscape
Version: 0.91-5~bpo8+1
Severity: normal
Tags: upstream patch
Dear Mattia,

I open a new bug, since #838486 is rather different. The same idiom, however, appears in the latest version of drawing-image.cpp. With the patch attached, and some other patches in pixman (#838650) and cairo (#838648) I was able to edit a large file, save a pdf copy of it, and view it with evince :-)

I don't know how epidemic the idiom is.

Best
Ale

-- System Information:
Debian Release: 8.6
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages inkscape depends on:
ii  gconf-service          3.2.6-3
ii  libaspell15            0.60.7~20110707-1.3
ii  libatk1.0-0            2.14.0-1
ii  libatkmm-1.6-1         2.22.7-2.1
ii  libc6                  2.19-18+deb8u6
ii  libcairo2              1.14.0-2.1+deb8u1
ii  libcairomm-1.0-1       1.10.0-1.1
ii  libcdr-0.1-1           0.1.0-3
ii  libexif12              0.6.21-2
ii  libfontconfig1         2.11.0-6.3+deb8u1
ii  libfreetype6           2.5.2-3+deb8u1
ii  libgc1c2               1:7.2d-6.4
ii  libgcc1                1:4.9.2-10
ii  libgconf-2-4           3.2.6-3
ii  libgdk-pixbuf2.0-0     2.31.1-2+deb8u5
ii  libglib2.0-0           2.42.1-1+b1
ii  libglibmm-2.4-1c2a     2.42.0-1
ii  libgnomevfs2-0         1:2.24.4-6+b1
ii  libgomp1               4.9.2-10
ii  libgsl0ldbl            1.16+dfsg-2
ii  libgtk2.0-0            2.24.25-3+deb8u1
ii  libgtkmm-2.4-1c2a      1:2.24.4-1.1
ii  libgtkspell0           2.0.16-1.1
ii  libjpeg8               8d-1+deb7u1
ii  liblcms2-2             2.6-3+b3
ii  libmagick++-6.q16-5    8:6.8.9.9-5+deb8u4
ii  libmagickcore-6.q16-2  8:6.8.9.9-5+deb8u4
ii  libmagickwand-6.q16-2  8:6.8.9.9-5+deb8u4
ii  libpango-1.0-0         1.36.8-3
ii  libpangocairo-1.0-0    1.36.8-3
ii  libpangoft2-1.0-0      1.36.8-3
ii  libpangomm-1.4-1       2.34.0-1.1
ii  libpng12-0             1.2.50-2+deb8u2
ii  libpoppler-glib8       0.26.5-2+deb8u1
ii  libpoppler46           0.26.5-2+deb8u1
ii  libpopt0               1.16-10
ii  librevenge-0.0-0       0.0.1-3
ii  libsigc++-2.0-0c2a     2.4.0-1
ii  libstdc++6             4.9.2-10
ii  libvisio-0.1-1         0.1.0-2
ii  libwpg-0.3-3           0.3.0-3
ii  libx11-6               2:1.6.2-3
ii  libxml2                2.9.1+dfsg1-5+deb8u3
ii  libxslt1.1             1.1.28-2+deb8u1
pn  python:any             <none>
ii  zlib1g                 1:1.2.8.dfsg-2+b1

Versions of packages inkscape recommends:
ii  aspell                0.60.7~20110707-1.3
ii  imagemagick           8:6.8.9.9-5+deb8u4
ii  libgnomevfs2-extra    1:2.24.4-6+b1
ii  libimage-magick-perl  8:6.8.9.9-5+deb8u4
ii  libwmf-bin            0.2.8.4-10.3+deb8u1
ii  pstoedit              3.62-2+b1
ii  python-lxml           3.4.0-1
ii  python-numpy          1:1.8.2-2
ii  transfig              1:3.2.5.e-4

Versions of packages inkscape suggests:
ii  dia                  0.97.3-1
ii  dia-gnome            0.97.3-1
ii  libsvg-perl          2.59-1
ii  libxml-xql-perl      0.68-6
ii  python-uniconvertor  1.1.4-1+b2
ii  ruby                 1:2.1.5+deb8u2
ii  ruby1.8 [ruby]       1.8.7.358-7.1+deb7u3

-- no debconf information
Description: rowstride should be size_t it is wrong to compute offsets like so: int rowstride = something; char *buffer = base_ptr + y*rowstride + x*4; That idiom fails in 64bit architectures where integers are 32 bit. Consider for example an A0 poster at 600 dpi brings a 19860x28080 image. While width and heights are 16 bit numbers, their product multiplied by a bpp of 4 results in a negative integer. Stride should be size_t, or, if it can be negative, long integer. --- inkscape-0.91.orig/src/display/drawing-image.cpp +++ inkscape-0.91/src/display/drawing-image.cpp @@ -209,9 +209,9 @@ DrawingImage::_pickItem(Geom::Point cons } else { unsigned char *const pixels = _pixbuf->pixels(); - int width = _pixbuf->width(); - int height = _pixbuf->height(); - int rowstride = _pixbuf->rowstride(); + unsigned width = _pixbuf->width(); + unsigned height = _pixbuf->height(); + unsigned rowstride = _pixbuf->rowstride(); Geom::Point tp = p * _ctm.inverse(); Geom::Rect r = bounds(); @@ -221,13 +221,13 @@ DrawingImage::_pickItem(Geom::Point cons double vw = width * _scale[Geom::X]; double vh = height * _scale[Geom::Y]; - int ix = floor((tp[Geom::X] - _origin[Geom::X]) / vw * width); - int iy = floor((tp[Geom::Y] - _origin[Geom::Y]) / vh * height); + unsigned ix = floor((tp[Geom::X] - _origin[Geom::X]) / vw * width); + unsigned iy = floor((tp[Geom::Y] - _origin[Geom::Y]) / vh * height); - if ((ix < 0) || (iy < 0) || (ix >= width) || (iy >= height)) + if ((ix >= width) || (iy >= height)) return NULL; - unsigned char *pix_ptr = pixels + iy * rowstride + ix * 4; + unsigned char *pix_ptr = pixels + (unsigned long)iy * rowstride + ix * 4UL; // pick if the image is less than 99% transparent guint32 alpha = 0; if (_pixbuf->pixelFormat() == Inkscape::Pixbuf::PF_CAIRO) {
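Review bot: in the first hunk (the `@@ -209,9 +209,9 @@` region) `width`, `height` and `rowstride` become `unsigned`, but the patch description asks for `size_t` (or `long` if a stride can be negative); on amd64 `unsigned` is still 32 bits, so these declarations do not widen the arithmetic by themselves, and the later offset only stays correct because of the explicit `(unsigned long)` cast applied at the use site. Suggest declaring at least `rowstride` as `size_t` (and `width`/`height` likewise, or keeping them signed and checking them) so every product involving the stride is 64-bit without a cast having to be remembered at each use, which is what the description says the fix should be.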
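Review bot: in the second hunk (the `@@ -221,13 +221,13 @@` region), dropping the `(ix < 0) || (iy < 0)` test and relying on `unsigned ix = floor(...)` assumes a negative `double` converts to a large unsigned value, but in C++ converting a floating-point value that is outside the range of the destination integer type is undefined behaviour, so `(ix >= width) || (iy >= height)` is not guaranteed to reject points above or to the left of the image. Suggest keeping the `floor()` result in a `double` (or a signed `long`), doing the `< 0` and `>= width` / `>= height` checks on that value, and only then converting to `size_t` for `pixels + iy * rowstride + ix * 4`, which also makes the `(unsigned long)` cast and the `4UL` literal unnecessary.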
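The overflow the description attributes to the `int rowstride` idiom, worked through in C as an added example (this is not code from the bug report or from Inkscape; the function names, the `POSTER_W`/`POSTER_H` constants and the sample coordinates are constructed from the A0-at-600dpi figures in the description). It shows that the last-pixel offset of such an image does not fit in a 32-bit `int`, computes the offset in `size_t` instead, and checks pick coordinates on the `double` before converting so that a negative coordinate is rejected without relying on an out-of-range conversion:

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed figures from the bug description: an A0 poster rasterised at
 * 600 dpi, 4 bytes per pixel. (Example code, not Inkscape's.) */
#define POSTER_W 19860u
#define POSTER_H 28080u
#define BPP      4u

/* Byte offset of pixel (x, y), computed in size_t throughout so the product
 * never passes through a 32-bit int. */
size_t pixel_offset(size_t x, size_t y, size_t rowstride, size_t bpp)
{
    return y * rowstride + x * bpp;
}

/* Returns 1 if the offset of the last pixel exceeds INT_MAX, i.e. the
 * `int rowstride; base + y*rowstride + x*4` idiom would overflow (and, being
 * signed overflow, is undefined behaviour rather than merely a negative
 * number). The check itself is done in 64-bit arithmetic. */
int int_offset_overflows(unsigned width, unsigned height, unsigned bpp)
{
    uint64_t rowstride = (uint64_t)width * bpp;
    uint64_t last = (uint64_t)(height - 1) * rowstride
                  + (uint64_t)(width - 1) * bpp;
    return last > (uint64_t)INT_MAX;
}

/* Map image-space coordinates to a pixel offset, as a pick routine would.
 * Bounds are checked on the doubles before converting, because converting a
 * negative or too-large double to an unsigned type is undefined behaviour,
 * so a `(unsigned)x >= width` test cannot be relied on to catch x < 0.
 * Returns 1 and stores the offset, or 0 if the point is outside the image. */
int pick_pixel_offset(double fx, double fy, unsigned width, unsigned height,
                      size_t rowstride, size_t *out)
{
    if (!(fx >= 0.0 && fy >= 0.0 && fx < (double)width && fy < (double)height))
        return 0;                       /* also rejects NaN */
    /* Non-negative and in range: truncation equals floor() here. */
    *out = pixel_offset((size_t)fx, (size_t)fy, rowstride, BPP);
    return 1;
}

/* Same check with a sentinel instead of an out-parameter: SIZE_MAX when the
 * point lies outside the image. */
size_t pick_or_sentinel(double fx, double fy, unsigned width, unsigned height,
                        size_t rowstride)
{
    size_t off;
    return pick_pixel_offset(fx, fy, width, height, rowstride, &off) ? off
                                                                     : SIZE_MAX;
}

int main(void)
{
    size_t rowstride = (size_t)POSTER_W * BPP;
    size_t last = pixel_offset(POSTER_W - 1, POSTER_H - 1, rowstride, BPP);

    printf("last pixel offset: %zu bytes (INT_MAX is %d)\n", last, INT_MAX);
    printf("int idiom overflows: %s\n",
           int_offset_overflows(POSTER_W, POSTER_H, BPP) ? "yes" : "no");
    printf("pick (-1, 5): %s\n",
           pick_or_sentinel(-1.0, 5.0, POSTER_W, POSTER_H, rowstride) == SIZE_MAX
               ? "rejected" : "inside");
    printf("pick (3.5, 2) in a 10x10 image: offset %zu\n",
           pick_or_sentinel(3.5, 2.0, 10u, 10u, 40));
    return 0;
}
```

Running it prints a last-pixel offset of 2230675196 bytes, well above INT_MAX (2147483647), which is the value the `int` arithmetic in the original code would have to hold.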