mtasaka pushed to xscreensaver (f21). "providence:update_particles: aviod one byte ahead access"

notifications at fedoraproject.org notifications at fedoraproject.org
Sun Apr 19 13:31:12 UTC 2015


>From 06a907378dbb3c2aa201088013a7e00c3c4cdc52 Mon Sep 17 00:00:00 2001
From: Mamoru TASAKA <mtasaka at fedoraproject.org>
Date: Sun, 19 Apr 2015 22:29:21 +0900
Subject: providence:update_particles: aviod one byte ahead access


diff --git a/xscreensaver-5.32-0010-providence-update_particles-aviod-one-byte-ahead-acc.patch b/xscreensaver-5.32-0010-providence-update_particles-aviod-one-byte-ahead-acc.patch
new file mode 100644
index 0000000..0a67c69
--- /dev/null
+++ b/xscreensaver-5.32-0010-providence-update_particles-aviod-one-byte-ahead-acc.patch
@@ -0,0 +1,80 @@
+From a55333c625e769fb845277a346a14f3949fb57ab Mon Sep 17 00:00:00 2001
+From: Mamoru TASAKA <mtasaka at fedoraproject.org>
+Date: Sun, 19 Apr 2015 22:11:06 +0900
+Subject: [PATCH] providence:update_particles: aviod one byte ahead access
+
+gcc (5.0.1) -fsanitize=address -fsanitize=undefined detected
+the following error:
+
+../../../hacks/glx/providence.c:458:43: runtime error: index 300 out of bounds for type 'double [300][2]'
+../../../hacks/glx/providence.c:457:50: runtime error: index 300 out of bounds for type 'double [300][2]'
+../../../hacks/glx/providence.c:472:43: runtime error: index 300 out of bounds for type 'double [300][2]'
+../../../hacks/glx/providence.c:471:50: runtime error: index 300 out of bounds for type 'double [300][2]'
+../../../hacks/glx/providence.c:491:43: runtime error: index 300 out of bounds for type 'double [300][2]'
+../../../hacks/glx/providence.c:490:50: runtime error: index 300 out of bounds for type 'double [300][2]'
+../../../hacks/glx/providence.c:504:43: runtime error: index 300 out of bounds for type 'double [300][2]'
+../../../hacks/glx/providence.c:503:50: runtime error: index 300 out of bounds for type 'double [300][2]'
+../../../hacks/glx/providence.c:558:44: runtime error: index 300 out of bounds for type 'double [300][2]'
+../../../hacks/glx/providence.c:557:51: runtime error: index 300 out of bounds for type 'double [300][2]'
+
+The line 458 says:
+   456    for(i = 0; i < EYE_PARTICLE_COUNT/2; ++i) {
+   457      glVertex3f(mp->lookup[mp->eyeparticles[i][0]][mp->eyeparticles[i][1]][0],
+   458                 mp->lookup[mp->eyeparticles[i][0]][mp->eyeparticles[i][1]][1],
+   459                 0.0);
+   460    }
+
+Note that lookup[] definition is at the line 105:
+    77  #define LOOKUPSIZE (3600/5)  /* 3600 was way too much RAM on iOS */
+    78  #define EYELENGTH 300
+
+    81  #define PARTICLE_COUNT 2000
+
+    85  typedef struct {
+   103    double particles[PARTICLE_COUNT][5];
+
+   104    int eyeparticles[EYE_PARTICLE_COUNT][2];
+   105    double lookup[LOOKUPSIZE][EYELENGTH][2];
+   106    double lookup2[LOOKUPSIZE][EYELENGTH][2];
+   107
+   108  } providencestruct;
+
+and the above runtime error implies that mp->eyeparticles[i][1] has the value 300,
+which causes one byte ahead access error.
+
+So investigating where mp->eyeparticles is set, the cause is below:
+   271    /* now update eye particles */
+   272    for(i = 0; i < EYE_PARTICLE_COUNT; ++i) {
+
+   274      int x = mp->eyeparticles[i][1] + random()%(cos(mp->theta) < 0.0 ? 8 : 16);
+   277      if(x > EYELENGTH || random()%(cos(mp->theta) < 0.0 ? 40 : 10) == 0) {
+
+   282      }
+   283      else {
+   284        mp->eyeparticles[i][1] = x;
+   285      }
+   286    }
+   287  }
+
+On the above line 284, x can be 300 (because the line 277 says
+"x > EYELENGTH"), which causes this error.
+---
+ hacks/glx/providence.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hacks/glx/providence.c b/hacks/glx/providence.c
+index 3bd49b0..fcf8d31 100644
+--- a/hacks/glx/providence.c
++++ b/hacks/glx/providence.c
+@@ -274,7 +274,7 @@ static void update_particles(providencestruct *mp)
+     int x = mp->eyeparticles[i][1] + random()%(cos(mp->theta) < 0.0 ? 8 : 16);
+ 
+     /* reset if dead */
+-    if(x > EYELENGTH || random()%(cos(mp->theta) < 0.0 ? 40 : 10) == 0) {
++    if(x >= EYELENGTH || random()%(cos(mp->theta) < 0.0 ? 40 : 10) == 0) {
+ 
+ /*     if(x > EYELENGTH || (x > EYELENGTH/(2/3.0) && random()%7 == 0)) { */
+       mp->eyeparticles[i][0] = random()%LOOKUPSIZE;
+-- 
+2.3.5
+
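Review bot: The `>=` in the reset condition makes the later store `mp->eyeparticles[i][1] = x;` stay below EYELENGTH, but the commented-out alternative condition two lines further down (`/*     if(x > EYELENGTH || (x > EYELENGTH/(2/3.0) && random()%7 == 0)) { */`) still carries the original `>` and would reintroduce the overrun if it were ever re-enabled; drop that dead line or change it to `>=` in the same patch. A one-line comment above the `if` would make the invariant explicit, e.g. `/* eyeparticles[i][1] indexes lookup[][EYELENGTH][], so it must stay < EYELENGTH */`. The sanitizer output quoted in the description reports index 300 into `double [300][2]`, which is one whole element (two doubles) past the end rather than "one byte ahead", and the subject line, the spec comment and the changelog all repeat that wording together with the `aviod` typo. The rest of update_particles, including what the reset branch assigns to `eyeparticles[i][1]`, lies outside the hunk, so I cannot confirm from here that the reset value is also kept below EYELENGTH.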
diff --git a/xscreensaver.spec b/xscreensaver.spec
index fd8f796..21198c5 100644
--- a/xscreensaver.spec
+++ b/xscreensaver.spec
@@ -10,7 +10,7 @@
 %define split_getimage   1
 %endif
 
-%define fedora_rel    11.1
+%define fedora_rel    12
 
 %global use_clang_as_cc 0
 %global use_clang_analyze 0
@@ -99,6 +99,8 @@ Patch207:        xscreensaver-5.32-0007-utils-utf8wc.c-fix-Unicode-Combining-Dia
 Patch208:        xscreensaver-5.32-0008-pick_font_1-rescue-when-XftFontOpenXlfd-fails-correc.patch
 # pong: adjust paddle position again on new game (bug 1199713)
 Patch209:        xscreensaver-5.32-0009-pong-adjust-paddle-position-again-on-new-game.patch
+# providence:update_particles: aviod one byte ahead access
+Patch210:        xscreensaver-5.32-0010-providence-update_particles-aviod-one-byte-ahead-acc.patch
 #
 # Patches end
 Requires:        xscreensaver-base = %{epoch}:%{version}-%{release}
@@ -368,6 +370,7 @@ gzip -dc %{SOURCE50} > po/ja.po
 %__cat %PATCH207 | %__git am
 %__cat %PATCH208 | %__git am
 %__cat %PATCH209 | %__git am
+%__cat %PATCH210 | %__git am
 
 change_option(){
    set +x
@@ -1023,6 +1026,9 @@ exit 0
 %endif
 
 %changelog
+* Sun Apr 19 2015 Mamoru TASAKA <mtasaka at fedoraproject.org> - 1:5.32-12
+- providence:update_particles: aviod one byte ahead access
+
 * Mon Mar 23 2015 Mamoru TASAKA <mtasaka at fedoraproject.org>
 - Make it sure that perl interpreter is recognized
   as /usr/bin/perl
-- 


	http://pkgs.fedoraproject.org/cgit/xscreensaver.git/commit/?h=f21&id=06a907378dbb3c2aa201088013a7e00c3c4cdc52

