mtasaka pushed to xscreensaver (xscreensaver-5.32-12.fc23). "providence:update_particles: aviod one byte ahead access"
Mon Apr 20 03:31:22 UTC 2015
>From 06a907378dbb3c2aa201088013a7e00c3c4cdc52 Mon Sep 17 00:00:00 2001
From: Mamoru TASAKA <mtasaka at fedoraproject.org>
Date: Sun, 19 Apr 2015 22:29:21 +0900
Subject: providence:update_particles: aviod one byte ahead access
diff --git a/xscreensaver-5.32-0010-providence-update_particles-aviod-one-byte-ahead-acc.patch b/xscreensaver-5.32-0010-providence-update_particles-aviod-one-byte-ahead-acc.patch
new file mode 100644
index 0000000..0a67c69
--- /dev/null
+++ b/xscreensaver-5.32-0010-providence-update_particles-aviod-one-byte-ahead-acc.patch
@@ -0,0 +1,80 @@
+From a55333c625e769fb845277a346a14f3949fb57ab Mon Sep 17 00:00:00 2001
+From: Mamoru TASAKA <mtasaka at fedoraproject.org>
+Date: Sun, 19 Apr 2015 22:11:06 +0900
+Subject: [PATCH] providence:update_particles: aviod one byte ahead access
+
+gcc (5.0.1) -fsanitize=address -fsanitize=undefined detected
+the following error:
+
+../../../hacks/glx/providence.c:458:43: runtime error: index 300 out of bounds for type 'double [300][2]'
+../../../hacks/glx/providence.c:457:50: runtime error: index 300 out of bounds for type 'double [300][2]'
+../../../hacks/glx/providence.c:472:43: runtime error: index 300 out of bounds for type 'double [300][2]'
+../../../hacks/glx/providence.c:471:50: runtime error: index 300 out of bounds for type 'double [300][2]'
+../../../hacks/glx/providence.c:491:43: runtime error: index 300 out of bounds for type 'double [300][2]'
+../../../hacks/glx/providence.c:490:50: runtime error: index 300 out of bounds for type 'double [300][2]'
+../../../hacks/glx/providence.c:504:43: runtime error: index 300 out of bounds for type 'double [300][2]'
+../../../hacks/glx/providence.c:503:50: runtime error: index 300 out of bounds for type 'double [300][2]'
+../../../hacks/glx/providence.c:558:44: runtime error: index 300 out of bounds for type 'double [300][2]'
+../../../hacks/glx/providence.c:557:51: runtime error: index 300 out of bounds for type 'double [300][2]'
+
+The line 458 says:
+ 456 for(i = 0; i < EYE_PARTICLE_COUNT/2; ++i) {
+ 457 glVertex3f(mp->lookup[mp->eyeparticles[i][0]][mp->eyeparticles[i][1]][0],
+ 458 mp->lookup[mp->eyeparticles[i][0]][mp->eyeparticles[i][1]][1],
+ 459 0.0);
+ 460 }
+
+Note that lookup[] definition is at the line 105:
+ 77 #define LOOKUPSIZE (3600/5) /* 3600 was way too much RAM on iOS */
+ 78 #define EYELENGTH 300
+
+ 81 #define PARTICLE_COUNT 2000
+
+ 85 typedef struct {
+ 103 double particles[PARTICLE_COUNT][5];
+
+ 104 int eyeparticles[EYE_PARTICLE_COUNT][2];
+ 105 double lookup[LOOKUPSIZE][EYELENGTH][2];
+ 106 double lookup2[LOOKUPSIZE][EYELENGTH][2];
+ 107
+ 108 } providencestruct;
+
+and the above runtime error implies that mp->eyeparticles[i][1] has the value 300,
+which causes one byte ahead access error.
+
+So investigating where mp->eyeparticles is set, the cause is below:
+ 271 /* now update eye particles */
+ 272 for(i = 0; i < EYE_PARTICLE_COUNT; ++i) {
+
+ 274 int x = mp->eyeparticles[i][1] + random()%(cos(mp->theta) < 0.0 ? 8 : 16);
+ 277 if(x > EYELENGTH || random()%(cos(mp->theta) < 0.0 ? 40 : 10) == 0) {
+
+ 282 }
+ 283 else {
+ 284 mp->eyeparticles[i][1] = x;
+ 285 }
+ 286 }
+ 287 }
+
+On the above line 284, x can be 300 (because the line 277 says
+"x > EYELENGTH"), which causes this error.
+---
+ hacks/glx/providence.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hacks/glx/providence.c b/hacks/glx/providence.c
+index 3bd49b0..fcf8d31 100644
+--- a/hacks/glx/providence.c
++++ b/hacks/glx/providence.c
+@@ -274,7 +274,7 @@ static void update_particles(providencestruct *mp)
+ int x = mp->eyeparticles[i][1] + random()%(cos(mp->theta) < 0.0 ? 8 : 16);
+
+ /* reset if dead */
+- if(x > EYELENGTH || random()%(cos(mp->theta) < 0.0 ? 40 : 10) == 0) {
++ if(x >= EYELENGTH || random()%(cos(mp->theta) < 0.0 ? 40 : 10) == 0) {
+
+ /* if(x > EYELENGTH || (x > EYELENGTH/(2/3.0) && random()%7 == 0)) { */
+ mp->eyeparticles[i][0] = random()%LOOKUPSIZE;
+--
+2.3.5
+
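Review bot: The `>=` at `if(x >= EYELENGTH || ...` is the right fix for the only visible store to `mp->eyeparticles[i][1]`, but the patch header's "one byte ahead" understates the defect: `lookup` is `double [LOOKUPSIZE][EYELENGTH][2]` (line 105 in the quoted excerpt), so an index of 300 is one whole `double[2]` element past the row, which for rows below the last silently reads the next row and for row `LOOKUPSIZE-1` reads the first element of the adjacent `lookup2` member. Every flagged site is a `glVertex3f(mp->lookup[...][...][0], ...)` read, so the observable impact is wrong coordinates plus undefined behaviour rather than memory corruption, and saying so in the patch description would help anyone triaging the sanitizer report. The reset branch after this condition (lines 278-285 of providence.c) and the initial seeding of `eyeparticles` are outside the hunk, so the fix is complete only if they always store a value in `[0, EYELENGTH)`; that is inferred from the quoted snippet and should be confirmed. A comment on the condition would keep the `>` from coming back: `/* x == EYELENGTH would index lookup[][EYELENGTH], one past the last row element */`. update_particles continues outside the hunk.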
diff --git a/xscreensaver.spec b/xscreensaver.spec
index fd8f796..21198c5 100644
--- a/xscreensaver.spec
+++ b/xscreensaver.spec
@@ -10,7 +10,7 @@
%define split_getimage 1
%endif
-%define fedora_rel 11.1
+%define fedora_rel 12
%global use_clang_as_cc 0
%global use_clang_analyze 0
@@ -99,6 +99,8 @@ Patch207: xscreensaver-5.32-0007-utils-utf8wc.c-fix-Unicode-Combining-Dia
Patch208: xscreensaver-5.32-0008-pick_font_1-rescue-when-XftFontOpenXlfd-fails-correc.patch
# pong: adjust paddle position again on new game (bug 1199713)
Patch209: xscreensaver-5.32-0009-pong-adjust-paddle-position-again-on-new-game.patch
+# providence:update_particles: aviod one byte ahead access
+Patch210: xscreensaver-5.32-0010-providence-update_particles-aviod-one-byte-ahead-acc.patch
#
# Patches end
Requires: xscreensaver-base = %{epoch}:%{version}-%{release}
@@ -368,6 +370,7 @@ gzip -dc %{SOURCE50} > po/ja.po
%__cat %PATCH207 | %__git am
%__cat %PATCH208 | %__git am
%__cat %PATCH209 | %__git am
+%__cat %PATCH210 | %__git am
change_option(){
set +x
@@ -1023,6 +1026,9 @@ exit 0
%endif
%changelog
+* Sun Apr 19 2015 Mamoru TASAKA <mtasaka at fedoraproject.org> - 1:5.32-12
+- providence:update_particles: aviod one byte ahead access
+
* Mon Mar 23 2015 Mamoru TASAKA <mtasaka at fedoraproject.org>
- Make it sure that perl interpreter is recognized
as /usr/bin/perl