
xyjBuffer overflow in dcLLFillerS.c


    Details

    • Type: Bug
    • Status: Open
    • Priority: P4
    • Resolution: Unresolved
    • Affects Version/s: 1.4.2
    • Fix Version/s: None
    • Component/s: client-libs
    • Subcomponent: 2d
    • Understanding: Cause Known
    • CPU: generic
    • OS: other

      Description

      HP observes an xyjBuffer overflow in dcLLFillerS.c when debugging a customer application.

      Please see file dcLLFillerS.c, method appendArc3:

      In the failure case, at the start of the method appendArc3, the values of the
      various variables are as follows:

      steps=1 : diam=2 : p->xyjN=252 : x1=8 : y1=11 : x2=9 : y2=9 : x3=11 : y3=8 :
      p->x0=8 : p->y0=13 : i=252

      The maximum limit for p->xyjN (i) should be 256. But in the failure case,
      the value of "i" goes to 258. This happens when the following code gets
      executed.

      Before line 564, the value of "i" is 252, and it falls into the following if
      statement and gets incremented to 258, which exceeds the buffer size by 2. So
      the overflow happens.
      The value of "i" needs to be checked before filling xyjBuffer.

         564     if (diam < oneU) { /* special case: very short cubic */
         565         if (x01 != 0 || y01 != 0) {
         566             p->xyjBuffer[i++] = (i8)x01;
         567             p->xyjBuffer[i++] = (i8)y01;
         568         }
         569         if (x12 != 0 || y12 != 0) {
         570             p->xyjBuffer[i++] = (i8)x12;
         571             p->xyjBuffer[i++] = (i8)y12;
         572         }
         573         if (x23 != 0 || y23 != 0) {
         574             p->xyjBuffer[i++] = (i8)x23;
         575             p->xyjBuffer[i++] = (i8)y23;
         576         }
         577     } else { /* trace the cubic */
         578         int d0x, d1x, d2x, d3x;

      Unfortunately, there's no test case demonstrating the problem.
      ###@###.### 2005-04-14 23:34:14 GMT
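The overrun described in the report, replayed as an added example. This is not the JDK's dcLLFillerS.c code: the buffer size XYJ_CAP=256 is taken from the report's stated limit, the Filler struct, the marker bytes past the logical end, the derivation of the deltas as successive control-point differences, and the refuse-and-let-the-caller-flush fix in appendShortCubicChecked are all assumptions made for this demo. The unchecked variant reproduces the special case at lines 564-576 and, starting from i=252 with three non-zero deltas, ends at i=258; the checked variant computes the space needed first and rejects the append.

```c
#include <stdio.h>
#include <string.h>

typedef signed char i8;

#define XYJ_CAP    256  /* assumed logical size of xyjBuffer (the report's "256") */
#define TAIL_LEN   8    /* demo-only slack after the logical end, used to observe overruns */
#define TAIL_MARK  0x5A

typedef struct {
    /* The backing array is deliberately TAIL_LEN larger than XYJ_CAP so the
       unchecked writes stay inside a real C array (no undefined behaviour in
       this demo) while still landing past the logical end, where the marker
       bytes reveal the overrun. Assumed layout, not the JDK's. */
    i8  xyjBuffer[XYJ_CAP + TAIL_LEN];
    int xyjN;                          /* number of slots in use (the report's i) */
} Filler;

static void fillerInit(Filler *p, int used) {
    memset(p->xyjBuffer, 0, XYJ_CAP);
    memset(p->xyjBuffer + XYJ_CAP, TAIL_MARK, TAIL_LEN);
    p->xyjN = used;
}

/* Returns 1 if any byte past the logical end has been overwritten. */
static int fillerTailClobbered(const Filler *p) {
    for (int k = 0; k < TAIL_LEN; k++)
        if (p->xyjBuffer[XYJ_CAP + k] != (i8)TAIL_MARK) return 1;
    return 0;
}

/* Slots the short-cubic special case will consume: two per non-zero delta. */
static int shortCubicSlots(int x01, int y01, int x12, int y12, int x23, int y23) {
    return 2 * ((x01 != 0 || y01 != 0) + (x12 != 0 || y12 != 0) + (x23 != 0 || y23 != 0));
}

/* Mirrors the reported special case at lines 564-576: no bounds check, so the
   returned fill count can exceed XYJ_CAP by up to 6. */
static int appendShortCubicUnchecked(Filler *p, int x01, int y01, int x12, int y12, int x23, int y23) {
    int i = p->xyjN;
    if (x01 != 0 || y01 != 0) { p->xyjBuffer[i++] = (i8)x01; p->xyjBuffer[i++] = (i8)y01; }
    if (x12 != 0 || y12 != 0) { p->xyjBuffer[i++] = (i8)x12; p->xyjBuffer[i++] = (i8)y12; }
    if (x23 != 0 || y23 != 0) { p->xyjBuffer[i++] = (i8)x23; p->xyjBuffer[i++] = (i8)y23; }
    p->xyjN = i;
    return i;
}

/* Checked variant: compute the space needed first and refuse the append when
   it would not fit. Returns the new fill count, or -1 so the caller can flush
   the buffer and retry. One possible fix, assumed here; not the JDK's change. */
static int appendShortCubicChecked(Filler *p, int x01, int y01, int x12, int y12, int x23, int y23) {
    int need = shortCubicSlots(x01, y01, x12, y12, x23, y23);
    if (p->xyjN < 0 || p->xyjN > XYJ_CAP || need > XYJ_CAP - p->xyjN) return -1;
    return appendShortCubicUnchecked(p, x01, y01, x12, y12, x23, y23);
}

/* Replays the report's failure case. The deltas are assumed to be successive
   control-point differences of the report's values (x0,y0)=(8,13),
   (x1,y1)=(8,11), (x2,y2)=(9,9), (x3,y3)=(11,8): (0,-2), (1,-2), (2,-1).
   Returns the resulting fill count. */
static int replayCount(int useChecked, int startIndex) {
    Filler f;
    fillerInit(&f, startIndex);
    return useChecked ? appendShortCubicChecked(&f, 0, -2, 1, -2, 2, -1)
                      : appendShortCubicUnchecked(&f, 0, -2, 1, -2, 2, -1);
}

/* Same replay, but reports whether bytes past the logical end were touched. */
static int replayClobbers(int useChecked, int startIndex) {
    Filler f;
    fillerInit(&f, startIndex);
    if (useChecked) appendShortCubicChecked(&f, 0, -2, 1, -2, 2, -1);
    else            appendShortCubicUnchecked(&f, 0, -2, 1, -2, 2, -1);
    return fillerTailClobbered(&f);
}

int main(void) {
    printf("unchecked, i=252: final i=%d, tail clobbered=%d\n",
           replayCount(0, 252), replayClobbers(0, 252));
    printf("checked,   i=252: result=%d, tail clobbered=%d\n",
           replayCount(1, 252), replayClobbers(1, 252));
    printf("checked,   i=250: result=%d, tail clobbered=%d\n",
           replayCount(1, 250), replayClobbers(1, 250));
    return 0;
}
```

The check is placed before any write because the three if statements can each add two slots, so testing i against the limit once per pair would still let the last pair run past the end; computing the total up front (shortCubicSlots) is what makes the pre-check sufficient. With i=250 the same six-slot append fits exactly and both variants stop at 256.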

            People

            Assignee:
            avu Alexey Ushakov
            Reporter:
            ksoshals Kirill Soshalskiy (Inactive)