path: root/graphics/inkscape/patches/inkscape-0.92.4-upstream_fixes-1.patch
Submitted By: Ken Moffat <ken at linuxfromscratch dot org>
Date: 2019-06-25
Initial Package Version: 0.92.4
Upstream Status: Applied
Origin: Upstream
Description: Fixes for out of bounds accesses in the fill bucket and text tools.
These issues are highlighted if -D_FORTIFY_SOURCE=2 is used (e.g. application
terminated when trying to use the fill tool).

commit 19225039b8667679c175e62f1faa29495b4ed547
Author: Nathan Lee <2431820-nathanal@users.noreply.gitlab.com>
Date:   Fri Apr 26 00:30:04 2019 +1000

    Add out of bound checks to fill bucket
    
    Fixes https://gitlab.com/inkscape/inbox/issues/398

commit 37a5a0e7f1e0303222e6349379a6943c60f3b5b8
Author: Trevor Spiteri <trevor.spiteri@um.edu.mt>
Date:   Tue Jan 15 18:57:17 2019 +0100

    out-of-bounds access on Enter in new text field
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1575842
    
    Reproduce using:
    1. Select text tool (F8)
    2. Click on empty canvas
    3. Hit Enter

commit 6b8b86ca248cc47128ee3646d7ce17d2c0720522
Author: Trevor Spiteri <trevor.spiteri@um.edu.mt>
Date:   Tue Jan 15 18:57:56 2019 +0100

    out-of-bounds access on clicking at end of text field
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1608371
    https://bugs.launchpad.net/inkscape/+bug/1803553
    
    Reproduce using:
    1. Select text tool (F8)
    2. Click on empty canvas
    3. Type "abc"
    4. Click somewhere else
    5. Click in first text field after "c" in "abc"

diff -Naur a/src/libnrtype/Layout-TNG-OutIter.cpp b/src/libnrtype/Layout-TNG-OutIter.cpp
--- a/src/libnrtype/Layout-TNG-OutIter.cpp	2019-01-15 04:29:27.000000000 +0000
+++ b/src/libnrtype/Layout-TNG-OutIter.cpp	2019-06-25 18:55:33.680796467 +0100
@@ -46,7 +46,10 @@
             best_x_difference = this_x_difference;
         }
     }
-    if (best_char_index == -1) return iterator(this, char_index);
+    if (best_char_index == -1)
+        best_char_index = char_index;
+    if (best_char_index == _characters.size())
+        return end();
     return iterator(this, best_char_index);
 }
 
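Review bot: The new guard `if (best_char_index == _characters.size())` uses an equality test, while the matching guard in the second hunk of this file uses `>=`, so an index that ends up past `size()` would still reach `iterator(this, best_char_index)`. Writing it as `if (best_char_index >= _characters.size()) return end();` keeps the two checks consistent and closes that case. The earlier `== -1` test suggests best_char_index is signed, which would make this a signed/unsigned comparison; its declaration is outside the hunk, so that needs confirming there. The function begins above the hunk.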
@@ -182,6 +185,8 @@
     if (_input_stream[source_index]->Type() != TEXT_SOURCE)
         return iterator(this, char_index);
 
+    if (char_index >= _characters.size())
+        return end();
     return iterator(this, char_index);
     /* This code was never used, the text_iterator argument was "NULL" in all calling code
     InputStreamTextSource const *text_source = static_cast<InputStreamTextSource const *>(_input_stream[source_index]);
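Review bot: The non-text branch just above the added check, `return iterator(this, char_index);` under the `Type() != TEXT_SOURCE` test, still returns without the bounds check, so an out-of-range char_index can escape that way if it can occur for non-text sources. Moving the added `if (char_index >= _characters.size()) return end();` above the `Type()` test would cover both returns. How char_index and source_index are derived is outside the hunk, so whether `_input_stream[source_index]` is itself bounded should be confirmed there.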
diff -Naur a/src/ui/tools/flood-tool.cpp b/src/ui/tools/flood-tool.cpp
--- a/src/ui/tools/flood-tool.cpp	2019-01-15 04:29:27.000000000 +0000
+++ b/src/ui/tools/flood-tool.cpp	2019-06-25 18:55:14.064888807 +0100
@@ -630,7 +630,7 @@
     bool can_paint_top = (top_ty > 0);
     bool can_paint_bottom = (bottom_ty < bci.height);
 
-    Geom::Point t = fill_queue->front();
+    Geom::Point front_of_queue = fill_queue->empty() ? Geom::Point() : fill_queue->front();
 
     do {
         ok = false;
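Review bot: When the queue is empty, front_of_queue is set to a default-constructed `Geom::Point()`, which reads as an ordinary coordinate rather than an "absent" marker, so correctness depends on every later comparison also testing `fill_queue->empty()`. The later hunk in this file does that in its `(!fill_queue->empty()) &&` condition, but nothing here records that the value is only a placeholder; a comment such as `// placeholder when the queue is empty; compare only after checking fill_queue->empty()` would make it explicit. The same ternary is repeated after `pop_front()` in that later hunk, so a small local helper would keep the two in step. The enclosing function starts and ends outside the hunk.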
@@ -648,8 +648,11 @@
                 paint_directions = paint_pixel(px, trace_px, orig_color, bci, current_trace_t);
                 if (bci.radius == 0) {
                     mark_pixel_checked(current_trace_t);
-                    if ((t[Geom::X] == bci.x) && (t[Geom::Y] == bci.y)) {
-                        fill_queue->pop_front(); t = fill_queue->front();
+                    if ((!fill_queue->empty()) &&
+                        (front_of_queue[Geom::X] == bci.x) &&
+                        (front_of_queue[Geom::Y] == bci.y)) {
+                        fill_queue->pop_front();
+                        front_of_queue = fill_queue->empty() ? Geom::Point() : fill_queue->front();
                     }
                 }