procyberian/gimp
2
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/gimp.git synced 2025-07-04 01:43:24 +00:00
Code Issues 1 Projects 1 Releases Packages Wiki Activity Actions

app: fix global-buffer-overflow in "gimp:dissolve" implementation.

Browse source 
In case of negative y in the region to process, we were accessing invalid memory
(negative array index).

I hesitated between make so that a given ordinate always use the same index or
if we just want the start ordinate (whatever it is) to use index 0. The later
could have just been `(y - result->y) % RANDOM_TABLE_SIZE`.

I just decided to keep the existing logic (former case) though to be fair, not
sure it matters much.

(cherry picked from commit a86560bb57)
This commit is contained in:
Jehan 2023-02-16 16:40:47 +01:00
parent 31672ee340
commit 7f29543895
1 changed files with 8 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

9
app/operations/layer-modes/gimpoperationdissolve.c
View file

@ -101,7 +101,14 @@ gimp_operation_dissolve_process (GeglOperation *op,
for (y = result->y; y < result->y + result->height; y++) for (y = result->y; y < result->y + result->height; y++)
{ {
GRand *gr = g_rand_new_with_seed (random_table[y % RANDOM_TABLE_SIZE]); GRand *gr;
/* The offset can be negative. I could just abs() the result, but we
* probably prefer to use different indexes of the table when possible for
* nicer randomization, so let's cycle the modulo so that -1 is the last
* table index.
*/
gr = g_rand_new_with_seed (random_table[((y % RANDOM_TABLE_SIZE) + RANDOM_TABLE_SIZE) % RANDOM_TABLE_SIZE]);
/* fast forward through the rows pseudo random sequence */ /* fast forward through the rows pseudo random sequence */
for (x = 0; x < result->x; x++) for (x = 0; x < result->x; x++)