smoke: fix valgrind invalid read errors

Submitted by Frank Binns on Oct. 28, 2014, 10:50 a.m.

Details

Message ID 1414493418-17975-1-git-send-email-frank.binns@imgtec.com
State Accepted
Commit 77f7daca681f0b90457fa7a67ad5de72a3d83a75

Commit Message

Frank Binns Oct. 28, 2014, 10:50 a.m.
There are a number of invalid read errors reported by valgrind of the
form:
	==13428== Invalid read of size 4
        ==13428==    at 0x405656: advect (smoke.c:116)
        ==13428==    by 0x405E80: redraw_handler (smoke.c:228)
        ==13428==    by 0x40DE74: widget_redraw (window.c:3995)
        ==13428==    by 0x40E02D: surface_redraw (window.c:4053)
        ==13428==    by 0x40E0C9: idle_redraw (window.c:4082)
        ==13428==    by 0x410FC9: display_run (window.c:5561)
        ==13428==    by 0x406518: main (smoke.c:373)
        ==13428==  Address 0xb2c9b14 is 4 bytes after a block of size
                   160,000 alloc'd
        ==13428==    at 0x4C29DB4: calloc
        ==13428==    by 0x40646B: main (smoke.c:360)

This results in invalid rendering when running a debug version of the
application.

Fix the issue by limiting the maximum values of px and py to 1.5 less
than width and height. This prevents reading past the end of the source
buffer.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=82287
Signed-off-by: Frank Binns <frank.binns@imgtec.com>
---
 clients/smoke.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Patch

diff --git a/clients/smoke.c b/clients/smoke.c
index 65b6e03..245e226 100644
--- a/clients/smoke.c
+++ b/clients/smoke.c
@@ -88,10 +88,10 @@  static void advect(struct smoke *smoke, uint32_t time,
 				px = 0.5;
 			if (py < 0.5)
 				py = 0.5;
-			if (px > smoke->width - 0.5)
-				px = smoke->width - 0.5;
-			if (py > smoke->height - 0.5)
-				py = smoke->height - 0.5;
+			if (px > smoke->width - 1.5)
+				px = smoke->width - 1.5;
+			if (py > smoke->height - 1.5)
+				py = smoke->height - 1.5;
 			i = (int) px;
 			j = (int) py;
 			fx = px - i;
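
Review bot: in the two new upper clamps, `smoke->width - 1.5` and `smoke->height - 1.5` fall below the 0.5 lower bound applied just above whenever width or height is less than 2, and because the upper clamp runs last, px or py then ends up at -0.5. Either reject such sizes where the buffers are allocated or apply the lower clamp after the upper one, so the lower bound always wins.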

Comments

On Tue, 28 Oct 2014 10:50:18 +0000
Frank Binns <frank.binns@imgtec.com> wrote:

> There are a number of invalid read errors reported by valgrind of the
> form:
> 	==13428== Invalid read of size 4
>         ==13428==    at 0x405656: advect (smoke.c:116)
>         ==13428==    by 0x405E80: redraw_handler (smoke.c:228)
>         ==13428==    by 0x40DE74: widget_redraw (window.c:3995)
>         ==13428==    by 0x40E02D: surface_redraw (window.c:4053)
>         ==13428==    by 0x40E0C9: idle_redraw (window.c:4082)
>         ==13428==    by 0x410FC9: display_run (window.c:5561)
>         ==13428==    by 0x406518: main (smoke.c:373)
>         ==13428==  Address 0xb2c9b14 is 4 bytes after a block of size
>                    160,000 alloc'd
>         ==13428==    at 0x4C29DB4: calloc
>         ==13428==    by 0x40646B: main (smoke.c:360)
> 
> This results in invalid rendering when running a debug version of the
> application.
> 
> Fix the issue by limiting the maximum values of px and py to 1.5 less
> than width and height. This prevents reading past the end of the source
> buffer.
> 
> Bug: https://bugs.freedesktop.org/show_bug.cgi?id=82287
> Signed-off-by: Frank Binns <frank.binns@imgtec.com>
> ---
>  clients/smoke.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/clients/smoke.c b/clients/smoke.c
> index 65b6e03..245e226 100644
> --- a/clients/smoke.c
> +++ b/clients/smoke.c
> @@ -88,10 +88,10 @@ static void advect(struct smoke *smoke, uint32_t time,
>  				px = 0.5;
>  			if (py < 0.5)
>  				py = 0.5;
> -			if (px > smoke->width - 0.5)
> -				px = smoke->width - 0.5;
> -			if (py > smoke->height - 0.5)
> -				py = smoke->height - 0.5;
> +			if (px > smoke->width - 1.5)
> +				px = smoke->width - 1.5;
> +			if (py > smoke->height - 1.5)
> +				py = smoke->height - 1.5;
>  			i = (int) px;
>  			j = (int) py;
>  			fx = px - i;
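
Review bot: the new `- 1.5` bounds carry no comment in the code, so the reason for the extra 1.0 lives only in the commit message (it prevents reading past the end of the source buffer). A one-line comment above the `px > smoke->width - 1.5` test saying that the clamp leaves room for the reads that follow `i = (int) px` and `j = (int) py` would keep a later cleanup from restoring 0.5.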

Looks good to me, pushed.


Thanks,
pq
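
The bound described in the commit message can be checked in isolation. The following is an added example, not code from the patch or the project: it assumes the sampler reads the four taps (i,j), (i+1,j), (i,j+1), (i+1,j+1) from a row-major float array, and a 200x200 grid chosen to match the 160,000-byte block in the valgrind report. All helper names are hypothetical.

```c
#include <stdio.h>
#include <stddef.h>

/* Clamp in the same order as the patch: lower bound, then upper bound. */
static float clamp_coord(float p, int limit, float margin)
{
	if (p < 0.5f)
		p = 0.5f;
	if (p > limit - margin)
		p = limit - margin;
	return p;
}

/* Highest flat index touched by a 4-tap bilinear sample at (px, py).
 * Assumption: taps are (i,j), (i+1,j), (i,j+1), (i+1,j+1) in a
 * row-major width*height array of float. */
static size_t max_tap_index(float px, float py, int width)
{
	int i = (int) px;
	int j = (int) py;
	return (size_t) (j + 1) * width + (size_t) (i + 1);
}

/* Bytes between the end of the buffer and the start of the furthest tap
 * (negative when the tap is inside the buffer). */
static long bytes_past_end(float px, float py, int width, int height)
{
	long last = (long) max_tap_index(px, py, width);
	return (last - (long) width * height) * (long) sizeof(float);
}

/* 1 if the largest clamped coordinates keep every tap inside the buffer. */
static int clamp_is_safe(int width, int height, float margin)
{
	float px = clamp_coord(1e9f, width, margin);
	float py = clamp_coord(1e9f, height, margin);
	return bytes_past_end(px, py, width, height) < 0;
}

int main(void)
{
	/* Constructed size: 200 * 200 * sizeof(float) = 160,000 bytes. */
	printf("margin 0.5 safe: %d\n", clamp_is_safe(200, 200, 0.5f));
	printf("margin 1.5 safe: %d\n", clamp_is_safe(200, 200, 1.5f));
	printf("px=0.5 py=199.5: %ld bytes past end\n",
	       bytes_past_end(0.5f, 199.5f, 200, 200));
	printf("1x1 grid, margin 1.5 safe: %d\n", clamp_is_safe(1, 1, 1.5f));
	return 0;
}
```

Under these assumptions a sample in the last row with the old clamp lands 4 bytes past the buffer, and a grid narrower or shorter than 2 cells stays out of bounds with either margin, so the size has to be validated separately.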