gui/SOURCES/xscreensaver-5.39-0002-crum...

From 58f4a6f93b10d3ba65d9d62f128a30ffba2de72e Mon Sep 17 00:00:00 2001
From: Mamoru TASAKA <mtasaka@fedoraproject.org>
Date: Sun, 15 Apr 2018 15:12:11 +0900
Subject: [PATCH] crumbler: fix color overvalue when accessing colors array

gcc8 -fsanitize=address detects the following error:

==30292==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62900003b8b8 at pc 0x00000040b27a bp 0x7fff47820090 sp 0x7fff47820080
READ of size 2 at 0x62900003b8b8 thread T0
    #0 0x40b279 in draw_chunk ../../../hacks/glx/crumbler.c:680
    #1 0x4129ac in draw_crumbler ../../../hacks/glx/crumbler.c:795
    #2 0x439a21 in xlockmore_draw ../../hacks/xlockmore.c:628
    #3 0x408dbe in run_screenhack_table ../../hacks/screenhack.c:586
    #4 0x408dbe in main ../../hacks/screenhack.c:967
    #5 0x7fa8ac7901ba in __libc_start_main ../csu/libc-start.c:308
    #6 0x40a4a9 in _start (/home/tasaka1/rpmbuild/fedora-specific/xscreensaver/master/xscreensaver-5.39/x86_64-pc-linux-gnu/hacks/glx/crumbler+0x40a4a9)

0x62900003b8b8 is located 1720 bytes to the right of 16384-byte region [0x629000037200,0x62900003b200)
allocated by thread T0 here:
    #0 0x7fa8b054de50 in calloc (/lib64/libasan.so.5+0xeee50)
    #1 0x40fe98 in init_crumbler ../../../hacks/glx/crumbler.c:633
    #2 0x3f7fffffffffffff  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../hacks/glx/crumbler.c:680 in draw_chunk

Apparently at the line 680, c->color is oversized. I guess at the lines 367-368, parentheses are
incorrectly added: c2->color should have the value no more than bp->ncolors - 1.
---
 hacks/glx/crumbler.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hacks/glx/crumbler.c b/hacks/glx/crumbler.c
index cf21a94..f9a908a 100644
--- a/hacks/glx/crumbler.c
+++ b/hacks/glx/crumbler.c
@@ -364,8 +364,8 @@ split_chunk (ModeInfo *mi, chunk *c, int nchunks)
       chunks[i] = c2;
       chunks[i]->nverts = 0;
       c2->verts = (qh_vertex_t *) calloc (c->nverts, sizeof(*c2->verts));
-      c2->color = (c->color + (random() % (1 + (bp->ncolors / 3)))
-                   % bp->ncolors);
+      c2->color = (c->color + (random() % (1 + (bp->ncolors / 3))))
+                   % bp->ncolors;
     }
 
   /* Add the verts to the approprate chunks
-- 
2.17.0
update xscreensaver package Signed-off-by: guibuilder_pel7x64builder0 <guibuilder@powerel.org> 7 years ago			`From 58f4a6f93b10d3ba65d9d62f128a30ffba2de72e Mon Sep 17 00:00:00 2001`
			`From: Mamoru TASAKA <mtasaka@fedoraproject.org>`
			`Date: Sun, 15 Apr 2018 15:12:11 +0900`
			`Subject: [PATCH] crumbler: fix color overvalue when accessing colors array`

			`gcc8 -fsanitize=address detects the following error:`

			`==30292==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62900003b8b8 at pc 0x00000040b27a bp 0x7fff47820090 sp 0x7fff47820080`
			`READ of size 2 at 0x62900003b8b8 thread T0`
			`#0 0x40b279 in draw_chunk ../../../hacks/glx/crumbler.c:680`
			`#1 0x4129ac in draw_crumbler ../../../hacks/glx/crumbler.c:795`
			`#2 0x439a21 in xlockmore_draw ../../hacks/xlockmore.c:628`
			`#3 0x408dbe in run_screenhack_table ../../hacks/screenhack.c:586`
			`#4 0x408dbe in main ../../hacks/screenhack.c:967`
			`#5 0x7fa8ac7901ba in __libc_start_main ../csu/libc-start.c:308`
			`#6 0x40a4a9 in _start (/home/tasaka1/rpmbuild/fedora-specific/xscreensaver/master/xscreensaver-5.39/x86_64-pc-linux-gnu/hacks/glx/crumbler+0x40a4a9)`

			`0x62900003b8b8 is located 1720 bytes to the right of 16384-byte region [0x629000037200,0x62900003b200)`
			`allocated by thread T0 here:`
			`#0 0x7fa8b054de50 in calloc (/lib64/libasan.so.5+0xeee50)`
			`#1 0x40fe98 in init_crumbler ../../../hacks/glx/crumbler.c:633`
			`#2 0x3f7fffffffffffff (<unknown module>)`

			`SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../hacks/glx/crumbler.c:680 in draw_chunk`

			`Apparently at the line 680, c->color is oversized. I guess at the lines 367-368, parentheses are`
			`incorrectly added: c2->color should have the value no more than bp->ncolors - 1.`
			`---`
			`hacks/glx/crumbler.c \| 4 ++--`
			`1 file changed, 2 insertions(+), 2 deletions(-)`

			`diff --git a/hacks/glx/crumbler.c b/hacks/glx/crumbler.c`
			`index cf21a94..f9a908a 100644`
			`--- a/hacks/glx/crumbler.c`
			`+++ b/hacks/glx/crumbler.c`
			`@@ -364,8 +364,8 @@ split_chunk (ModeInfo mi, chunk c, int nchunks)`
			`chunks[i] = c2;`
			`chunks[i]->nverts = 0;`
			`c2->verts = (qh_vertex_t ) calloc (c->nverts, sizeof(c2->verts));`
			`- c2->color = (c->color + (random() % (1 + (bp->ncolors / 3)))`
			`- % bp->ncolors);`
			`+ c2->color = (c->color + (random() % (1 + (bp->ncolors / 3))))`
			`+ % bp->ncolors;`
			`}`

			`/* Add the verts to the approprate chunks`
			`--`
			`2.17.0`