authorBastian Koppelmann <bkoppelmann@users.noreply.github.com>2021-12-23 20:32:55 +0100
committerGitHub <noreply@github.com>2021-12-23 20:32:55 +0100
commit13e550f93052ef6d51fcbde76cd6796a3cc6bb4e (patch)
treec2832bfc9981e8dfc9689278e77b2a90097e847d /navit/navit.c
parenta671d30766c6c826a0ba80220ddcc05d76dc4108 (diff)
fix:core:Fix buffer overflow for ticket #1167 (#1170)
* Refactor:Transform: Create a transform function for a single point. We have a common pattern where we call transform() for a single point and have to specify the last 4 parameters as constants in a function with too many parameters. So refactor this into a simpler signature. While at this, we also rename the function for easy distinction.
* Fix:Transform: Fix buffer overflow in transform_point_buf in ticket #1167. When displayitem_transform_holes() is called, we allocate a struct point buffer of size count. Then we call transform_point_buf() to fill that buffer, called result. In this function we fill the buffer in a for loop that runs count times. The buffer is indexed using result_idx, which is incremented every loop iteration. However, if we are in 3d mode (indicated by t->ddd), we call transform_z_clip_if_necessary(). This can lead to the repetition of the current loop iteration by decreasing the loop variable i by 1. Even though we decreased i, we still increment result_idx by 1. So from the point of view of result_idx we are running the loop count+1 times. Thus, we write one element past the allocated buffer. To fix this we pass the size of the allocated buffer to transform_point_buf(). Then we check in the loop whether the repetition of this loop iteration would fit into the buffer. If not, we double the size of the buffer and try again until we succeed.
Co-authored-by: Stefan Wildemann <metalstrolch@users.noreply.github.com>
Diffstat (limited to 'navit/navit.c')
-rw-r--r--navit/navit.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/navit/navit.c b/navit/navit.c
index 14087c4ed..fc1c973a0 100644
--- a/navit/navit.c
+++ b/navit/navit.c
@@ -779,7 +779,7 @@ static void navit_autozoom(struct navit *this_, struct coord *center, int speed,
distance = speed * this_->autozoom_secs;
transform_get_size(this_->trans, &w, &h);
- transform(this_->trans, transform_get_projection(this_->trans), center, &pc, 1, 0, 0, NULL);
+ transform_point(this_->trans, transform_get_projection(this_->trans), center, &pc);
scale = transform_get_scale(this_->trans);
/* We make sure that the point we want to see is within a certain range
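Review bot: The result of `transform_point()` on the added line is discarded, exactly as the result of `transform()` was before it; if the new helper, like `transform()`, reports whether the point survived projection (the commit message says z-clipping in 3D mode can drop or repeat a point), `pc` may be read uninitialized by the code that follows. The same pattern appears in the hunks for navit_zoom_to_rect (where p1/p2 are compared against 0, w and h immediately afterwards), navit_vehicle_draw and navit_vehicle_update_position. If transform_point returns a count or success flag, these call sites should bail out on failure, e.g. `if (!transform_point(this_->trans, transform_get_projection(this_->trans), center, &pc)) return;`; if it cannot fail, a comment on its declaration saying so would let readers stop worrying here. navit_autozoom's body starts and ends outside the hunk, so the declaration and later use of `pc` are not visible.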
@@ -2277,8 +2277,8 @@ void navit_zoom_to_rect(struct navit *this_, struct coord_rect *r) {
struct point p1,p2;
transform_set_scale(this_->trans, scale);
transform_setup_source_rect(this_->trans);
- transform(this_->trans, transform_get_projection(this_->trans), &r->lu, &p1, 1, 0, 0, NULL);
- transform(this_->trans, transform_get_projection(this_->trans), &r->rl, &p2, 1, 0, 0, NULL);
+ transform_point(this_->trans, transform_get_projection(this_->trans), &r->lu, &p1);
+ transform_point(this_->trans, transform_get_projection(this_->trans), &r->rl, &p2);
dbg(lvl_debug,"%d,%d-%d,%d",p1.x,p1.y,p2.x,p2.y);
if (p1.x < 0 || p2.x < 0 || p1.x > w || p2.x > w ||
p1.y < 0 || p2.y < 0 || p1.y > h || p2.y > h)
@@ -3224,7 +3224,7 @@ static void navit_vehicle_draw(struct navit *this_, struct navit_vehicle *nv, st
pro=transform_get_projection(this_->trans_cursor);
if (!pro)
return;
- transform(this_->trans_cursor, pro, &nv->coord, &cursor_pnt, 1, 0, 0, NULL);
+ transform_point(this_->trans_cursor, pro, &nv->coord, &cursor_pnt);
}
vehicle_draw(nv->vehicle, this_->gra, &cursor_pnt, nv->dir-transform_get_yaw(this_->trans_cursor), nv->speed);
}
@@ -3309,7 +3309,7 @@ static void navit_vehicle_update_position(struct navit *this_, struct navit_vehi
if (this_->gui && nv->speed > 2)
navit_disable_suspend();
- transform(this_->trans_cursor, pro, &nv->coord, &cursor_pnt, 1, 0, 0, NULL);
+ transform_point(this_->trans_cursor, pro, &nv->coord, &cursor_pnt);
if (this_->button_pressed != 1 && this_->follow_cursor && nv->follow_curr <= nv->follow &&
(nv->follow_curr == 1 || !transform_within_border(this_->trans_cursor, &cursor_pnt, this_->border)))
navit_set_center_cursor_draw(this_);