author | Bastian Koppelmann <bkoppelmann@users.noreply.github.com> | 2021-12-23 20:32:55 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-12-23 20:32:55 +0100 |
commit | 13e550f93052ef6d51fcbde76cd6796a3cc6bb4e (patch) | |
tree | c2832bfc9981e8dfc9689278e77b2a90097e847d /navit/transform.h | |
parent | a671d30766c6c826a0ba80220ddcc05d76dc4108 (diff) | |
download | navit-13e550f93052ef6d51fcbde76cd6796a3cc6bb4e.tar.gz |
fix:core:Fix buffer overflow for ticket #1167 (#1170)
* Refactor:Transform: Create transform func for a single point
We have a common pattern where we call transform() for a single point. We have
to specify the last 4 parameters as constants in a function with too
many parameters. So refactor this function to a simpler signature. While
at this, we also rename the function for easy distinction.
* Fix:Transform: Fix buffer overflow in transform_point_buf in ticket #1167
When displayitem_transform_holes() is called, we allocate a struct point buffer
of size count. Then we call transform_point_buf() to fill that buffer called
result. In this function we fill the buffer in a for loop that runs count times.
The buffer is indexed using result_idx which is incremented every loop
iteration. However, if we are in 3d mode (indicated by t->ddd), we call
transform_z_clip_if_necessary(). This can lead to the repetition of the current
loop iteration by decreasing the loop variable i by 1. Even though we decreased
i we still increment result_idx by 1. So from the point of view of result_idx we
are running the loop count+1 times. Thus, we write one element past the
allocated buffer.
To fix this we give the size of the allocated buffer to
transform_point_buf(). Then we check in the loop if the repetition of this
loop iteration would fit into the buffer. If not, we double the size of
the buffer and try again until we succeed.
Co-authored-by: Stefan Wildemann <metalstrolch@users.noreply.github.com>
Diffstat (limited to 'navit/transform.h')
-rw-r--r-- | navit/transform.h | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/navit/transform.h b/navit/transform.h index dab69fd47..e492882a0 100644 --- a/navit/transform.h +++ b/navit/transform.h @@ -25,6 +25,8 @@ extern "C" { #endif #include "coord.h" +#define TRANSFORM_ERR_BUF_SPACE -1 + /* prototypes */ enum attr_type; enum item_type; @@ -55,7 +57,8 @@ void transform_geo_to_cart(struct coord_geo *geo, navit_float a, navit_float b, void transform_cart_to_geo(struct coord_geo_cart *cart, navit_float a, navit_float b, struct coord_geo *geo); void transform_utm_to_geo(const double UTMEasting, const double UTMNorthing, int ZoneNumber, int NorthernHemisphere, struct coord_geo *geo); void transform_datum(struct coord_geo *from, enum map_datum from_datum, struct coord_geo *to, enum map_datum to_datum); -int transform(struct transformation *t, enum projection pro, struct coord *c, struct point *p, int count, int mindist, int width, int *width_return); +int transform_point(struct transformation *t, enum projection pro, struct coord *c, struct point *p); +int transform_point_buf(struct transformation *t, enum projection pro, struct coord *c, struct point *p, long result_size, int count, int mindist, int width, int *width_return); int transform_reverse(struct transformation *t, struct point *p, struct coord *c); double transform_pixels_to_map_distance(struct transformation *transformation, int pixels); enum projection transform_get_projection(struct transformation *this_); |
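Review bot: the new `#define TRANSFORM_ERR_BUF_SPACE -1` in the first hunk (after `#include "coord.h"`) carries no comment saying which function returns it or what the caller is expected to do on seeing it; since the commit message says the caller must enlarge the buffer and retry, a one-line comment next to the macro, for example `/* returned by transform_point_buf() when result_size is too small; enlarge the buffer and retry */`, would keep that contract in the header where callers will look for it. Writing the value as `(-1)` is also the conventional safe form for a negative macro constant.

Review bot: in the second hunk the new `transform_point_buf()` prototype takes the buffer capacity as `long result_size` while `count` and the return value are `int`; if the result index compared against `result_size` inside the loop is an `int`, the check mixes widths and invites implicit-conversion warnings, so consider giving the capacity and the index the same type (or `size_t` for the capacity). The old `transform()` prototype is removed outright rather than kept as a deprecated wrapper, so every remaining caller has to be converted in this same change or the build breaks; a short comment above `transform_point_buf()` stating that it returns `TRANSFORM_ERR_BUF_SPACE` when the buffer is too small would document the new contract beside the signature.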