<div class="gmail_quote">On Mon, Dec 28, 2009 at 2:02 PM, Cyrille Berger <span dir="ltr"><<a href="mailto:cberger@cberger.net">cberger@cberger.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi,<br>
<br>
I am not sure if I get the problem, but if the dataRect is invalid or empty,<br>
then no convolution should happen, and the correct way is to return. Or am I<br>
missing something ?<br></blockquote><div><br>Without workaround: if dataRect is empty or invalid applyMatrix simply crashes inside iterators.<br>The problem is applyMatrix does NOT guarantee successful execution and does not report any fails, so it prepares bad dataRects for itself during consecutive execution. In addition it has quite strange checks inside those lead to fail when everything is ok, i mean <br>
<pre class="bz_comment_text" id="comment_text_0">if (areaSize.width() < kw || areaSize.height() < kh || ...) return;<br></pre><br>To ensure we don't forget about this i added a ticket: <a href="https://bugs.kde.org/show_bug.cgi?id=220310">https://bugs.kde.org/show_bug.cgi?id=220310</a><br>
</div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div></div><div class="h5"><br>
<br>
On Sunday 27 December 2009, Dmitry Kazakov wrote:<br>
> SVN commit 1066740 by dkazakov:<br>
><br>
> Workaround for consequent convolutions crash<br>
><br>
><br>
> FIXME: Implementation can return empty destination device<br>
> on faults and has no way to report this. This will cause a crash<br>
> on sequential convolutions inside iteratiors.<br>
><br>
> o implementation should do it's work or assert otherwise<br>
> (or report the issue somehow)<br>
> o check other cases of the switch for the vulnerability<br>
><br>
> CCBUG:220310<br>
> <a href="mailto:CCMAIL%3Acberger@cberger.net">CCMAIL:cberger@cberger.net</a><br>
><br>
><br>
> M +13 -1 kis_convolution_painter.cc<br>
><br>
><br>
> --- trunk/koffice/krita/image/kis_convolution_painter.cc #1066739:1066740<br>
> @@ -82,7 +82,19 @@<br>
> switch (borderOp) {<br>
> case BORDER_REPEAT: {<br>
> QRect dataRect = src->exactBounds();<br>
> - applyMatrixImpl<RepeatIteratorFactory>(kernel, src, srcPos,<br>
> dstPos, areaSize, dataRect); +<br>
> + /**<br>
> + * FIXME: Implementation can return empty destination device<br>
> + * on faults and has no way to report this. This will cause a<br>
> crash + * on sequential convolutions inside iteratiors.<br>
> + *<br>
> + * o implementation should do it's work or assert otherwise<br>
> + * (or report the issue somehow)<br>
> + * o check other cases of the switch for the vulnerability<br>
> + */<br>
> +<br>
> + if(dataRect.isValid())<br>
> + applyMatrixImpl<RepeatIteratorFactory>(kernel, src, srcPos,<br>
> dstPos, areaSize, dataRect); }<br>
> return;<br>
> case BORDER_DEFAULT_FILL : {<br>
><br>
<br>
<br>
</div></div>--<br>
<font color="#888888">Cyrille Berger<br>
</font></blockquote></div><br><br clear="all"><br>-- <br>Dmitry Kazakov<br>