Small bugfix for zm_image.h

kamand
Posts: 24
Joined: Fri Nov 28, 2003 10:04 am

Small bugfix for zm_image.h

Post by kamand »

Hello, Phil.
In the function inline void Assign( const Image &image )
it is possible to read past the end of the source buffer's memory and get a segmentation fault.

diff -u zm_image.h_orig zm_image.h

--- zm_image.h_orig     2006-05-08 15:46:53.000000000 +0300
+++ zm_image.h  2006-12-29 11:21:15.000000000 +0200
@@ -220,7 +220,7 @@
                                memset( buffer, 0, size );
                        }
                }
-               memcpy( buffer, image.buffer, size );
+               memcpy( buffer, image.buffer, image.size );
        }

        inline void CopyBuffer( const Image &image )
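Review bot: copying `image.size` bytes stops the read past `image.buffer`, but it is only bounded on the destination side if `image.size` equals the product width*height*colours of `image`, and the grow-only `if ( size < new_size )` guard that precedes this memcpy in Assign (quoted in the follow-up patch) never shrinks `size`, so a source that previously held a larger frame can carry a `size` bigger than its pixel data and this copy would then run past a destination allocated to exactly `new_size`. Safer choices are to copy `new_size` (the value the destination was just checked against) or to make `size` track the dimensions exactly so both lengths agree.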
And something like this patch needs to be done for the previous method:
inline void Assign( int p_width, int p_height, int p_colours, unsigned char *new_buffer )
This patch is for 1.22.2, but this code is unchanged in 1.22.3.

Happy New Year.
Regards.
Andrew.
cdtdaddy
Posts: 3
Joined: Thu Dec 07, 2006 10:57 pm
Location: Rome, Italy

Re: Small bugfix for zm_image.h

Post by cdtdaddy »

kamand wrote: Hello, Phil.
In the function inline void Assign( const Image &image )
it is possible to read past the end of the source buffer's memory and get a segmentation fault.

diff -u zm_image.h_orig zm_image.h

--- zm_image.h_orig     2006-05-08 15:46:53.000000000 +0300
+++ zm_image.h  2006-12-29 11:21:15.000000000 +0200
@@ -220,7 +220,7 @@
                                memset( buffer, 0, size );
                        }
                }
-               memcpy( buffer, image.buffer, size );
+               memcpy( buffer, image.buffer, image.size );
        }

        inline void CopyBuffer( const Image &image )
And something like this patch needs to be done for the previous method:
inline void Assign( int p_width, int p_height, int p_colours, unsigned char *new_buffer )
This patch is for 1.22.2, but this code is unchanged in 1.22.3.

Happy New Year.
Regards.
Andrew.
Hi,
thank you for finding this bug! I think I was hitting this bug very frequently!
For now, no more zmc crashes! :)

However, I think that the patch should be the following:

--- zm_image.h.orig     2006-12-30 02:00:11.000000000 +0100
+++ zm_image.h  2006-12-30 01:59:43.000000000 +0100
@@ -194,7 +194,7 @@
                        pixels = width*height;
                        colours = p_colours;
                        int new_size = width*height*colours;
-                       if ( size < new_size )
+                       if ( size != new_size )
                        {
                                size = new_size;
                                delete[] buffer;
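Review bot: `size != new_size` reallocates on shrink as well as on grow, which restores the invariant `size == width*height*colours` that the later memcpy length in this method depends on; the cost is a `delete[]`/`new` on every dimension change instead of only when the image grows. If reusing the larger buffer for smaller frames matters, the cleaner alternative is a separate allocated-capacity field for the `<` reuse decision while `size` always holds the current image's byte count. Independently of that, `int new_size = width*height*colours;` is a signed product of caller-supplied values with no sanity check before the `delete[]`; rejecting non-positive or implausibly large dimensions here would be cheap.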
@@ -213,7 +213,7 @@
                        pixels = width*height;
                        colours = image.colours;
                        int new_size = width*height*colours;
-                       if ( size < new_size )
+                       if ( size != new_size )
                        {
                                size = new_size;
                                delete[] buffer;
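Review bot: with this comparison `size` equals `new_size` on exit whether the image grew or shrank, so the unmodified `memcpy( buffer, image.buffer, size )` copies exactly the right amount and `image.size` as the length becomes equivalent, provided every `Image` reaching this method was sized through the same patched code. The allocation that follows `delete[] buffer;` lies outside the hunk; confirm it allocates `new_size` (or the just-updated `size`) rather than a length captured before this assignment, since the branch is now taken on shrink too.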
So if you're assigning a smaller image to the current instance, the "size" and the "buffer" attributes will be updated and you'll read only "size" bytes in the following memcpy().

Thank you again and happy new year to you too.
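The three variants discussed in this thread (the 1.22.2 code that copies `size` bytes from a grow-only buffer, kamand's change to copy `image.size`, and cdtdaddy's `size != new_size` reallocation) can be compared side by side in a small model. The following is an added example written for this page, not ZoneMinder's code: `Image`, `Resize`, `Assign`, `Policy`, the two scenario functions and the 640x480/320x240 RGB dimensions are all constructed here, and the modelled `Assign` validates the copy against both buffers' real extents before calling memcpy, so an out-of-bounds copy is reported as a result code instead of corrupting the heap. The second scenario goes one step beyond the posts: it follows the visible `<` guard to its consequence, a source image whose own `size` is stale, which is the case where copying `image.size` alone is not enough.

```cpp
#include <cstdio>
#include <cstring>

// Toy stand-in for ZoneMinder's Image buffer bookkeeping (constructed for this
// example; not the project's code). `size` is the allocated byte count and the
// invariant we care about is size == width*height*colours.
struct Image {
    int width = 0, height = 0, colours = 0;
    int size = 0;
    unsigned char *buffer = nullptr;

    Image(int w, int h, int c) { Resize(w, h, c); }
    ~Image() { delete[] buffer; }
    Image(const Image &) = delete;
    Image &operator=(const Image &) = delete;

    // Reallocates whenever the byte count changes, so `size` stays exact.
    void Resize(int w, int h, int c) {
        width = w; height = h; colours = c;
        int new_size = w * h * c;
        if (size != new_size) {
            delete[] buffer;
            size = new_size;
            buffer = new unsigned char[size];
        }
        std::memset(buffer, 0, size);
    }
};

// The three variants of Image::Assign(const Image&) discussed in the thread.
enum class Policy {
    Original,       // 1.22.2: grow-only realloc, copy `size` bytes
    CopyImageSize,  // kamand's patch: grow-only realloc, copy `image.size` bytes
    ExactSize       // cdtdaddy's patch: realloc on any change, copy `size` bytes
};

enum Result { OK = 0, OVER_READ = 1, OVER_WRITE = 2 };

// Models Assign() but checks the copy length against both buffers before
// touching memory, so an out-of-bounds memcpy is reported, not executed.
int Assign(Image &dst, const Image &src, Policy policy) {
    dst.width = src.width; dst.height = src.height; dst.colours = src.colours;
    int new_size = src.width * src.height * src.colours;
    bool reallocate = (policy == Policy::ExactSize) ? (dst.size != new_size)
                                                    : (dst.size < new_size);
    if (reallocate) {
        delete[] dst.buffer;
        dst.size = new_size;
        dst.buffer = new unsigned char[dst.size];
    }
    int copy_len = (policy == Policy::CopyImageSize) ? src.size : dst.size;
    if (copy_len > src.size) return OVER_READ;   // would read past image.buffer
    if (copy_len > dst.size) return OVER_WRITE;  // would write past buffer
    std::memcpy(dst.buffer, src.buffer, copy_len);
    return OK;
}

// kamand's case: a 640x480 RGB instance is assigned a 320x240 RGB image.
int ShrinkScenario(Policy policy) {
    Image dst(640, 480, 3), src(320, 240, 3);
    return Assign(dst, src, policy);
}

// Follow-on case: the *source* was itself shrunk earlier under a grow-only
// realloc, so its `size` still says 640x480 while its pixels are 320x240,
// and it is then assigned into a freshly allocated 320x240 destination.
int StaleSourceScenario(Policy policy) {
    Image big(640, 480, 3), smaller(320, 240, 3), dst(320, 240, 3);
    int r = Assign(big, smaller, policy);
    if (r != OK) return r;
    return Assign(dst, big, policy);
}

int main() {
    const char *names[] = {"OK", "OVER_READ", "OVER_WRITE"};
    Policy policies[] = {Policy::Original, Policy::CopyImageSize, Policy::ExactSize};
    const char *labels[] = {"original", "copy image.size", "size != new_size"};
    for (int i = 0; i < 3; ++i)
        std::printf("%-18s shrink: %-10s stale source: %s\n", labels[i],
                    names[ShrinkScenario(policies[i])],
                    names[StaleSourceScenario(policies[i])]);
    return 0;
}
```

Running it shows the original code over-reading in the shrink case, kamand's copy length passing the shrink case but over-writing once a stale-sized source is involved, and the exact-size reallocation passing both, which is why keeping `size` equal to the image's byte count is the more robust of the two fixes.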
zoneminder
Site Admin
Posts: 5215
Joined: Wed Jul 09, 2003 2:07 pm
Location: Bristol, UK

Post by zoneminder »

Thanks to you both for posting this. I have added it to my BugZilla and will address it for the next release.
Phil