Small bugfix for zm_image.h

Posted: Fri Dec 29, 2006 10:34 am
by kamand
Hello, Phil.
In the function inline void Assign( const Image &image )
it is possible to go beyond the source buffer's memory and get a segmentation fault.

diff -u zm_image.h_orig zm_image.h

--- zm_image.h_orig     2006-05-08 15:46:53.000000000 +0300
+++ zm_image.h  2006-12-29 11:21:15.000000000 +0200
@@ -220,7 +220,7 @@
                                memset( buffer, 0, size );
                        }
                }
-               memcpy( buffer, image.buffer, size );
+               memcpy( buffer, image.buffer, image.size );
        }

        inline void CopyBuffer( const Image &image )
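Review bot: the new length is taken from the source while the destination is still sized by `size`, so memcpy( buffer, image.buffer, image.size ) is only safe because the branch above it (visible here through its memset( buffer, 0, size ), and as the `if ( size < new_size )` test in the later patch on this page) reallocates whenever the buffer is too small; that invariant, size >= image.size, deserves an explicit assert right before the memcpy. The hunk also leaves `size` larger than the data actually copied when a smaller image is assigned, so any later code that treats `size` as the length of the pixel data will see stale bytes from the previous image; either reallocate to the exact size or add a comment stating that `size` is a capacity, not a length.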
And something like this patch needs to be done for the previous method:
inline void Assign( int p_width, int p_height, int p_colours, unsigned char *new_buffer )
This patch is for 1.22.2, but the code is unchanged in 1.22.3.

Happy New Year.
Regards.
Andrew.

Re: Small bugfix for zm_image.h

Posted: Sat Dec 30, 2006 1:09 am
by cdtdaddy
kamand wrote:
Hello, Phil.
In the function inline void Assign( const Image &image )
it is possible to go beyond the source buffer's memory and get a segmentation fault.

diff -u zm_image.h_orig zm_image.h

--- zm_image.h_orig     2006-05-08 15:46:53.000000000 +0300
+++ zm_image.h  2006-12-29 11:21:15.000000000 +0200
@@ -220,7 +220,7 @@
                                memset( buffer, 0, size );
                        }
                }
-               memcpy( buffer, image.buffer, size );
+               memcpy( buffer, image.buffer, image.size );
        }

        inline void CopyBuffer( const Image &image )
And something like this patch needs to be done for the previous method:
inline void Assign( int p_width, int p_height, int p_colours, unsigned char *new_buffer )
This patch is for 1.22.2, but the code is unchanged in 1.22.3.

Happy New Year.
Regards.
Andrew.
Hi,
thank you for finding this bug! I think I was hitting this bug very frequently!
For now, no more zmc crashes! :)

However, I think that the patch should be the following:

--- zm_image.h.orig     2006-12-30 02:00:11.000000000 +0100
+++ zm_image.h  2006-12-30 01:59:43.000000000 +0100
@@ -194,7 +194,7 @@
                        pixels = width*height;
                        colours = p_colours;
                        int new_size = width*height*colours;
-                       if ( size < new_size )
+                       if ( size != new_size )
                        {
                                size = new_size;
                                delete[] buffer;
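Review bot: with `!=` the buffer is freed and reallocated whenever the size changes, not only when it grows, so after this block `size` always equals width*height*colours and a memcpy bounded by `size` can no longer run past a smaller source. The trade-off is that the shrink path now pays a delete[]/new on every change of dimensions, which matters in a method that may be called per frame; a one-line comment explaining that `size` must match the pixel data exactly for the copy to be bounded would make the intent clear to the next reader.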
@@ -213,7 +213,7 @@
                        pixels = width*height;
                        colours = image.colours;
                        int new_size = width*height*colours;
-                       if ( size < new_size )
+                       if ( size != new_size )
                        {
                                size = new_size;
                                delete[] buffer;
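Review bot: this brings `Assign( const Image &image )` in line with the previous hunk, and once `size` is reset to width*height*colours taken from `image`, the existing memcpy( buffer, image.buffer, size ) copies exactly the source's data, provided `image.size` obeys the same invariant. Combining this with kamand's change (copying image.size bytes) is the safest option: if the two lengths ever disagree, an assert( size == image.size ) placed before the memcpy would surface the mismatch in testing rather than as a crash.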
So if you're assigning a smaller image to the current instance, the "size" and the "buffer" attributes will be updated and you'll read only "size" bytes in the following memcpy().

Thank you again and happy new year to you too.
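
The two size policies compared in this thread are easier to see side by side in a runnable form. The following is an added C++ example, not ZoneMinder's code: `ToyImage` is a hypothetical cut-down stand-in for the `Image` class that keeps only the fields the patches touch, and the 8x8x3 and 4x4x3 frame sizes are constructed for the example. `AssignGrowOnly` mirrors the pre-patch grow-only test and reports the length the original memcpy( buffer, image.buffer, size ) would have used, while clamping the actual copy so the example never performs the over-read it demonstrates; `AssignExact` mirrors the `size != new_size` test from the patch above.

```cpp
#include <algorithm>
#include <cstdio>
#include <cstring>

// ToyImage is a hypothetical stand-in for ZoneMinder's Image class
// (not zm_image.h itself): only the fields the two patches touch are kept.
struct ToyImage {
    int width, height, colours;
    int size;                // bytes currently allocated for buffer
    unsigned char *buffer;

    ToyImage(int w, int h, int c)
        : width(w), height(h), colours(c), size(w * h * c),
          buffer(new unsigned char[size]) {
        std::memset(buffer, 0x5a, size);   // constructed filler so copies are visible
    }
    ~ToyImage() { delete[] buffer; }
    ToyImage(const ToyImage &) = delete;
    ToyImage &operator=(const ToyImage &) = delete;

    // Pre-patch policy: reallocate only when the buffer must grow.
    // Returns the length the original memcpy( buffer, image.buffer, size )
    // would have passed; the copy performed here is clamped to image.size so
    // the example itself never reads past the source.
    int AssignGrowOnly(const ToyImage &image) {
        width = image.width; height = image.height; colours = image.colours;
        int new_size = width * height * colours;
        if (size < new_size) {
            size = new_size;
            delete[] buffer;
            buffer = new unsigned char[size];
            std::memset(buffer, 0, size);
        }
        int requested = size;                  // what the old code handed to memcpy
        std::memcpy(buffer, image.buffer, std::min(size, image.size));
        return requested;
    }

    // Patched policy: reallocate whenever the size differs, so size always
    // equals the pixel data length and memcpy(..., size) is bounded by both
    // the destination and the source.
    int AssignExact(const ToyImage &image) {
        width = image.width; height = image.height; colours = image.colours;
        int new_size = width * height * colours;
        if (size != new_size) {
            size = new_size;
            delete[] buffer;
            buffer = new unsigned char[size];
            std::memset(buffer, 0, size);
        }
        std::memcpy(buffer, image.buffer, size);
        return size;
    }
};

// Scenario from the thread: an instance that previously held a larger frame
// is assigned a smaller one. Dimensions are constructed for the example.
const int kSmallBytes = 4 * 4 * 3;    // 48
const int kLargeBytes = 8 * 8 * 3;    // 192

// Bytes the pre-patch memcpy would read from the 48-byte source.
int GrowOnlyCopyLength() {
    ToyImage dst(8, 8, 3), small(4, 4, 3);
    return dst.AssignGrowOnly(small);
}

// Bytes the patched memcpy reads from the same 48-byte source.
int ExactCopyLength() {
    ToyImage dst(8, 8, 3), small(4, 4, 3);
    return dst.AssignExact(small);
}

int main() {
    int old_len = GrowOnlyCopyLength(), new_len = ExactCopyLength();
    std::printf("source is %d bytes; old memcpy reads %d (%d past the end), "
                "patched memcpy reads %d\n",
                kSmallBytes, old_len, old_len - kSmallBytes, new_len);
    return 0;
}
```

Running it shows the grow-only policy asking memcpy for 192 bytes from a 48-byte source, which is exactly the over-read behind the zmc crashes, while the exact-size policy asks for 48. The clamp in `AssignGrowOnly` exists only so the demonstration is safe to run; the real pre-patch code had no such clamp.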

Posted: Sun Jan 14, 2007 5:19 pm
by zoneminder
Thanks to you both for posting this. I have added it to my BugZilla and will address it for the next release.