Bug 345713 – ximagesrc uses XFixesCursorImage incorrectly and will segfault

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 345713 - ximagesrc uses XFixesCursorImage incorrectly and will segfault


Summary:	ximagesrc uses XFixesCursorImage incorrectly and will segfault


Status:	RESOLVED FIXED

Product:	GStreamer
Classification:	Platform
Component:	gst-plugins-good
Version:	git master
Hardware:	Other Linux

Importance:	Normal major
Target Milestone:	0.10.4
Assigned To:	GStreamer Maintainers
QA Contact:	GStreamer Maintainers

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2006-06-23 03:23 UTC by Todd Goyen
Modified:	2006-07-24 19:36 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description Todd Goyen 2006-06-23 03:23:23 UTC

The lines below are wrong:

cx = ximagesrc->cursor_image->x - ximagesrc->cursor_image->xhot;
cy = ximagesrc->cursor_image->y - ximagesrc->cursor_image->yhot;

xhot and yhot give the active hotspot of the cursor and in no way relate to where the cursor image should be placed on the ximage. An easy crash for this situation can be given by capturing with the default mouse in the upper left corner. Its x, y is 0,0 and hot x,y is (1,1) which makes cx,cy (-1, -1) and will imediately segfault any application.

Comment 1 Zaheer Abbas Merali 2006-06-23 09:12:55 UTC

Thanks for the bug report, how do you think this should be done then, just by using the x and y?

Comment 2 Todd Goyen 2006-06-23 17:42:23 UTC

Also 10 years from now, let it be known that I used very similar code in a closed source program and don't want it coming back to haunt me..... This code here though is all yours, License/rewrite it as you wish, because without the megring code it really doesn't do anything.....


    /*  xi  = XImage x index
     *  yi  = XImage y index
     *  xci = XFixesCursorImage x index
     *  yci = XFixesCursorImage y index
     *  xd  = difference in x offsets from (0,0)
     *  yd  = difference in y offsets from (0,0)
     *  img_location = offset for capture background image to (0,0)
     *  img = XImage
     *  ximg = XFixesCursorImage
    */
    xd = cimg->x - img_location->x;
    yd = cimg->y - img_location->y;


    /* The function below is kind of complicated, just remember that we have two rectangles
     * which each have different offsets from 0 and we only merge them where they overlap
     * Oh yeah and one uses longs while the other uses chars
     */
    for (yi = yd, yci = 0; yci < cimg->height && yi < img->height; yi++, yci++) {
        if (yi < 0) { continue; } /* Only use valid indexes */

        for (xi = xd, xci = 0; xci < cimg->width && xi < img->width; xi++, xci++) {
            if (xi < 0 ) { continue; } /* Only use valid indexes */

            off = (yi * img->width + xi) * 4;
        
            /* Merge each pixel in here */
            /* Also note that the cimg has already been multiplied by the alpha channel by XFixes*/
        }
    }

Comment 3 Tim-Philipp Müller 2006-07-24 16:02:45 UTC

Zaheer, hasn't this been resolved through this commit:

  2006-06-29  Zaheer Abbas Merali  <zaheerabbas at merali dot org>

        * sys/ximage/gstximagesrc.c: (gst_ximage_src_ximage_get):
        Fix hypothetical crash.

Diff:
http://webcvs.freedesktop.org/gstreamer/gst-plugins-good/sys/ximage/gstximagesrc.c?r1=1.14&r2=1.15

?

Comment 4 Zaheer Abbas Merali 2006-07-24 19:36:59 UTC

correct, i have fixed it.