diff --git a/xscreensaver-5.30-1001-analogtv.c-fastrnd-wrap-signed-integer-correctly.patch b/xscreensaver-5.30-1001-analogtv.c-fastrnd-wrap-signed-integer-correctly.patch new file mode 100644 index 0000000..d8797d4 --- /dev/null +++ b/xscreensaver-5.30-1001-analogtv.c-fastrnd-wrap-signed-integer-correctly.patch 
@@ -0,0 +1,61 @@ +From b3df98430688d5a55e3555aafa2ae8d8a57976d6 Mon Sep 17 00:00:00 2001 +From: Mamoru TASAKA +Date: Mon, 15 Sep 2014 02:04:31 +0900 +Subject: [PATCH 1001/1005] analogtv.c/fastrnd: wrap signed integer correctly + +gcc49 sanitizer shows the errors like below: +../../hacks/analogtv.c:1201:22: runtime error: signed integer overflow: -1118478881 + -2147483647 cannot be represented in type 'int [262]' +../../hacks/analogtv.c:1205:24: runtime error: signed integer overflow: -1157379731 + -2147483647 cannot be represented in type 'int [262]' +../../hacks/analogtv.c:1246:32: runtime error: signed integer overflow: -1015960810 + -2147483647 cannot be represented in type 'int [262]' + +These all come from the calculation "((int)fastrnd-(int)0x7fffffff)". Wrap this +signed integer calculation correctly. +--- + hacks/analogtv.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/hacks/analogtv.c b/hacks/analogtv.c +index 7c2993e..009d7bc 100644 +--- a/hacks/analogtv.c ++++ b/hacks/analogtv.c +@@ -65,6 +65,7 @@ + # include + # include + #endif ++#include + + #include + #include +@@ -1195,14 +1196,17 @@ static void analogtv_init_signal(const analogtv *it, double noiselevel, unsigned + float *pe=it->rx_signal + end; + float *p=ps; + unsigned int fastrnd=rnd_seek(FASTRND_A, FASTRND_C, it->random0, start); ++ unsigned int fastrnd_offset; + float nm1,nm2; + float noisemul = sqrt(noiselevel*150)/(float)0x7fffffff; + +- nm1 = ((int)fastrnd-(int)0x7fffffff) * noisemul; ++ fastrnd_offset = fastrnd - 0x7fffffff; ++ nm1 = (fastrnd_offset <= INT_MAX ? (int)fastrnd_offset : -1 - (int)(UINT_MAX - fastrnd_offset)) * noisemul; + while (p != pe) { + nm2=nm1; + fastrnd = (fastrnd*FASTRND_A+FASTRND_C) & 0xffffffffu; +- nm1 = ((int)fastrnd-(int)0x7fffffff) * noisemul; ++ fastrnd_offset = fastrnd - 0x7fffffff; ++ nm1 = (fastrnd_offset <= INT_MAX ? 
(int)fastrnd_offset : -1 - (int)(UINT_MAX - fastrnd_offset)) * noisemul; + *p++ = nm1*nm2; + } + } +@@ -1243,7 +1247,8 @@ static void analogtv_add_signal(const analogtv *it, const analogtv_reception *re + */ + + float sig0=(float)s[0]; +- float noise = ((int)fastrnd-(int)0x7fffffff) * (50.0f/(float)0x7fffffff); ++ unsigned int fastrnd_offset = fastrnd - 0x7fffffff; ++ float noise = (fastrnd_offset <= INT_MAX ? (int)fastrnd_offset : -1 - (int)(UINT_MAX - fastrnd_offset)) * (50.0f/(float)0x7fffffff); + fastrnd = (fastrnd*FASTRND_A+FASTRND_C) & 0xffffffffu; + + p[0] += sig0 * level * (1.0f - noise_ampl) + noise * noise_ampl; +-- +2.1.0 + diff --git a/xscreensaver-5.30-1002-analogtv_setup_frame-clip-too-large-double-value-for.patch b/xscreensaver-5.30-1002-analogtv_setup_frame-clip-too-large-double-value-for.patch new file mode 100644 index 0000000..ec38397 --- /dev/null +++ b/xscreensaver-5.30-1002-analogtv_setup_frame-clip-too-large-double-value-for.patch 
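Review bot: The sign-wrapping expression `fastrnd_offset <= INT_MAX ? (int)fastrnd_offset : -1 - (int)(UINT_MAX - fastrnd_offset)` is pasted three times (twice in analogtv_init_signal, once in analogtv_add_signal), which is the kind of duplication that drifts on the next edit; a `static inline` helper would carry the reasoning once and let the call sites read as intent. The conversion itself is sound on both branches, since the `(int)` cast is only taken when the value fits and the subtraction `fastrnd - 0x7fffffff` is done in unsigned arithmetic where wrap is defined. The added `#include` has lost its header name in this rendering; it is presumably `<limits.h>`, which `INT_MAX`/`UINT_MAX` need. Both enclosing functions extend beyond the hunk.
```c
/* Reinterpret an unsigned value as a two's-complement int without relying on
   the implementation-defined out-of-range conversion (or the UB the old
   signed subtraction had). */
static int fastrnd_to_int(unsigned int u)
{
  return u <= INT_MAX ? (int)u : -1 - (int)(UINT_MAX - u);
}
/* … unchanged: analogtv_init_signal up to the noisemul line … */
nm1 = fastrnd_to_int(fastrnd - 0x7fffffffu) * noisemul;
/* … unchanged: loop body; the second nm1 line and the noise line in
   analogtv_add_signal call the same helper … */
```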
@@ -0,0 +1,62 @@ +From 2934cc1537e1b3da17340ca87b868ea1a7063eaf Mon Sep 17 00:00:00 2001 +From: Mamoru TASAKA +Date: Mon, 15 Sep 2014 02:21:59 +0900 +Subject: [PATCH 1002/1005] analogtv_setup_frame: clip too large double value + for hni + +gcc49 detected the following error: + +../../hacks/analogtv.c:957:11: runtime error: signed integer overflow: 2147463385 + 29231 cannot be represented in type 'int [262]' +../../hacks/analogtv.c:957:41: runtime error: signed integer overflow: -2147452808 + -32768 cannot be represented in type 'int [262]' + +Well, the part "[262]" in this message seems strange, however anyway +in analogtv_setup_frame(), when it->hashnoise_rpm is positive and too small, +the internal of the parenthesis for calculating hni +(i.e. ANALOGTV_V * ANALOGTV_H * 256.0 / (it->hashnoise_rpm * 16.0 / 60.0 / 60.0)) +can get very large number, and casting such large double value to int +produces undefined behavior (undefined behavior once). On my machine +it seems that this gets near INT_MIN. Then hni + (int)(random()%65536)-32768 +can again produces undefined behavior (by signed integer overflow). + +So let's clip too large double value for hni and avoid overflow. +--- + hacks/analogtv.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/hacks/analogtv.c b/hacks/analogtv.c +index 009d7bc..20acc0d 100644 +--- a/hacks/analogtv.c ++++ b/hacks/analogtv.c +@@ -942,11 +942,13 @@ analogtv_setup_frame(analogtv *it) + } + if (it->hashnoise_rpm > 0.0) { + int hni; ++ double hni_double; + int hnc=it->hashnoise_counter; /* in 24.8 format */ + + /* Convert rpm of a 16-pole motor into dots in 24.8 format */ +- hni = (int)(ANALOGTV_V * ANALOGTV_H * 256.0 / +- (it->hashnoise_rpm * 16.0 / 60.0 / 60.0)); ++ hni_double = ANALOGTV_V * ANALOGTV_H * 256.0 / ++ (it->hashnoise_rpm * 16.0 / 60.0 / 60.0); ++ hni = (hni_double <= INT_MAX) ? 
(int)hni_double : INT_MAX; + + while (hnc < (ANALOGTV_V * ANALOGTV_H)<<8) { + y=(hnc>>8)/ANALOGTV_H; +@@ -955,7 +957,12 @@ analogtv_setup_frame(analogtv *it) + if (x>0 && xhashnoise_times[y]=x; + } +- hnc += hni + (int)(random()%65536)-32768; ++ /* hnc += hni + (int)(random()%65536)-32768; */ ++ { ++ hnc += (int)(random()%65536)-32768; ++ if ((hnc >= 0) && (INT_MAX - hnc < hni)) break; ++ hnc += hni; ++ } + } + /* hnc -= (ANALOGTV_V * ANALOGTV_H)<<8;*/ + } +-- +2.1.0 + diff --git a/xscreensaver-5.30-1003-flame-recurse-use-fabs-for-double-value.patch b/xscreensaver-5.30-1003-flame-recurse-use-fabs-for-double-value.patch new file mode 100644 index 0000000..0f4ccef --- /dev/null +++ b/xscreensaver-5.30-1003-flame-recurse-use-fabs-for-double-value.patch 
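Review bot: The old statement is kept as a commented-out line `/* hnc += hni + (int)(random()%65536)-32768; */` above the new block; commented-out code should be removed and the non-obvious `break` explained instead, e.g. `/* hni may be clipped to INT_MAX; stop rather than overflow hnc */`. The overflow guard itself is sound: `hnc` is bounded above by the loop condition, the ±32768 jitter cannot overflow from there, and a negative `hnc` cannot overflow on `hnc += hni` because `hni <= INT_MAX`. The extra `{ }` block around the three statements serves no scoping purpose and can be dropped. analogtv_setup_frame continues outside the hunk on both sides.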
@@ -0,0 +1,36 @@ +From a98c2be00eda408c3d360901d11d5bd380370245 Mon Sep 17 00:00:00 2001 +From: Mamoru TASAKA +Date: Sun, 7 Sep 2014 02:09:19 +0900 +Subject: [PATCH 1003/1005] flame/recurse: use fabs for double value + +gcc49 sanitizer shows the following error: + +../../hacks/flame.c:207:29: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself +../../hacks/flame.c:207:9: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself + +When double value gets too large, casting the value to int produces undefined +behavior. My system seems to produce INT_MIN value, and the absolute value of +INT_MIN cannot be represented as int value. Note that the prototype of abs is +"int abs(int)" and here x and y are defined as "double", so first casting x or +y to int is executed. +Just use fabs to fix this error. +--- + hacks/flame.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hacks/flame.c b/hacks/flame.c +index a641367..9f13c87 100644 +--- a/hacks/flame.c ++++ b/hacks/flame.c +@@ -204,7 +204,7 @@ recurse (struct state *st, double x, double y, int l, Display *dpy, Window win) + "I think this happens on HPUX. I think it's non-IEEE + to generate an exception instead of a silent NaN." + */ +- if ((abs(x) > 1.0E5) || (abs(y) > 1.0E5)) ++ if ((fabs(x) > 1.0E5) || (fabs(y) > 1.0E5)) + x = x / y; + + nx = st->f[0][0][i] * x + st->f[0][1][i] * y + st->f[0][2][i]; +-- +2.1.0 + diff --git a/xscreensaver-5.30-1004-rd-bomb-pixack_frame-avoid-integer-overflow.patch b/xscreensaver-5.30-1004-rd-bomb-pixack_frame-avoid-integer-overflow.patch new file mode 100644 index 0000000..cc6af66 --- /dev/null +++ b/xscreensaver-5.30-1004-rd-bomb-pixack_frame-avoid-integer-overflow.patch 
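Review bot: `fabs` needs its prototype from `<math.h>`, and the hunk does not add one, so the fix relies on flame.c already including it (likely, given the floating-point work in recurse, but not visible here). Without the prototype the call is implicitly declared as returning `int`, which would silently reintroduce the truncation this change removes and is a hard error under C99 and later compilers. If the include is missing, add `#include <math.h>` next to the file's existing system includes. recurse continues outside the hunk.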
@@ -0,0 +1,37 @@ +From 9dfe014aa1cc253d22c7795d77a83144980f3d96 Mon Sep 17 00:00:00 2001 +From: Mamoru TASAKA +Date: Sun, 7 Sep 2014 15:45:48 +0900 +Subject: [PATCH 1004/1005] rd-bomb/pixack_frame: avoid integer overflow + +gcc49 sanitizer detects the following error (every time rd-bomb is launched): + +../../hacks/rd-bomb.c:239:19: runtime error: signed integer overflow: 65500 * 49113 cannot be represented in type 'int + +Looking at pixack_frame(), at the line 239, as far as I am not wrong +r1 is between 0 and 65500, and r2 is between 0 and 65535. +So r1 * r2 might be (1LL<<32) or smaller, so r1 * r2 can get sign integer +overflow (by one bit). Aviod this overflow by right-shift of r1 by one bit, +then reduce the amount of right shift at the last (bps) by 1. +Note that bps is 16, as defined at the line 78. +--- + hacks/rd-bomb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/hacks/rd-bomb.c b/hacks/rd-bomb.c +index 878f5b9..08ec7a7 100644 +--- a/hacks/rd-bomb.c ++++ b/hacks/rd-bomb.c +@@ -236,7 +236,9 @@ pixack_frame(struct state *st, char *pix_buf) + /* John E. Pearson "Complex Patterns in a Simple System" + Science, July 1993 */ + +- uvv = (((r1 * r2) >> bps) * r2) >> bps; ++ /* uvv = (((r1 * r2) >> bps) * r2) >> bps; */ ++ /* avoid signed integer overflow */ ++ uvv = ((((r1 >> 1)* r2) >> bps) * r2) >> (bps - 1); + switch (st->reaction) { /* costs 4% */ + case 0: + r1 += 4 * (((28 * (mx-r1)) >> 10) - uvv); +-- +2.1.0 + diff --git a/xscreensaver-5.30-1005-abstractile-_pattern-make-gridx-y-signed.patch b/xscreensaver-5.30-1005-abstractile-_pattern-make-gridx-y-signed.patch new file mode 100644 index 0000000..b1dd4d8 --- /dev/null +++ b/xscreensaver-5.30-1005-abstractile-_pattern-make-gridx-y-signed.patch 
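Review bot: The new expression `uvv = ((((r1 >> 1)* r2) >> bps) * r2) >> (bps - 1);` is overflow-free only under the bounds given in the commit message (r1 in [0, 65500], r2 in [0, 65535], bps == 16), and nothing in the code records that; a comment such as `/* r1 <= 65500, r2 <= 65535, bps == 16: halving r1 keeps both products below INT_MAX */` should replace the commented-out old line rather than sit beside it. Those bounds matter twice: a negative `r1` would make `r1 >> 1` implementation-defined, and the second product `(... >> bps) * r2` only fits because the first one was halved. If the bit of precision dropped from `r1` ever matters, `uvv = (int)(((((long long)r1 * r2) >> bps) * r2) >> bps);` reproduces the original arithmetic exactly, at the cost of a 64-bit multiply in this per-pixel loop on 32-bit targets. pixack_frame continues outside the hunk.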
@@ -0,0 +1,47 @@ +From 6d7af41b8044d00cb33bfc593a46bcf31a7820b9 Mon Sep 17 00:00:00 2001 +From: Mamoru TASAKA +Date: Mon, 15 Sep 2014 02:37:31 +0900 +Subject: [PATCH 1005/1005] abstractile/_pattern: make gridx,y signed + +gcc49 sanitizer detects undefined behavior like below: + +../../hacks/abstractile.c:922:41: runtime error: signed integer overflow: 2147483610 + 58 cannot be represented in type 'int [4]' +../../hacks/abstractile.c:922:41: runtime error: signed integer overflow: 585 + 2147483512 cannot be represented in type 'int [4]' + +These ones were very difficult. Detail gdb analysis showed that in +_pattern(), at the line 900 the value "v" got very large value, +because where v is defined as "(signed) int", st->gridx (or st->gridy) is +defined as "unsigned int", so when the calculation of v gets negative, +instead it gets very large number. + +Make st->gridx, st->gridy "signed" integer, and add sanity check +for these values. +--- + hacks/abstractile.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/hacks/abstractile.c b/hacks/abstractile.c +index 4e80d7b..f1abbb6 100644 +--- a/hacks/abstractile.c ++++ b/hacks/abstractile.c +@@ -90,7 +90,8 @@ struct state { + /* draw, erase, fill, init, line, object, z indexes */ + unsigned int di, ei, fi, ii, bi, li, eli, oi, zi; + /* size variables */ +- unsigned int gridx, gridy, gridn; /* grid size */ ++ int gridx, gridy; /* grid size */ ++ unsigned int gridn; + int lwid, bwid, swid;/* line width, background width, shadow width */ + int narray, max_wxh; + int elwid, elpu, egridx, egridy; /* for now */ +@@ -205,6 +206,7 @@ _init_zlist(struct state *st) + + st->gridx=st->xgwa.width/st->lwid; + st->gridy=st->xgwa.height/st->lwid; ++ if ((st->gridx <= 0) || (st->gridy <= 0)) abort(); + st->gridn=st->gridx*st->gridy; + /* clear grid */ + for (z=0; zgridn; z++) { +-- +2.1.0 + 
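Review bot: The new sanity check `if ((st->gridx <= 0) || (st->gridy <= 0)) abort();` turns a window narrower or shorter than `lwid` into a crash of the hack, where clamping would keep it drawing, e.g. `if (st->gridx < 1) st->gridx = 1;` and the same for `gridy` (whether a one-cell grid renders sensibly is not visible here; if it does not, a comment on the line should say why aborting is preferred). The division `st->xgwa.width/st->lwid` just above the check is not covered by it, so if `lwid` can be zero (not shown in the hunk) it needs its own guard. With `gridx`/`gridy` now signed and `gridn` still unsigned, `st->gridn=st->gridx*st->gridy` multiplies in `int` before converting, and any remaining comparisons of `gridx`/`gridy` against the unsigned index fields declared in the same struct may now warn under `-Wsign-compare`; worth one build with that warning enabled. _init_zlist continues outside the hunk.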
diff --git a/xscreensaver-5.30-1007-whirlwindwarp_draw-avoid-signed-integer-overflow-for.patch b/xscreensaver-5.30-1007-whirlwindwarp_draw-avoid-signed-integer-overflow-for.patch new file mode 100644 index 0000000..7760ce4 --- /dev/null +++ b/xscreensaver-5.30-1007-whirlwindwarp_draw-avoid-signed-integer-overflow-for.patch 
@@ -0,0 +1,39 @@ +From e843f7f66565bdf610320e4dd97d8485e46361f6 Mon Sep 17 00:00:00 2001 +From: Mamoru TASAKA +Date: Mon, 8 Sep 2014 11:40:29 +0900 +Subject: [PATCH 1007/1009] whirlwindwarp_draw: avoid signed integer overflow + for gettimeofday diff + +gcc49 sanitizer detects the following error: +../../hacks/whirlwindwarp.c:450:30: runtime error: signed integer overflow: 1410142830 * 1000000 cannot be represented in type 'long int' +../../hacks/whirlwindwarp.c:450:75: runtime error: signed integer overflow: 1410142830 * -1000000 cannot be represented in type 'long int' +../../hacks/whirlwindwarp.c:450:39: runtime error: signed integer overflow: 2146508096 + 976176 cannot be represented in type 'long int' +../../hacks/whirlwindwarp.c:450:53: runtime error: signed integer overflow: -2147483024 + -2146508096 cannot be represented in type 'long int' + +, on 32 bit (on 64 bit, this error does not happen). now.tv_sec is defined as time_t, on glibc +this is (signed) long int, and the size of long int is different between 32 bit +and 64 bit architecture. + +While now.tv_sec can be near 1<<31, now.tv_sec - st->lastframe.tv_sec should be usually small. +Avoid signed integer overflow by calculating now.tv_sec - st->lastframe.tv_sec first. 
+--- + hacks/whirlwindwarp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hacks/whirlwindwarp.c b/hacks/whirlwindwarp.c +index 843a1cf..e643b28 100644 +--- a/hacks/whirlwindwarp.c ++++ b/hacks/whirlwindwarp.c +@@ -447,7 +447,8 @@ whirlwindwarp_draw (Display *dpy, Window window, void *closure) + struct timeval now; + long timediff; + gettimeofday(&now, NULL); +- timediff = now.tv_sec*1000000 + now.tv_usec - st->lastframe.tv_sec*1000000 - st->lastframe.tv_usec; ++ /* timediff = now.tv_sec*1000000 + now.tv_usec - st->lastframe.tv_sec*1000000 - st->lastframe.tv_usec; */ ++ timediff = (now.tv_sec - st->lastframe.tv_sec) * 1000000 + now.tv_usec - st->lastframe.tv_usec; + if (timediff < utimeperframe) { + /* fprintf(stderr,"sleeping for %i\n",utimeperframe-timediff); */ + this_delay = (utimeperframe-timediff); +-- +1.9.3 + diff --git a/xscreensaver-5.30-1008-spotlight-currentTimeInMs-correctly-wrap-around-sign.patch b/xscreensaver-5.30-1008-spotlight-currentTimeInMs-correctly-wrap-around-sign.patch new file mode 100644 index 0000000..435232b --- /dev/null +++ b/xscreensaver-5.30-1008-spotlight-currentTimeInMs-correctly-wrap-around-sign.patch 
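Review bot: Reordering the subtraction only narrows the overflow: `(now.tv_sec - st->lastframe.tv_sec) * 1000000` still overflows a 32-bit `long` once the two frames are more than about 2147 seconds apart, which happens on the first frame if `lastframe` is still zero-initialised (its initialisation is not in the hunk) and after a suspend/resume. Since the value is only compared against `utimeperframe`, clamp the second difference before scaling, e.g. `long secdiff = now.tv_sec - st->lastframe.tv_sec;` followed by `timediff = (secdiff > 1000 || secdiff < -1000) ? utimeperframe : secdiff * 1000000 + now.tv_usec - st->lastframe.tv_usec;`. The old line kept as `/* timediff = ... */` is commented-out code and should give way to a one-line why-comment. whirlwindwarp_draw continues outside the hunk.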
@@ -0,0 +1,74 @@ +From e40bd7d54dccd0a96d7fdc20d4df77eef85e37d7 Mon Sep 17 00:00:00 2001 +From: Mamoru TASAKA +Date: Tue, 16 Sep 2014 12:21:08 +0900 +Subject: [PATCH 1008/1009] spotlight/currentTimeInMs: correctly wrap around + signed + +gcc49 sanitizer detects the following error: + +../../hacks/spotlight.c:82:24: runtime error: signed integer overflow: 1410836017 * 1000 cannot be represented in type 'long int' +../../hacks/spotlight.c:224:7: runtime error: signed integer overflow: 2086744590 + 1523019844 cannot be represented in type 'long int' + +, on 32 bit (but not on 64 bit). This is very alike whirlwindwarp case, +both uses gettimeofday() result. But unlike whirlwindwarp case, here we +cannot substract nearly same number beforehand for currentTimeInMs(), +so just forcely wrap around correctly. +Note that the result is long int, so here we need not use 1000.0. + +Also, the return value of currentTimeInMs() is used in onestep(), +and here another signed integer overflow happens. Wrap int value +also here. +--- + hacks/spotlight.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/hacks/spotlight.c b/hacks/spotlight.c +index a47e55c..3f51953 100644 +--- a/hacks/spotlight.c ++++ b/hacks/spotlight.c +@@ -22,6 +22,7 @@ + + /* #define DEBUG */ + #include ++#include + #include "screenhack.h" + + #define MINX 0.0 +@@ -73,13 +74,15 @@ static long + currentTimeInMs(struct state *st) + { + struct timeval curTime; ++ unsigned long ret_unsigned; + #ifdef GETTIMEOFDAY_TWO_ARGS + struct timezone tz = {0,0}; + gettimeofday(&curTime, &tz); + #else + gettimeofday(&curTime); + #endif +- return curTime.tv_sec*1000 + curTime.tv_usec/1000.0; ++ ret_unsigned = curTime.tv_sec *1000U + curTime.tv_usec / 1000; ++ return (ret_unsigned <= LONG_MAX) ? 
ret_unsigned : -1 - (long)(ULONG_MAX - ret_unsigned); + } + + +@@ -197,6 +200,7 @@ static void + onestep (struct state *st, Bool first_p) + { + long now; ++ unsigned long now_unsigned; + + if (st->img_loader) /* still loading */ + { +@@ -221,7 +225,8 @@ onestep (struct state *st, Bool first_p) + + st->s = st->radius *4 ; /* s = width of buffer */ + +- now = currentTimeInMs(st) + st->off; ++ now_unsigned = (unsigned long) currentTimeInMs(st) + st->off; ++ now = (now_unsigned <= LONG_MAX) ? now_unsigned : -1 - (long)(ULONG_MAX - now_unsigned); + + /* find new x,y */ + st->x = ((1 + sin(((double)now) / X_PERIOD * 2. * M_PI))/2.0) +-- +1.9.3 + diff --git a/xscreensaver-5.30-1009-zoom-currentTimeInMs-correctly-wrap-around-signed-in.patch b/xscreensaver-5.30-1009-zoom-currentTimeInMs-correctly-wrap-around-signed-in.patch new file mode 100644 index 0000000..a88bdc6 --- /dev/null +++ b/xscreensaver-5.30-1009-zoom-currentTimeInMs-correctly-wrap-around-signed-in.patch 
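Review bot: The conditional `(ret_unsigned <= LONG_MAX) ? ret_unsigned : -1 - (long)(ULONG_MAX - ret_unsigned)` has type `unsigned long`, because its second operand is unsigned and the usual arithmetic conversions apply to both branches; the negative branch is therefore converted back to unsigned and then, at the `return`, to `long` — the implementation-defined out-of-range conversion the rewrite sets out to avoid (it yields the intended value on two's-complement targets, but the sanitizer silence is accidental). Casting the first branch fixes it: `return (ret_unsigned <= LONG_MAX) ? (long)ret_unsigned : -1 - (long)(ULONG_MAX - ret_unsigned);`. The same shape recurs in the `now = (now_unsigned <= LONG_MAX) ? now_unsigned : ...` line in onestep() and in both counterparts in the zoom.c patch that follows (currentTimeInMs and zoom_draw). Note also that on 32-bit targets the millisecond counter now wraps every 2^32 ms, so the `sin(((double)now) / X_PERIOD ...)` position jumps once per ~49.7 days — acceptable for a screensaver, but worth a comment on currentTimeInMs. Both currentTimeInMs and onestep extend beyond the hunk.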
@@ -0,0 +1,68 @@ +From b832d2a7c1a8b283c786eeb08e499586b273fcf0 Mon Sep 17 00:00:00 2001 +From: Mamoru TASAKA +Date: Tue, 16 Sep 2014 12:25:34 +0900 +Subject: [PATCH 1009/1009] zoom/currentTimeInMs: correctly wrap around signed + integer + +gcc49 sanitizer detects the following error: + +../../hacks/zoom.c:65:24: runtime error: signed integer overflow: 1410836128 * 1000 cannot be represented in type 'long int' +../../hacks/zoom.c:182:7: runtime error: signed integer overflow: 1883607393 + 2086855482 cannot be represented in type 'int' + +, on 32 bit (but not on 64 bit). This is almost the same as +spotlight case (for signed integer overflow by currentTimeInMs). +Fix these in the same way as spotlight. +--- + hacks/zoom.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/hacks/zoom.c b/hacks/zoom.c +index e2c4203..18dd1d6 100644 +--- a/hacks/zoom.c ++++ b/hacks/zoom.c +@@ -11,6 +11,7 @@ + */ + + #include ++#include + #include "screenhack.h" + + #ifndef MIN +@@ -56,13 +57,15 @@ struct state { + static long currentTimeInMs(struct state *st) + { + struct timeval curTime; ++ unsigned long ret_unsigned; + #ifdef GETTIMEOFDAY_TWO_ARGS + struct timezone tz = {0,0}; + gettimeofday(&curTime, &tz); + #else + gettimeofday(&curTime); + #endif +- return curTime.tv_sec*1000 + curTime.tv_usec/1000.0; ++ ret_unsigned = curTime.tv_sec *1000U + curTime.tv_usec / 1000; ++ return (ret_unsigned <= LONG_MAX) ? 
ret_unsigned : -1 - (long)(ULONG_MAX - ret_unsigned); + } + + static void * +@@ -153,6 +156,7 @@ zoom_draw (Display *dpy, Window window, void *closure) + unsigned x, y, i, j; + + long now; ++ unsigned long now_unsigned; + + if (st->img_loader) /* still loading */ + { +@@ -179,7 +183,8 @@ zoom_draw (Display *dpy, Window window, void *closure) + #define nrnd(x) (random() % (x)) + + now = currentTimeInMs(st); +- now += st->sinusoid_offset; /* don't run multiple screens in lock-step */ ++ now_unsigned = (unsigned long) now + st->sinusoid_offset; /* don't run multiple screens in lock-step */ ++ now = (now_unsigned <= LONG_MAX) ? now_unsigned : -1 - (long)(ULONG_MAX - now_unsigned); + + /* find new x,y */ + st->tlx = ((1. + sin(((double)now) / X_PERIOD * 2. * M_PI))/2.0) +-- +1.9.3 + diff --git a/xscreensaver-5.30-1010-tessellimage-tessellate-return-immediately-when-nthr.patch b/xscreensaver-5.30-1010-tessellimage-tessellate-return-immediately-when-nthr.patch new file mode 100644 index 0000000..fcd0c60 --- /dev/null +++ b/xscreensaver-5.30-1010-tessellimage-tessellate-return-immediately-when-nthr.patch 
@@ -0,0 +1,103 @@ +From 17f130d0d91b9c25fc602d42fd2f5f004d87aced Mon Sep 17 00:00:00 2001 +From: Mamoru TASAKA +Date: Fri, 19 Sep 2014 02:27:16 +0900 +Subject: [PATCH] tessellimage/tessellate: return immediately when nthreshes is + zero + +tessellimage raised SIGABRT (not SIGSEGV) like below (the line number +may differ slightly): + +$ gdb ./hacks/tessellimage core.29445 +GNU gdb (GDB) Fedora 7.8-20.fc21 +Copyright (C) 2014 Free Software Foundation, Inc. +... +... +Core was generated by `./hacks/tessellimage -geom 1200x800'. +Program terminated with signal SIGABRT, Aborted. +#0 0x000000380fa35907 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55 +55 return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig); +Missing separate debuginfos, use: debuginfo-install libICE-1.0.9-2.fc21.x86_64 libSM-1.2.2-2.fc21.x86_64 libXau-1.0.8-4.fc21.x86_64 libXext-1.3.3-2.fc21.x86_64 libXmu-1.1.2-2.fc21.x86_64 libXt-1.1.4-10.fc21.x86_64 libuuid-2.25.1-0.1.fc21.x86_64 libxcb-1.10-3.fc21.x86_64 +(gdb) bt +#0 0x000000380fa35907 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55 +#1 0x000000380fa3756a in __GI_abort () at abort.c:89 +#2 0x0000000000404d90 in tessellate (st=st@entry=0x1876f60) at ../../hacks/tessellimage.c:649 +#3 0x0000000000405655 in tessellimage_draw (dpy=0x1867230, window=, closure=0x1876f60) at ../../hacks/tessellimage.c:850 +#4 0x0000000000402c60 in run_screenhack_table (ft=0x60c400 , window2=, window=88080385, dpy=0x1867230) at ../../hacks/screenhack.c:553 +#5 main (argc=1, argv=) at ../../hacks/screenhack.c:925 +(gdb) up 2 +#2 0x0000000000404d90 in tessellate (st=st@entry=0x1876f60) at ../../hacks/tessellimage.c:649 +649 if (nv != vsize) abort(); +(gdb) li +644 p[nv].z = px; +645 nv++; +646 } +647 } +648 +649 if (nv != vsize) abort(); +650 +651 qsort (p, nv, sizeof(*p), delaunay_xyzcompare); +652 if (delaunay (nv, p, v, &ntri)) +653 { +(gdb) p nv +$1 = 8 +(gdb) p vsize +$2 = 109 +(gdb) p *st +$3 = {dpy = 0x1867230, window = 
88080385, xgwa = {x = 2, y = 25, width = 1200, height = 800, border_width = 0, depth = 24, visual = 0x1871730, root = 129, class = 1, bit_gravity = 1, win_gravity = 1, backing_store = 0, + backing_planes = 4294967295, backing_pixel = 0, save_under = 0, colormap = 34, map_installed = 1, map_state = 0, all_event_masks = 13238287, your_event_mask = 4325391, do_not_propagate_mask = 8204, override_redirect = 0, + screen = 0x1861d70}, wgc = 0x185d4a0, pgc = 0x185d550, delay = 30000, outline_p = 1, cache_p = 1, fill_p = 1, duration = 120, duration2 = 0.40000000000000002, max_depth = 30000, start_time = 1410872325.368192, + start_time2 = 1410872325.368192, img = 0x1c218b0, delta = 0x185d320, image = 88081364, output = 0, deltap = 0, nthreshes = 0, threshes = {21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 4, 3, 2, 6, 5, 4, + 0 }, vsizes = {101, 275, 432, 534, 647, 810, 1195, 1757, 2458, 3179, 4095, 5183, 6682, 8693, 11127, 14511, 18945, 25020, 6509, 12393, 29906, 7446, 11751, 22464, 0 }, thresh = 0, + dthresh = 1, cache = {0 }, img_loader = 0x0, geom = {x = 0, y = 0, width = 1200, height = 800}, button_down_p = 0} +(gdb) p st->thresh +$4 = 0 +(gdb) p st->nthreshes +$5 = 0 +(gdb) quit + +So when in analyze() st->nthreshes got zero, no numbers are registered in +st->threshes or st->vsizes. With this state, in tessellate() any strange +result can happen, as st->thresh, threshold = st->threshes[st->thresh], +vsize = st->vsizes[st->thresh] all point to meaningless values. 
+ +So to aviod this abort(), make tessellate() return immediately +after creating gc when analyze() result is bad and so st->nthreshes is zero, +then in tessellimage_draw() just show the original image using st->image, +not st->output which tessellate() would normally create (creating gc in +tessellimage() is needed for showing original image in tessellimage_draw()) +--- + hacks/tessellimage.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/hacks/tessellimage.c b/hacks/tessellimage.c +index b930622..d018f0c 100644 +--- a/hacks/tessellimage.c ++++ b/hacks/tessellimage.c +@@ -543,6 +543,9 @@ tessellate (struct state *st) + st->pgc = XCreateGC(st->dpy, st->image, GCFunction, &gcv); + } + ++ if (! st->nthreshes) return; ++ ++ + /* If duration2 has expired, switch to the next threshold. */ + + if (! st->button_down_p) +@@ -856,6 +859,14 @@ tessellimage_draw (Display *dpy, Window window, void *closure) + 0, 0, st->delta->width, st->delta->height, + (st->xgwa.width - st->delta->width) / 2, + (st->xgwa.height - st->delta->height) / 2); ++ else if (!st->nthreshes) ++ XCopyArea (st->dpy, ++ st->image, ++ st->window, st->wgc, ++ 0, 0, st->xgwa.width, st->xgwa.height, ++ 0, ++ 0); ++ + + DONE: + return st->delay; +-- +2.1.0 + diff --git a/xscreensaver.spec b/xscreensaver.spec index 334f9c3..29d186c 100644 --- a/xscreensaver.spec +++ b/xscreensaver.spec @@ -10,12 +10,13 @@ %define split_getimage 1 %endif -%define fedora_rel 3 +%define fedora_rel 4 %global use_clang_as_cc 0 %global use_clang_analyze 0 %global use_cppcheck 0 %global use_gcc_strict_sanitize 0 +%global use_gcc_trap_on_sanitize 0 %undefine extrarel %if 0%{?fedora} 
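Review bot: The new `else if (!st->nthreshes)` branch in tessellimage_draw copies `st->image` over the full `st->xgwa.width` x `st->xgwa.height` window, while the branch just above it copies `st->delta` using the pixmap's own `st->delta->width`/`height` and centres it; unless `st->image` is known to be window-sized (its creation is not in the hunk), the copy should use the image's dimensions and the same centring. The early `if (! st->nthreshes) return;` in tessellate silently disables the animation for the whole run with no comment saying why a zero-threshold analyze() result is tolerated; `/* analyze() produced no usable thresholds: keep showing the source image */` would record the intent, and the two blank lines after it can go. The commit message treats this as a fix for the abort(), but the root cause — why analyze() registers no thresholds for a 1200x800 image — is left open and deserves a follow-up. tessellate and tessellimage_draw both extend beyond the hunk.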
@@ -76,8 +77,20 @@ Patch52: xscreensaver-5.12-tests-miscfix.patch # # Patch with git format-patch format # gcc49 sanitizer fix +Patch1001: xscreensaver-5.30-1001-analogtv.c-fastrnd-wrap-signed-integer-correctly.patch +Patch1002: xscreensaver-5.30-1002-analogtv_setup_frame-clip-too-large-double-value-for.patch +Patch1003: xscreensaver-5.30-1003-flame-recurse-use-fabs-for-double-value.patch +Patch1004: xscreensaver-5.30-1004-rd-bomb-pixack_frame-avoid-integer-overflow.patch +Patch1005: xscreensaver-5.30-1005-abstractile-_pattern-make-gridx-y-signed.patch # gcc49 sanitizer fix for xscreensaver-demo wrt memmove usage on de_stringify Patch1006: xscreensaver-5.30-1006-demo-Gtk-conf-de_stringify-fix-memmove-usage.patch +# gcc49 sanitizer fix +Patch1007: xscreensaver-5.30-1007-whirlwindwarp_draw-avoid-signed-integer-overflow-for.patch +Patch1008: xscreensaver-5.30-1008-spotlight-currentTimeInMs-correctly-wrap-around-sign.patch +Patch1009: xscreensaver-5.30-1009-zoom-currentTimeInMs-correctly-wrap-around-signed-in.patch +# tessellimage/tessellate: return immediately when nthreshes is zero +Patch1010: xscreensaver-5.30-1010-tessellimage-tessellate-return-immediately-when-nthr.patch + # Patches end Requires: xscreensaver-base = %{epoch}:%{version}-%{release} Requires: xscreensaver-extras = %{epoch}:%{version}-%{release} @@ -326,7 +339,16 @@ rm -f driver/XScreenSaver_ad.h %patch52 -p1 %__git commit -m "%PATCH52_desc" -a +%__cat %PATCH1001 | %__git am +%__cat %PATCH1002 | %__git am +%__cat %PATCH1003 | %__git am +%__cat %PATCH1004 | %__git am +%__cat %PATCH1005 | %__git am %__cat %PATCH1006 | %__git am +%__cat %PATCH1007 | %__git am +%__cat %PATCH1008 | %__git am +%__cat %PATCH1009 | %__git am +%__cat %PATCH1010 | %__git am change_option(){ set +x 
@@ -512,6 +534,9 @@ export CFLAGS="$(echo $CFLAGS | sed -e 's|-fstack-protector-strong|-fstack-prote %if 0%{?use_gcc_strict_sanitize} export CC="gcc -fsanitize=address -fsanitize=undefined" +%if 0%{?use_gcc_trap_on_sanitize} +export CC="$CC -fsanitize-undefined-trap-on-error" +%endif %endif CONFIG_OPTS="--prefix=%{_prefix} --with-pam --without-shadow --without-kerberos" @@ -967,6 +992,10 @@ exit 0 %endif %changelog +* Tue Sep 23 2014 Mamoru TASAKA - 1:5.30-4 +- tessellimage/tessellate: return immediately when nthreshes is zero +- Bunch of signed integer overflow fixes + * Mon Sep 15 2014 Mamoru TASAKA - 1:5.30-3 - gcc49 sanitizer fix for xscreensaver-demo wrt memmove usage on de_stringify