fix a fence post error validating a combing mode number

author Tony Cook <tony@develop-help.com>

Tue, 1 Jan 2019 01:11:43 +0000 (12:11 +1100)

committer Tony Cook <tony@develop-help.com>

Tue, 1 Jan 2019 01:11:43 +0000 (12:11 +1100)
author Tony Cook <tony@develop-help.com>
Tue, 1 Jan 2019 01:11:43 +0000 (12:11 +1100)
committer Tony Cook <tony@develop-help.com>
Tue, 1 Jan 2019 01:11:43 +0000 (12:11 +1100)
diff --git a/Changes b/Changes

index 5cf5aedd6c84011ce16a731768dc1adfcc9b9704..d073d7fd4791cd41936c66683483dce6d7db30b2 100644 (file)
--- a/Changes
+++ b/Changes
@@ -44,6 +44,11 @@ Coverity finally finished a build, fix a few problems:
     implementation of the is_bilevel() method could leave the fetched
     colors uninitialized.  Added a return value check.
  
+ - a numeric combining mode of 13 (eg. as a parameter to
+   Imager::Fill->new())could cause an invalid array read in
+   i_get_combine() due to a fencepost error in validating the combine
+   number.
+
  Imager 1.008 - 31 Dec 2018
  ============
  
diff --git a/render.im b/render.im

index 947dcb211ac7688160522fea57f02434fd91d9d8..46211d0816c35815070b816e4e7adb029a35a3d4 100644 (file)
--- a/render.im
+++ b/render.im
@@ -748,7 +748,7 @@ static const IM_FILL_COMBINE_F IM_SUFFIX(combines)[] =
  
  void i_get_combine(int combine, i_fill_combine_f *color_func, 
                     i_fill_combinef_f *fcolor_func) {
-  if (combine < 0 || combine > sizeof(combines_8) / sizeof(*combines_8))
+  if (combine < 0 || combine >= sizeof(combines_8) / sizeof(*combines_8))
      combine = 0;
  
    *color_func = combines_8[combine];
author	Tony Cook <tony@develop-help.com>
	Tue, 1 Jan 2019 01:11:43 +0000 (12:11 +1100)
committer	Tony Cook <tony@develop-help.com>
	Tue, 1 Jan 2019 01:11:43 +0000 (12:11 +1100)
Changes		patch \| blob \| blame \| history
render.im		patch \| blob \| blame \| history