Re: [Tuxpaint-devel] tuxpaint crash: read past a 141056-byte malloc
From: Bill K. <nb...@so...> - 2007-12-04 17:14:03

On Fri, Nov 30, 2007 at 12:13:59AM -0500, Albert Cahalan wrote:
> ==1937== Thread 1:
> ==1937== Conditional jump or move depends on uninitialised value(s)
> ==1937==    at 0x406B17B: (within /usr/lib/libSDL-1.2.so.0.11.1)
> ==1937==    by 0x406BB09: (within /usr/lib/libSDL-1.2.so.0.11.1)
> ==1937==    by 0x4037EF6: SDL_PumpEvents (in /usr/lib/libSDL-1.2.so.0.11.1)
> ==1937==    by 0x4038406: SDL_PollEvent (in /usr/lib/libSDL-1.2.so.0.11.1)
> ==1937==    by 0x804D7ED: mySDL_PollEvent (in /home/olpc/tuxpaint/tuxpaint)
> ==1937==
> ==1937== Invalid read of size 8
> ==1937==    at 0x40639FD: (within /usr/lib/libSDL-1.2.so.0.11.1)
> ==1937==    by 0xE7: ???
> ==1937==  Address 0x97B8E60 is 8 bytes after a block of size 141,056 alloc'd
> ==1937==    at 0x40224E5: malloc (vg_replace_malloc.c:149)
> ==1937==    by 0x405BC83: SDL_CreateRGBSurface (in
> /usr/lib/libSDL-1.2.so.0.11.1)
> ==1937==    by 0x804E62A: thumbnail2 (in /home/olpc/tuxpaint/tuxpaint)
> ==1937==
> ==1937== Invalid read of size 8
> ==1937==    at 0x4063A04: (within /usr/lib/libSDL-1.2.so.0.11.1)
> ==1937==    by 0xE7: ???
> ==1937==  Address 0x97B8E58 is 0 bytes after a block of size 141,056 alloc'd
> ==1937==    at 0x40224E5: malloc (vg_replace_malloc.c:149)
> ==1937==    by 0x405BC83: SDL_CreateRGBSurface (in
> /usr/lib/libSDL-1.2.so.0.11.1)
> ==1937==    by 0x804E62A: thumbnail2 (in /home/olpc/tuxpaint/tuxpaint)
>
> My screen size is 1200x900, 2 bytes per pixel.
> This is 32-bit x86 with MMX enabled.

So if I'm reading this right, thumbnail2 is reading past where it should.
What options are you building with?

  NO_BILINEAR
  LOW_QUALITY_THUMBNAILS

getpixel/putpixel should be making sure we don't read/write beyond
the surface, so I'm not yet sure what's going on here. Have you
investigated any more since?

Thx!

-- 
-bill!
bi...@ne...
http://www.newbreedsoftware.com/