bezier-curve.cpp:112: When i==pts.size(), pts[i] is out of bounds

Bug #812003 reported by Reijo Tomperi on 2011-07-17
Affects: Inkscape   Status: Fix Released   Importance: Medium   Assigned to: Jon A. Cruz   Milestone: 0.49

Bug Description

In inkscape/src/2geom/bezier-curve.cpp, there is a loop where the variable "i" gets a value that is equal to the size of a vector, causing an out-of-bounds situation below where pts[i] is used. (revision 10464)

BezierCurve::BezierCurve(std::vector<Point> const &pts)
{
    inner = D2<Bezier>(Bezier::Order(pts.size()-1), Bezier::Order(pts.size()-1));
    for (unsigned d = 0; d < 2; ++d) {
        for(unsigned i = 0; i <= pts.size(); i++)   // bug: <= should be <; i == pts.size() indexes past pts and inner[d]
            inner[d][i] = pts[i][d];
    }
}

There is no real-life test case for this; it was just spotted in the code when testing Cppcheck against Inkscape, but it looks quite dangerous.
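The following is an added, self-contained model of the constructor above; it is not Inkscape's or lib2geom's code. Point, Bezier and BezierCurve are simplified stand-ins (assumed shapes, not the 2geom types), and the copy loop uses .at() so that the off-by-one shows up as a std::out_of_range exception rather than a silent out-of-bounds read of pts[i] and write to inner[d][i]. The same object can be built with the reported bound (i <= pts.size()) or the corrected one (i < pts.size()).

```cpp
// Added example (not Inkscape's or lib2geom's code): a self-contained model of
// the BezierCurve constructor from the report. Point, Bezier and BezierCurve
// are simplified stand-ins; the copy loop uses .at() so the off-by-one surfaces
// as std::out_of_range instead of a silent out-of-bounds read and write.
#include <array>
#include <cstddef>
#include <stdexcept>
#include <vector>

using Point = std::array<double, 2>;          // stand-in for Geom::Point (x, y)

struct Bezier {
    std::vector<double> c;                    // a Bezier of order n has n+1 coefficients
    explicit Bezier(std::size_t order) : c(order + 1) {}
};

struct BezierCurve {
    std::array<Bezier, 2> inner;              // one coefficient array per dimension (x, y)

    // fixed_bound == false reproduces the reported loop (`i <= pts.size()`);
    // fixed_bound == true is the corrected loop (`i < pts.size()`).
    BezierCurve(std::vector<Point> const &pts, bool fixed_bound)
        : inner{Bezier(pts.size() - 1), Bezier(pts.size() - 1)} {
        // pts[i] and inner[d][i] are both valid only for i in [0, pts.size()).
        std::size_t end = fixed_bound ? pts.size() : pts.size() + 1;
        for (unsigned d = 0; d < 2; ++d)
            for (std::size_t i = 0; i < end; ++i)
                inner[d].c.at(i) = pts.at(i)[d];   // .at() throws where [] would corrupt memory
    }
};

// Builds a curve with the chosen loop bound and reports whether every index stayed in bounds.
bool constructs_in_bounds(std::vector<Point> const &pts, bool fixed_bound) {
    // The reported constructor has no empty-input check; pts.size()-1 would wrap there,
    // so this model simply rejects an empty vector instead of reproducing that.
    if (pts.empty()) return false;
    try {
        BezierCurve curve(pts, fixed_bound);
        (void)curve;
        return true;
    } catch (std::out_of_range const &) {
        return false;
    }
}

// Coefficient i of dimension d after the corrected copy loop, for checking the result.
double coefficient(std::vector<Point> const &pts, unsigned d, std::size_t i) {
    return BezierCurve(pts, true).inner[d].c.at(i);
}

// Constructed sample input: the four control points of a cubic.
static const std::vector<Point> kCubic = {{0.0, 0.0}, {1.0, 2.0}, {3.0, 2.0}, {4.0, 0.0}};
```

With the reported bound the last iteration reads pts[pts.size()] and writes inner[d][pts.size()], one past the end of both; with the corrected bound every control point lands in its coefficient slot and nothing is touched outside the two arrays.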

su_v (suv-lp) on 2011-07-18
tags: added: cppcheck
su_v (suv-lp) on 2011-07-19
Changed in inkscape:
assignee: nobody → Jon A. Cruz (jon-joncruz)
status: New → Confirmed
Changed in inkscape:
status: Confirmed → In Progress
Changed in inkscape:
importance: Undecided → Medium
status: In Progress → Fix Committed
milestone: none → 0.49
Johan Engelen (johanengelen) wrote :

Jon, do you have commit access to lib2geom?
If not committed to 2geom, the fix will be lost upon the next update.

ScislaC (scislac) wrote :

Johan,

No, he's not... and mgsloan and I are still pending commit access. We want to help contribute. :) Johan, if you could port the change upstream that would rock (attached).

On 19-7-2011 19:54, ScislaC wrote:
> No he's not... and mgsloan and myself are still pending to get commit
> access. We want to help contribute. :)

Hard to believe :(

I committed the fix upstream.

Bryce Harrington (bryce) on 2015-02-21
Changed in inkscape:
status: Fix Committed → Fix Released