Opened 11 years ago

Closed 11 years ago

#541 closed defect/bug (fixed)

An integer overflow in clip_line_code can cause an infinite loop

Reported by: timo lindfors
Owned by: KaZeR
Priority: major
Milestone:
Component: core
Version: git master
Severity:
Keywords:
Cc:

Description

Steps to reproduce:
1) wget http://downloads.cloudmade.com/europe/finland/finland.osm.bz2
2) bunzip2 finland.osm.bz2
3) osm2navit -i finland.osm finland.bin

Expected results:
3) osm2navit creates finland.bin

Actual results:
3) osm2navit does not exit.

More info:
1) It seems that if clip_line_code is called with

*p1 = {x = 2812500, y = 9466386}
*r = {l = {x = 2851562, y = 9492187}, h = {x = 2890625, y = 9531250}}
*p2 = {x = 2862940, y = 9531250}

an integer overflow will happen on line

 p1->y+=(r->l.x-p1->x)*dy/dx;

since (2851562 - 2812500) * 64864 is larger than 2**31 and thus overflows and results in a negative value.
2) One solution seems to be to make dx and dy of type "long long".
3) I am using the debian testing maptool package 0.2.0~svn2897+dfsg.1-1 on amd64.
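
The arithmetic described in the ticket, as an added example (not part of the original report and not Navit's code): it evaluates the quoted expression for the ticket's p1, p2 and r->l.x, once with the product reduced to 32 bits and once with dx and dy as long long. The struct coord layout and the names mul_wrap32, clip_y_32, clip_y_64 and on_segment are assumptions made for this sketch.

```c
/* Added example: struct coord and the function names are assumptions;
   the input values are the ones quoted in the ticket. */
#include <stdint.h>
#include <stdio.h>

struct coord { int x, y; };

/* a*b reduced to 32 bits the way a two's-complement int wraps, computed
   through unsigned arithmetic so the demo itself has no undefined behaviour. */
static int32_t mul_wrap32(int32_t a, int32_t b)
{
    uint32_t u = (uint32_t)a * (uint32_t)b;
    if (u > (uint32_t)INT32_MAX)
        return (int32_t)((int64_t)u - 4294967296LL);
    return (int32_t)u;
}

/* y where segment p1->p2 crosses x = left, with 32-bit intermediates. */
static int clip_y_32(struct coord p1, struct coord p2, int left)
{
    int dx = p2.x - p1.x, dy = p2.y - p1.y;
    return p1.y + mul_wrap32(left - p1.x, dy) / dx;
}

/* Same computation with dx and dy widened to long long. */
static int clip_y_64(struct coord p1, struct coord p2, int left)
{
    long long dx = p2.x - p1.x, dy = p2.y - p1.y;
    return (int)(p1.y + (left - p1.x) * dy / dx);
}

/* 1 if y lies between the endpoints' y values, i.e. on the segment. */
static int on_segment(struct coord p1, struct coord p2, int y)
{
    int lo = p1.y < p2.y ? p1.y : p2.y, hi = p1.y < p2.y ? p2.y : p1.y;
    return y >= lo && y <= hi;
}

int main(void)
{
    struct coord p1 = {2812500, 9466386}, p2 = {2862940, 9531250};
    int left = 2851562;                    /* r->l.x from the ticket */
    int y32 = clip_y_32(p1, p2, left), y64 = clip_y_64(p1, p2, left);
    printf("32-bit: y=%d on_segment=%d\n", y32, on_segment(p1, p2, y32));
    printf("64-bit: y=%d on_segment=%d\n", y64, on_segment(p1, p2, y64));
    return 0;
}
```

With 32-bit intermediates the computed y falls below both endpoints of the segment; with long long it lands between them.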

Change History (1)

comment:1 Changed 11 years ago by kazer

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in rev 2944. Thank you!
