Opened 11 years ago
Closed 11 years ago
#541 closed defect/bug (fixed)
an integer overflow in clip_line_code can cause infinite loop
| Reported by: | timo lindfors | Owned by: | KaZeR |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | core | Version: | git master |
| Severity: | Keywords: | ||
| Cc: |
Description
Steps to reproduce:
1) wget http://downloads.cloudmade.com/europe/finland/finland.osm.bz2
2) bunzip2 finland.osm.bz2
3) osm2navit -i finland.osm finland.bin
Expected results:
3) osm2navit creates finland.bin
Actual results:
3) osm2navit does not exit.
More info:
1) It seems that if clip_line_code is called with
*p1 = {x = 2812500, y = 9466386}
*r = {l = {x = 2851562, y = 9492187}, h = {x = 2890625, y = 9531250}}
*p2 = {x = 2862940, y = 9531250}
an integer overflow will happen on line
p1->y+=(r->l.x-p1->x)*dy/dx;
since (2851562 - 2812500) * 64864 is larger than 2**31 and thus overflows and results in a negative value.
2) One solution seems to be to make dx and dy of type "long long".
3) I am using the debian testing maptool package 0.2.0~svn2897+dfsg.1-1 on amd64.
Change History (1)
comment:1 Changed 11 years ago by kazer
- Resolution set to fixed
- Status changed from new to closed
Note: See
TracTickets for help on using
tickets.
Fixed in rev 2944. Thank you!