[gl2ps] gl2ps bug in gl2psParseStipplePattern
Fletcher, Ben
ben.fletcher at dsto.defence.gov.au
Mon Oct 30 03:12:43 CET 2006
Hi,
I have encountered a problem with gl2psParseStipplePattern.
If the stipple pattern is 0xaaaa, then i will finish the for loop listed
below being equal to 5, when its maximum value should be only 4.

  /* compute the on/off pixel sequence (since the PostScript
     specification allows for at most 11 elements in the on/off array,
     we limit ourselves to 5 couples of on/off states) */
  n = 0;
  for(i = 0; i < 5; i++){
    while(n < 16 && !tmp[n]){ off[i]++; n++; }
    while(n < 16 && tmp[n]){ on[i]++; n++; }
    if(n >= 15) break;
  }

This causes the following loop to read outside the bounds of the on[] and
off[] arrays, and leads to *nb=12, which causes invalid PostScript output:

  /* store the on/off array from right to left, starting with off
     pixels (the longest possible array is: [on4 off4 on3 off3 on2
     off2 on1 off1 on0 off0]) */
  *nb = 0;
  for(n = i; n >= 0; n--){
    array[(*nb)++] = factor * on[n];
    array[(*nb)++] = factor * off[n];
  }

ben
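
The off-by-one reported above, reproduced as an added example (not part of the original post and not gl2ps code) next to one possible bounded variant. The names unpack, parse_reported and parse_bounded, the bit order in unpack, and the oversized buffers in parse_reported (so the extra couple can be observed without undefined behaviour) are assumptions.

```c
#include <stdio.h>

#define MAX_COUPLES 5

/* Assumed bit order: tmp[0] holds the most significant bit of the pattern. */
static void unpack(unsigned short pattern, char tmp[16])
{
  for(int n = 15; n >= 0; n--){ tmp[n] = (char)(pattern & 1); pattern >>= 1; }
}

/* The two loops as quoted in the report. on/off hold 8 entries and out holds
   16 here only so the sixth couple stays in bounds. Returns *nb. */
int parse_reported(unsigned short pattern, int factor, int out[16])
{
  int i, n = 0, nb = 0, on[8] = {0}, off[8] = {0};
  char tmp[16];
  unpack(pattern, tmp);
  for(i = 0; i < 5; i++){
    while(n < 16 && !tmp[n]){ off[i]++; n++; }
    while(n < 16 && tmp[n]){ on[i]++; n++; }
    if(n >= 15) break;  /* on break, i is the last filled index... */
  }                     /* ...but without a break, i ends one past it (5) */
  for(n = i; n >= 0; n--){ out[nb++] = factor * on[n]; out[nb++] = factor * off[n]; }
  return nb;
}

/* Bounded variant: count is the number of filled couples, never more than
   MAX_COUPLES, so the second loop starts at count - 1 on every path. */
int parse_bounded(unsigned short pattern, int factor, int out[2 * MAX_COUPLES])
{
  int count = 0, n = 0, nb = 0, on[MAX_COUPLES] = {0}, off[MAX_COUPLES] = {0};
  char tmp[16];
  unpack(pattern, tmp);
  while(count < MAX_COUPLES && n < 16){
    while(n < 16 && !tmp[n]){ off[count]++; n++; }
    while(n < 16 && tmp[n]){ on[count]++; n++; }
    count++;
  }
  for(n = count - 1; n >= 0; n--){ out[nb++] = factor * on[n]; out[nb++] = factor * off[n]; }
  return nb;
}

int main(void)
{
  int out[16];
  printf("0xaaaa reported: nb=%d\n", parse_reported(0xaaaa, 1, out));
  printf("0xaaaa bounded:  nb=%d\n", parse_bounded(0xaaaa, 1, out));
  return 0;
}
```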