From abcf1048e23525865c2ff43ce90bbdaa80524246 Mon Sep 17 00:00:00 2001 From: Tobias Stoeckmann Date: Fri, 14 May 2021 13:06:15 +0200 Subject: [PATCH] cursor: fix crash with weird input files If a cursor file contains multiple images for the same size, this typically indicates an animation. The compositor weston uses wl_cursor_frame_and_duration to figure out at which time a specific image should be shown. The total delay is the sum of all image delays. But if all images have a delay of 0, the total delay is 0 as well. The code does not check for this special condition and triggers a floating point exception by eventually performing a modulo operation with 0. This, of course, could also happen if the sum of all image delays triggers an unsigned int overflow. But since a comment in the code already indicates that it does not try to "fix" handling of weird files, I would argue that it's "okay" if that happens. At least the program won't crash. Proof of Concept: install -D ~/.icons/poc/cursors base64 -d > ~/.icons/poc/cursors/left_ptr << EOF WGN1chAAAAAAAAEAAgAAAAIA/f8BAAAAKAAAAAIA/f8BAAAAKAAAACQAAAACAP3/AQAAAAEAAAAB AAAAAQAAAAEAAAABAAAAAAAAAAAAAAA= EOF cat > /tmp/weston.ini << EOF [shell] cursor-theme=poc EOF weston -c /tmp/weston.ini Signed-off-by: Tobias Stoeckmann --- cursor/wayland-cursor.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cursor/wayland-cursor.c b/cursor/wayland-cursor.c index 4e2dc502..7da70141 100644 --- a/cursor/wayland-cursor.c +++ b/cursor/wayland-cursor.c @@ -475,7 +475,7 @@ wl_cursor_frame_and_duration(struct wl_cursor *_cursor, uint32_t time, uint32_t t; int i; - if (cursor->cursor.image_count == 1) { + if (cursor->cursor.image_count == 1 || cursor->total_delay == 0) { if (duration) *duration = 0; return 0;
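Review bot: The new `|| cursor->total_delay == 0` clause in the `if` at the top of `wl_cursor_frame_and_duration` deserves a one-line comment, because a reader of this function alone cannot tell why a zero total delay must be treated like the single-image case; something like `/* all frame delays are 0: no animation, avoid time % 0 */` above the `if` would record the motivation given in the commit message. The placement itself looks right: the early return happens before `t` is ever computed, so no later arithmetic in the function can see a zero divisor. One residual gap the message already acknowledges: `total_delay` is a sum of `uint32_t` delays, and a crafted file can still wrap it around to zero or to a small value; if that case is ever addressed, the natural place is where the delays are summed in the loader (saturating at `UINT32_MAX` or rejecting the file), not in this lookup function, so the guard added here would still be correct as a last line of defence.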