[5047] in Athena Bugs
7.0 Xibm
daemon@ATHENA.MIT.EDU (John Carr)
Sun Jun 3 23:28:31 1990
To: bugs@ATHENA.MIT.EDU, bug-x11r4@ATHENA.MIT.EDU
Date: Sun, 03 Jun 90 23:28:10 EDT
From: John Carr <jfc@ATHENA.MIT.EDU>
RT 7.0E
Large images (e.g. X window dumps) often crash the megapel server. Stack
trace looks like:
_.blt() from _.mpelDrawMonoImage+0x166
_.mpelDrawMonoImage(r2=0xf4c12660, r3=0x10134804, r4= 00000000,
r5=0xf4c12600, 0x000001e0, 0x0000000e, 0x00000003,
0x000000ff) from _.mpelUnnaturalMonoImage+0x7e
_.mpelUnnaturalMonoImage(r2=0xf4c12660, 0x000000f4, r4= 00000000,
0x000000f4, 0x000001ff, 0x0000000e, 0x00000003,
0x000000ff) from _.mpelDrawMonoImage+0x7e
_.mpelDrawMonoImage(r2=0xf4c12660, r3=0x10134804, r4= 00000000,
r5=0xf4c12600, 0x000001ff, 0x0000000e, 0x00000003,
0x000000ff) from _.ppcStipple+0x132
_.ppcStipple(0x100a9a24, r3=0x10134804, r4= 00000000,
r5=0xf4c12600, 00000000, 00000000, 0x00000400,
0x000001ff, 00000000, 00000000) from _.ppcAreaFill+0x14e
_.ppcAreaFill(r2=0xf4c12660, r3=0x10134804, r4= 00000000,
r5=0xf4c12600) from _.ppcPolyFillRect+0x1c2
_.ppcPolyFillRect(0x000000f4, r3=0x10134804, r4= 00000000,
r5=0xf4c12600) from _.miOpqStipDrawable+0x202
_.miOpqStipDrawable(r2=0xf4c12660, r3=0x10134804, 0x100251f4,
0x0006c088, 00000000, 0x00000400, 0x000001ff,
00000000, 00000000) from _.miPutImage+0x70
_.miPutImage(r2=0xf4c12660, r3=0x10134804, r4= 00000000,
0x10031e84, 00000000, 0x00000400, 0x000001ff,
00000000, 00000000, 0x10113c6c) from _.ProcPutImage+0x224
_.ProcPutImage(r2=0xf4c12660) from _.Dispatch+0x12e
_.Dispatch() from _.main+0x3ba
_.main( 00000000, 00000000) from start+0x2e
start(r2=0xf4c12660, r3=0x10134804, r4= 00000000)
I think this will fix it:
*** ref/mpelMono.c Thu Nov 9 22:52:15 1989
--- mpelMono.c Sun Jun 3 23:21:53 1990
***************
*** 197,203 ****
bytesPerBlock = totwidthBytes * linesPerBlock ;
while ( bytes > 0 ) {
! mpelDrawMonoByteImage( data, x, y, w, linesPerBlock, fg, alu, planes ) ;
y += linesPerBlock ;
data += bytesPerBlock ;
bytes -= bytesPerBlock ;
--- 197,208 ----
bytesPerBlock = totwidthBytes * linesPerBlock ;
while ( bytes > 0 ) {
! if (bytes < bytesPerBlock)
! mpelDrawMonoByteImage(data, x, y, w, bytes / totwidthBytes,
! fg, alu, planes);
! else
! mpelDrawMonoByteImage(data, x, y, w, linesPerBlock,
! fg, alu, planes);
y += linesPerBlock ;
data += bytesPerBlock ;
bytes -= bytesPerBlock ;
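Review bot: In the new "if (bytes < bytesPerBlock)" branch the tail height is "bytes / totwidthBytes", which truncates. If "bytes" is not a whole multiple of "totwidthBytes", the partial last line is silently dropped, and if fewer than "totwidthBytes" bytes remain, the draw call is made with a height of 0. Either check before the loop that "bytes" is a multiple of "totwidthBytes", or skip the call when the computed height is 0. The two calls differ only in the height argument, so computing the height into a local and making a single call would be easier to read. Termination on the short final block still depends on "bytes -= bytesPerBlock" taking "bytes" to zero or below, so "bytes" has to be a signed type. Its declaration is not in this hunk, and a comment on the loop saying that the final block may be short would help the next reader.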
The bug is that this loop implicitly assumes that the block sizes it is
breaking the image into evenly divide the total size. When the image is
near the end of memory and the image size is not evenly divided by the
variable "bytesPerBlock", the copy image operation can run off the end of
memory.
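The failure described above, modeled as an added example (not part of the original message or of the X server source). It walks the same block loop over constructed sizes and reports how far past the image a draw call would read, before and after the tail clamp. It assumes a draw call of N lines reads N * totwidthBytes bytes, and walk_strips, strip_stats and overread_bytes are hypothetical names.

```c
#include <stdio.h>

/* Added illustration: a model of the strip loop in the patch. It records
 * which byte ranges a draw call would be handed; nothing is drawn.
 * Assumption: a draw call of `lines` rows reads lines * totwidthBytes
 * bytes starting at `data`. */
struct strip_stats {
    long calls;        /* draw calls issued */
    long lines_drawn;  /* total rows passed to draw calls */
    long max_end;      /* one past the highest byte offset read */
};

/* clamp_tail = 0 models the loop before the patch, 1 the loop after it. */
struct strip_stats walk_strips(long bytes, long totwidthBytes,
                               long linesPerBlock, int clamp_tail)
{
    struct strip_stats s = { 0, 0, 0 };
    long bytesPerBlock = totwidthBytes * linesPerBlock;
    long offset = 0;               /* stands in for the `data` pointer */
    while (bytes > 0) {
        long lines = linesPerBlock;
        if (clamp_tail && bytes < bytesPerBlock)
            lines = bytes / totwidthBytes;   /* short final block */
        s.calls++;
        s.lines_drawn += lines;
        if (offset + lines * totwidthBytes > s.max_end)
            s.max_end = offset + lines * totwidthBytes;
        offset += bytesPerBlock;
        bytes -= bytesPerBlock;
    }
    return s;
}

/* Bytes read past the end of an image that is image_bytes long. */
long overread_bytes(long image_bytes, struct strip_stats s)
{
    return s.max_end > image_bytes ? s.max_end - image_bytes : 0;
}

int main(void)
{
    /* Constructed input: 511 rows of 128 bytes, 16 rows per block. */
    long image_bytes = 511L * 128L;
    struct strip_stats before = walk_strips(image_bytes, 128, 16, 0);
    struct strip_stats after  = walk_strips(image_bytes, 128, 16, 1);
    printf("before: %ld rows, %ld bytes past end\n", before.lines_drawn, overread_bytes(image_bytes, before));
    printf("after:  %ld rows, %ld bytes past end\n", after.lines_drawn, overread_bytes(image_bytes, after));
    return 0;
}
```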