author | Johannes Hofmann <Johannes.Hofmann@gmx.de> | 2010-10-15 22:26:14 +0200 |
---|---|---|
committer | Johannes Hofmann <Johannes.Hofmann@gmx.de> | 2010-10-15 22:26:14 +0200 |
commit | 4212c27815f8cf5c8bc51fb5b8643fc420c47473 (patch) | |
tree | fe0ce13264a76c3489e841537ac46f8f7b728466 | |
parent | 21d55d46536fcd702a5ae742554e8d353ba64cf9 (diff) |
avoid integer overflow in Polygon::linesCross0()
The product of the two zOfVectorProduct() values could overflow.
Check both values for different sign instead.
Testcase:
<html> <body>
<img src="doesnt_matter.gif" width="250" height="700" usemap="#themap">
<map name="themap">
<area shape="poly" coords="1,250, 245,270, 223,513"
href="http://www.dillo.org">
</map>
</body> </html>
Reported-by and Testcase-by: corvid <corvid@lavabit.com>
-rw-r--r-- | dw/types.cc | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/dw/types.cc b/dw/types.cc
index 630cc8d9..047e7705 100644
--- a/dw/types.cc
+++ b/dw/types.cc
@@ -177,9 +177,10 @@ bool Polygon::linesCross0(int ax1, int ay1, int ax2, int ay2,
 /** TODO Some more description */
 // If the scalar product is 0, it means that one point is on the second
 // line, so we check for <= 0, not < 0.
- return
- zOfVectorProduct (ax1 - bx1, ay1 - by1, bx2 - bx1, by2 - by1) *
- zOfVectorProduct (ax2 - bx1, ay2 - by1, bx2 - bx1, by2 - by1) <= 0;
+ int z1 = zOfVectorProduct (ax1 - bx1, ay1 - by1, bx2 - bx1, by2 - by1);
+ int z2 = zOfVectorProduct (ax2 - bx1, ay2 - by1, bx2 - bx1, by2 - by1);
+
+ return (z1 <= 0 && z2 >= 0) || (z1 >= 0 && z2 <= 0);
 }
 
 /**
|
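Review bot: The sign test in linesCross0() removes the overflow in the product of the two results, but each `zOfVectorProduct()` call still receives int differences such as `ax1 - bx1` and presumably multiplies them in int; the helper's body is outside this hunk, so this should be confirmed. Going by the testcase in the commit message, the coordinates come from the `coords` attribute of page markup, so values chosen by a page author can still reach signed overflow, which is undefined behaviour in C++. Doing the helper's multiplication in `long long` and returning that type, or bounding the coordinates where they are parsed, would close the remaining path. The retained comment still describes the old product check; it could read `// A zero z-component means a point lies on the other line, so zero counts as crossing.` The function's signature and opening brace are outside the hunk.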