fix OOB array index in circle segment calculation #5317
Conversation
Actually not exactly. We fixed something very close to that, and I would say it is extremely likely that your case would be fixed by our change, but I'm not 100% sure since they are done at different level of code. |
|
Sorry, I do not recall the exact scenario it happened with. Somehow it got called with a negative value. It would be good for this to be fixed regardless, as it did happen in normal usage. The end users were calling an abstraction via Lua bind. I noticed some of those bounds checks up the call stack and I'm unaware if those had existed back a few months ago. It could've fixed the issue but I am now unable to reproduce it. If you really think the bounds check on this function is unnecessary, then sure... but make it more verbose that this never receives a negative value. |
|
In the current code it would make a difference if private/internal What puzzle me is how precisely the PR you are suggesting would fix anything even in the old version. Your fix protects against NEGATIVE radiuses but all calls to |
|
Turns out this could repro which an excessively large floating point value (e.g FLT_MAX or even e.g. 100000000.0f) which would break during the downcast to int. See #6657. Merged same fix. |
Version/Branch of Dear ImGui:
masterBack-end/Renderer/Compiler/OS:
Windows, Dx11
My Issue/Question:
A few months ago in production this crash happened to our users as an extremely rare edge case.
The crash ceased to occur when adding the bounds check before the array is indexed.
Screenshots/Video:
I did not archive anything from that time.
Standalone, minimal, complete and verifiable example:
Call
_CalcCircleAutoSegmentCountwith something negative and watch what happens.P.S. I did not go and try to see if this function receiving a negative value was a side effect of another part of the codebase. I did what was necessary to fix the crash and did not observe any consequences of adding the bounds check.