[9fans] bug in topng(1)

[9fans] bug in topng(1)

[yaroslav]

There's a bug in topng(1) which under certain circumstances may result in
broken output image.  When such an image then is fed to png(1)
diagnostics like the following are produced:

	term% png /tmp/1.png
	png: unknown filtering scheme 49

(The filtering scheme number may differ.)

This happens when at the beginning of an input line (z->x == 0) there
are only room for exactly one pixel in output buffer (b+pixwids == e),
at /sys/src/cmd/jpg/writepng.c:/^zread/+/while/.

Since every scan line should start with a filter algorithm ID it
consumes a byte in the buffer, leaving no room for the pixel.  The
"pixels" variable turns zero, no pixels are emitted, yet the alg byte
slips out.  During next run of zread() with empty buffer, the alg byte
is emitted again, causing permanent skew of output bytes.

The proposed fix is to modify the loop condition so the loop won't
proceed if there are not enough room for at least one pixel plus a
byte for the filter alg ID.

Submitted /n/sources/patch/topng-extrabyte/.

- yk

Re: [9fans] bug in topng(1)

[erik quanstrom]

patch submitted,
	/n/sources/patch/pngfencepost

- erik

Re: [9fans] bug in topng(1)

[cinap_lenrek]

correct. the Bread() is basically sound. must'v been drunk when coming
up with it.

--
cinap

Re: [9fans] bug in topng(1)

[erik quanstrom]

On Mon Dec 24 12:46:29 EST 2012, cinap_lenrek@gmx.de wrote:
> fixed in 9front, its a off by one in the image size calculation.

can you explain what the difference between Bread and Breadn is?

it looks to me that they have they both return count on a full read,
nread on a partial read after having gotten a return of 0/-1 from a
read but with some bytes available, and 0/-1 if there are no bytes
available and the (first) read returned 0/-1.

- erik

Re: [9fans] bug in topng(1)

[cinap_lenrek]

fixed in 9front, its a off by one in the image size calculation.

--
cinap

Re: [9fans] bug in topng(1)

[Erik Quanstrom]

yaroslav <yarikos@gmail.com> wrote:

>There's a bug in topng(1) which under certain circumstances may result in
>broken output image.  When such an image then is fed to png(1)
>diagnostics like the following are produced:
>
>	term% png /tmp/1.png
>	png: unknown filtering scheme 49
>
>(The filtering scheme number may differ.)
>
>This happens when at the beginning of an input line (z->x == 0) there
>are only room for exactly one pixel in output buffer (b+pixwids == e),
>at /sys/src/cmd/jpg/writepng.c:/^zread/+/while/.
>
>Since every scan line should start with a filter algorithm ID it
>consumes a byte in the buffer, leaving no room for the pixel.  The
>"pixels" variable turns zero, no pixels are emitted, yet the alg byte
>slips out.  During next run of zread() with empty buffer, the alg byte
>is emitted again, causing permanent skew of output bytes.
>
>The proposed fix is to modify the loop condition so the loop won't
>proceed if there are not enough room for at least one pixel plus a
>byte for the filter alg ID.
>
>Submitted /n/sources/patch/topng-extrabyte/.
>
>- yk
>
>
>