Bug 453332

Summary: Crash on Panning with Equirectangular Projection
Product: [Applications] marble Reporter: Ernesto De Stefano <erndestefano>
Component: general Assignee: marble-bugs
Status: RESOLVED FIXED    
Severity: crash CC: rahn
Priority: NOR    
Version: 21.12.2   
Target Milestone: ---   
Platform: Other   
OS: All   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: FullBackTrack and ScreenShot when crash occurs with Qt Debug view.

Description Ernesto De Stefano 2022-05-03 10:37:47 UTC
Created attachment 148533
FullBackTrack and ScreenShot when crash occurs with Qt Debug view.

SUMMARY
If an Equirectangular Projection has been set, the crash occurs when you try to pan the map in order to move it under or down the vertical center of the widget.



STEPS TO REPRODUCE
1. Set "Equirectangular Projection"
2. Pan down/Up the map until the limit


OBSERVED RESULT
The crash occurs

EXPECTED RESULT
As for other projections, the crash does not occur.

SOFTWARE/OS VERSIONS
Windows: 
Windows 10
Linux/KDE Plasma: 
CentOS 7
Qt Version: 
Qt 5.15.2

ADDITIONAL INFORMATION
The crash is due to a buffer overflow that occurs in Marble code in the method:
void StackedTile::pixel(int x , int y) const;
This method is called with y < 0 (when panning down) or y > buffer size (when panning up).
Comment 1 Torsten Rahn 2023-04-22 17:50:38 UTC
Yes, I can reproduce this:

1 Marble::StackedTile::pixel                             StackedTile.cpp                   100 0x7ffff773532f 
2 Marble::ScanlineTextureMapperContext::pixelValueApprox ScanlineTextureMapperContext.cpp  322 0x7ffff77207cb 
3 Marble::EquirectScanlineTextureMapper::RenderJob::run  EquirectScanlineTextureMapper.cpp 219 0x7ffff7722e5d 
4 QThreadPoolThread::run()                                                                     0x7ffff51f766a 
5 QThreadPrivate::start(void *)                                                                0x7ffff51f3b35 
6 start_thread                                           pthread_create.c                  463 0x7ffff34976db 
7 clone                                                  clone.S                           95  0x7ffff48cf61f 


	Lokale Variablen		
		this	@0x7fff684782f0	Marble::StackedTile
			[Marble::Tile]	@0x7fff684782f0	Marble::Tile
			jumpTable32	0x0	uint**
			jumpTable8	"########%%%%%%%%$$$$$$$$&&&&&&&&%%%%%%%%$$$$$$$$""""""""""""""""$$$$$$$$""""""""%%%%%%%%$$$$$$$$&&&&"... (unknown length)	uchar*
			m_byteCount	912600	int
			m_depth	8	int
			m_isGrayscale	true	bool
			m_isUsed	true	bool
			m_resultImage	(675x675)	QImage
			m_tiles	<ein Element>	QVector<QSharedPointer<Marble::TextureTile> >
		x	15	int
		y	675	int
	Inspector		
	Ausdrücke		
	Rückgabewert		
	Tooltip		
		m_resultImage	(675x675)	QImage
Comment 2 Torsten Rahn 2023-04-22 18:11:26 UTC
Hm, I haven't been able to trigger this when choosing "HighQuality" rendering during Animations (See Settings) - this uses void ScanlineTextureMapperContext::pixelValueApproxF instead of void ScanlineTextureMapperContext::pixelValueApprox.
So I guess that this happens due to a rounding error which calculates the position to be outside the "last/first" tile in a column.
Since nextTile() will still "stay" on the same tile we will reach out of bounds.
The safe and lazy solution would be to correct the Y value to be still within the bounds.
I wonder whether this issue could also be triggered for the x-case.
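
The out-of-range read discussed in Comment 2, modelled with the values from the debugger view in Comment 1 (a 675x675 image read at x = 15, y = 675), as an added example that is neither Marble's code nor the change made in the commit. `GrayTile`, `pixelChecked`, `pixelClamped` and `makeSampleTile` are hypothetical names, and the tile is assumed to hold one byte per pixel with no row padding.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Simplified stand-in for a grayscale tile (hypothetical, not Marble's StackedTile).
struct GrayTile {
    int width, height;
    std::vector<std::uint8_t> data;  // row-major, one byte per pixel (assumption)

    GrayTile(int w, int h) : width(w), height(h), data(static_cast<std::size_t>(w) * h, 0) {}

    bool contains(int x, int y) const {
        return x >= 0 && x < width && y >= 0 && y < height;
    }

    // Checked read: rejects an out-of-range coordinate instead of touching memory.
    bool pixelChecked(int x, int y, std::uint8_t &out) const {
        if (!contains(x, y)) return false;
        out = data[static_cast<std::size_t>(y) * width + x];
        return true;
    }

    // Clamping remedy: pull the coordinate back onto the nearest valid row
    // (and column, which also covers the x-case) before indexing.
    std::uint8_t pixelClamped(int x, int y) const {
        const int cx = std::max(0, std::min(x, width - 1));
        const int cy = std::max(0, std::min(y, height - 1));
        return data[static_cast<std::size_t>(cy) * width + cx];
    }
};

// Constructed sample: a 675x675 tile whose last row is filled with 0xAB.
GrayTile makeSampleTile() {
    GrayTile t(675, 675);
    std::fill(t.data.end() - t.width, t.data.end(), std::uint8_t(0xAB));
    return t;
}

int main() {
    GrayTile t = makeSampleTile();
    std::uint8_t v = 0;
    // y == height is one row past the end: valid rows are 0..674.
    std::printf("checked(15,675) ok=%d\n", t.pixelChecked(15, 675, v) ? 1 : 0);
    std::printf("clamped(15,675) = 0x%02X\n", static_cast<unsigned>(t.pixelClamped(15, 675)));
    return 0;
}
```

Clamping keeps the renderer running by repeating the edge row; the checked variant is the one to use where a bad coordinate should be surfaced rather than hidden.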
Comment 3 Torsten Rahn 2023-04-22 20:16:51 UTC
Git commit 2508968372c752daed3b120e482cb006c0e24e89 by Torsten Rahn.
Committed on 22/04/2023 at 20:16.
Pushed by rahn into branch 'master'.

Fix Crash on Panning with Equirectangular Projection

M  +7    -0    src/lib/marble/ScanlineTextureMapperContext.cpp

https://invent.kde.org/education/marble/commit/2508968372c752daed3b120e482cb006c0e24e89