Type: Bug
Resolution: Unresolved
Priority: P4
Fix Version: None
Affected Version: 1.4.2
HP observes an xyjBuffer overflow in dcLLFillerS.c when debugging a customer application.
Please see file dcLLFillerS.c, method appendArc3:
In the failure case, at the start of the method appendArc3, the following
are the values of various variables:
steps=1 : diam=2 : p->xyjN=252 : x1=8 : y1=11 : x2=9 : y2=9 : x3=11 : y3=8 :
p->x0=8 : p->y0=13 : i=252
The maximum limit for p->xyjN (i) should be 256. But in the failure
case, the value of "i" goes to 258. This happens when the following code
gets executed.
Before line 564, the value of "i" is 252, and it falls into the following if block,
where it gets incremented to 258, which exceeds the buffer size by 2. So the
overflow happens.
The value of "i" needs to be checked before filling xyjBuffer.
564     if (diam < oneU) { /* special case: very short cubic */
565         if (x01 != 0 || y01 != 0) {
566             p->xyjBuffer[i++] = (i8)x01;
567             p->xyjBuffer[i++] = (i8)y01;
568         }
569         if (x12 != 0 || y12 != 0) {
570             p->xyjBuffer[i++] = (i8)x12;
571             p->xyjBuffer[i++] = (i8)y12;
572         }
573         if (x23 != 0 || y23 != 0) {
574             p->xyjBuffer[i++] = (i8)x23;
575             p->xyjBuffer[i++] = (i8)y23;
576         }
577     } else { /* trace the cubic */
578         int d0x, d1x, d2x, d3x;
Unfortunately, there's no test case demonstrating the problem.
###@###.### 2005-04-14 23:34:14 GMT
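The check the report asks for, as an added example that is not the JDK's dcLLFillerS.c: a constructed model of the structure with a 256-byte xyjBuffer, the unchecked short-cubic appends as the page shows them, and a hardened variant that sizes the write before touching the buffer. The struct layout, the slack bytes behind the logical buffer, the derivation of x01..y23 as successive point differences, and every function name here are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int8_t i8;

/* Assumed sizes for this example: the report names 256 as the limit of
 * p->xyjN.  The slack bytes let the unchecked variant overrun the logical
 * buffer without writing outside the object, so the overrun is observable. */
#define XYJ_CAPACITY 256
#define XYJ_SLACK    8

typedef struct {
    i8  xyjBuffer[XYJ_CAPACITY + XYJ_SLACK];
    int xyjN;               /* bytes already stored; the report's "i" */
} Filler;

/* Bytes the short-cubic case will write: two for each non-zero delta pair. */
int short_cubic_bytes_needed(int x01, int y01, int x12, int y12, int x23, int y23)
{
    int need = 0;
    if (x01 != 0 || y01 != 0) need += 2;
    if (x12 != 0 || y12 != 0) need += 2;
    if (x23 != 0 || y23 != 0) need += 2;
    return need;
}

/* The three conditional appends of lines 565-576, as the page shows them. */
static void write_pairs(Filler *p, int x01, int y01, int x12, int y12, int x23, int y23)
{
    int i = p->xyjN;
    if (x01 != 0 || y01 != 0) { p->xyjBuffer[i++] = (i8)x01; p->xyjBuffer[i++] = (i8)y01; }
    if (x12 != 0 || y12 != 0) { p->xyjBuffer[i++] = (i8)x12; p->xyjBuffer[i++] = (i8)y12; }
    if (x23 != 0 || y23 != 0) { p->xyjBuffer[i++] = (i8)x23; p->xyjBuffer[i++] = (i8)y23; }
    p->xyjN = i;
}

/* Pattern in the report: append without consulting the capacity. */
int append_short_cubic_unchecked(Filler *p, int x01, int y01, int x12, int y12, int x23, int y23)
{
    write_pairs(p, x01, y01, x12, y12, x23, y23);
    return p->xyjN;
}

/* Hardened form: size the write first and refuse when it would not fit.
 * Returns the new count, or -1 when the caller must flush (or grow) the
 * buffer and retry.  Filling the buffer exactly (count == 256) is allowed. */
int append_short_cubic_checked(Filler *p, int x01, int y01, int x12, int y12, int x23, int y23)
{
    int need = short_cubic_bytes_needed(x01, y01, x12, y12, x23, y23);
    if (p->xyjN < 0 || p->xyjN > XYJ_CAPACITY || need > XYJ_CAPACITY - p->xyjN)
        return -1;
    write_pairs(p, x01, y01, x12, y12, x23, y23);
    return p->xyjN;
}

/* Input from the report: current point (8,13), control points (8,11), (9,9),
 * (11,8).  Taking the deltas as successive differences is an assumption; the
 * page does not show how appendArc3 derives x01..y23. */
#define R_X01 (8 - 8)
#define R_Y01 (11 - 13)
#define R_X12 (9 - 8)
#define R_Y12 (9 - 11)
#define R_X23 (11 - 9)
#define R_Y23 (8 - 9)

/* Runs the report's input from a given start count through one variant. */
static int run_report_case(Filler *f, int start, int checked)
{
    memset(f, 0, sizeof *f);
    f->xyjN = start;
    return checked
        ? append_short_cubic_checked(f, R_X01, R_Y01, R_X12, R_Y12, R_X23, R_Y23)
        : append_short_cubic_unchecked(f, R_X01, R_Y01, R_X12, R_Y12, R_X23, R_Y23);
}

/* Non-zero bytes that landed past the logical end of the buffer. */
static int bytes_past_end(const Filler *f)
{
    int k, n = 0;
    for (k = XYJ_CAPACITY; k < XYJ_CAPACITY + XYJ_SLACK; k++)
        if (f->xyjBuffer[k] != 0) n++;
    return n;
}

int demo_unchecked_final_index(void)       { Filler f; return run_report_case(&f, 252, 0); }
int demo_unchecked_bytes_past_end(void)    { Filler f; run_report_case(&f, 252, 0); return bytes_past_end(&f); }
int demo_checked_result(void)              { Filler f; return run_report_case(&f, 252, 1); }
int demo_checked_count_after_refusal(void) { Filler f; run_report_case(&f, 252, 1); return f.xyjN; }
int demo_checked_exact_fit(void)           { Filler f; return run_report_case(&f, 250, 1); }

int main(void)
{
    printf("unchecked: final i = %d, bytes past end = %d\n",
           demo_unchecked_final_index(), demo_unchecked_bytes_past_end());
    printf("checked:   result = %d, xyjN still = %d, exact fit from 250 -> %d\n",
           demo_checked_result(), demo_checked_count_after_refusal(),
           demo_checked_exact_fit());
    return 0;
}
```

With the report's values the unchecked path ends with i at 258 and two bytes written past index 255; the checked path refuses the same input and leaves xyjN at 252, while still accepting a write that fills the buffer exactly, so the guard does not lose the last six bytes of a full buffer.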