From 98622623a0865c525ede12ef5759ab6f5b3af407 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Andre
Date: Wed, 18 Oct 2017 21:40:01 +0900
Subject: [PATCH] evas: Prevent crash with image_data_get If the image has no data, it may get an allocated surface of 1x1 but it is not sane to return the pointer to that data, as the user would expect a normally sized image (in my case, 1920x1080). I do not fully understand what is going on with this image. But at least this transforms a crash into a simple ERR in ~/.xessions-errors Two similar crashes happened: - SIGSEGV by writing data outside of the image data - abort() in free() because the malloc metadata has been overridden when writing outside of the image data (newly allocated 1x1). Fixes T5957 @fix
---
 .../evas/engines/gl_generic/evas_engine.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/modules/evas/engines/gl_generic/evas_engine.c b/src/modules/evas/engines/gl_generic/evas_engine.c
index a8ef044d51..a6b229a5c6 100644
--- a/src/modules/evas/engines/gl_generic/evas_engine.c
+++ b/src/modules/evas/engines/gl_generic/evas_engine.c
@@ -701,11 +701,9 @@ _rotate_image_data(Render_Engine_GL_Generic *re, Evas_GL_Image *im1)
 RGBA_Draw_Context *dc;
 int w, h;
- gl_context = gl_generic_context_find(re, 1);
 w = im1->w;
 h = im1->h;
- alpha = eng_image_alpha_get(re, im1);
 if (im1->orient == EVAS_IMAGE_ORIENT_90 || im1->orient == EVAS_IMAGE_ORIENT_270 ||
@@ -716,6 +714,10 @@ _rotate_image_data(Render_Engine_GL_Generic *re, Evas_GL_Image *im1)
 h = im1->w;
 }
+ if ((w * h) <= 0) return NULL;
+
+ alpha = eng_image_alpha_get(re, im1);
+ gl_context = gl_generic_context_find(re, 1);
 im2 = evas_gl_common_image_surface_new(gl_context, w, h, alpha, EINA_FALSE);
 evas_gl_common_context_target_surface_set(gl_context, im2);
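Review bot: The new guard `if ((w * h) <= 0) return NULL;` in the `@@ -716,6 +714,10 @@` hunk tests the product instead of each dimension, so two negative values pass it (their product is positive), and the `int` multiplication can overflow for large dimensions, which is undefined behaviour. Checking the operands directly avoids both problems: `if ((w <= 0) || (h <= 0)) return NULL;`. The guard also adds a NULL return to _rotate_image_data, whose body and callers lie outside this hunk. Those callers should be confirmed to test the result before dereferencing it, otherwise the crash only moves from the heap write to a NULL dereference.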
@@ -906,8 +908,18 @@ eng_image_data_get(void *engine, void *image, int to_write, DATA32 **image_data, #endif error = evas_cache_image_load_data(&im->im->cache_entry); + if (err) *err = error; if (error != EVAS_LOAD_ERROR_NONE) { + if (!im->im->image.data || + (im->im->cache_entry.allocated.w != (unsigned) im->w) || + (im->im->cache_entry.allocated.h != (unsigned) im->h)) + { + ERR("GL image has no source data, failed to get pixel data"); + *image_data = NULL; + return im; + } + if (tofree && !to_write) goto rotate_image; }
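Review bot: The size comparison that keeps an undersized buffer from being handed out sits inside `if (error != EVAS_LOAD_ERROR_NONE)`, so it runs only when the load reports an error. If a load can return EVAS_LOAD_ERROR_NONE while `cache_entry.allocated.w`/`.h` still differ from `im->w`/`im->h` (the commit message says the root cause is not understood), the caller would again write past a small allocation. Consider applying the same three-part check on the success path before the data pointer is returned. The new branch also writes `*image_data = NULL;` unconditionally although `err` is NULL-checked one line earlier; if callers may pass a NULL `image_data`, guard it the same way with `if (image_data) *image_data = NULL;`. The rest of eng_image_data_get is outside the hunk, so both points need checking against the code that follows.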