authorMatthieu Herrb <matthieu.herrb@laas.fr>2005-10-01 17:53:38 +0000
committerMatthieu Herrb <matthieu.herrb@laas.fr>2005-10-01 17:53:38 +0000
commite270e6394b623b48d416feeef0c3856f2e303c8d (patch)
tree840be6808151822f9d962b582392f3173ed5b81d
parent54b2a14f0fa4397f3e9ae75dd63d5cacfdd778eb (diff)
Bug #3822: out of bound reads in fbbltone and fbblt (Mark Kettenis, Thierry
Deval).
-rw-r--r--fb/fbblt.c7
-rw-r--r--fb/fbbltone.c25
2 files changed, 23 insertions, 9 deletions
diff --git a/fb/fbblt.c b/fb/fbblt.c
index 131707dc6..c2617a718 100644
--- a/fb/fbblt.c
+++ b/fb/fbblt.c
@@ -271,8 +271,11 @@ fbBlt (FbBits *srcLine,
if (startmask)
{
bits = FbScrLeft(bits1, leftShift);
- bits1 = *src++;
- bits |= FbScrRight(bits1, rightShift);
+ if (FbScrLeft(startmask, rightShift))
+ {
+ bits1 = *src++;
+ bits |= FbScrRight(bits1, rightShift);
+ }
FbDoLeftMaskByteMergeRop (dst, bits, startbyte, startmask);
dst++;
}
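Review bot: The new guard `if (FbScrLeft(startmask, rightShift))` at the top of the startmask branch has no comment, and its purpose is not obvious from the expression alone. It appears to skip the `*src++` fetch when none of the bits selected by startmask would come from the next source word, which is what avoids the read beyond the source buffer. A comment such as `/* fetch the next source word only if startmask needs bits from it */` would record that. fbBlt's body starts and ends outside this hunk, so whether the matching endmask path needs the same treatment cannot be checked from here.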
diff --git a/fb/fbbltone.c b/fb/fbbltone.c
index 48f998651..b271318d1 100644
--- a/fb/fbbltone.c
+++ b/fb/fbbltone.c
@@ -52,12 +52,12 @@
#define LoadBits {\
if (leftShift) { \
- bitsRight = *src++; \
+ bitsRight = (src < srcEnd ? *src++ : 0); \
bits = (FbStipLeft (bitsLeft, leftShift) | \
FbStipRight(bitsRight, rightShift)); \
bitsLeft = bitsRight; \
} else \
- bits = *src++; \
+ bits = (src < srcEnd ? *src++ : 0); \
}
#ifndef FBNOPIXADDR
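Review bot: LoadBits now depends on a variable named `srcEnd` being in scope wherever it is expanded, and nothing at the macro definition says so; the same applies to the 24-bit stipple macro changed in the hunk at -532/+538. A one-line comment above each macro, e.g. `/* needs srcEnd in scope; loads at or beyond srcEnd yield 0 instead of touching memory */`, would make that contract visible. Substituting 0 also hides any mismatch between the caller's geometry and the real buffer, so a debug-only assertion on the `src >= srcEnd` path may be worth considering.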
@@ -151,6 +151,7 @@ fbBltOne (FbStip *src,
FbBits bgxor)
{
const FbBits *fbBits;
+ FbBits *srcEnd;
int pixelsPerDst; /* dst pixels per FbBits */
int unitsPerSrc; /* src patterns per FbStip */
int leftShift, rightShift; /* align source with dest */
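Review bot: `srcEnd` is declared as `FbBits *` here, but it is assigned from and compared against `src`, which the signature in the hunk header shows as `FbStip *`. If the two typedefs differ in a given build (not visible on this page), `srcEnd = src + height * srcStride` is an incompatible pointer assignment and `src < srcEnd` compares pointers of different types. Declaring it as `FbStip *srcEnd;`, as the fbBltOne24 hunk does, keeps the bound in the same units as the pointer it guards.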
@@ -181,7 +182,12 @@ fbBltOne (FbStip *src,
return;
}
#endif
-
+
+ /*
+ * Do not read past the end of the buffer!
+ */
+ srcEnd = src + height * srcStride;
+
/*
* Number of destination units in FbBits == number of stipple pixels
* used each time
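Review bot: The bound `srcEnd = src + height * srcStride` is derived from the caller-supplied `height` and `srcStride`, not from the size of the allocation, and the comment "Do not read past the end of the buffer!" does not say so. The check therefore only prevents over-reads when those two arguments describe the real source buffer; their types and any validation are outside this hunk. A more specific comment, e.g. `/* end of the source stipple as described by height and srcStride; LoadBits yields 0 beyond it */`, would state the assumption. The same applies to `srcEnd = srcLine + height * srcStride` in the fbBltOne24 hunk at -593/+599.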
@@ -232,11 +238,11 @@ fbBltOne (FbStip *src,
/*
* Get pointer to stipple mask array for this depth
*/
- fbBits = NULL; /* unused */
+ fbBits = 0; /* unused */
if (pixelsPerDst <= 8)
fbBits = fbStippleTable[pixelsPerDst];
#ifndef FBNOPIXADDR
- fbLane = NULL;
+ fbLane = 0;
if (transparent && fgand == 0 && dstBpp >= 8)
fbLane = fbLaneTable[dstBpp];
#endif
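Review bot: Replacing `NULL` with `0` for `fbBits` and `fbLane` is unrelated to the bounds fix and makes the pointer initialisation read like an integer assignment. Unless `NULL` is unavailable in this translation unit (the includes are outside the hunk), keeping `fbBits = NULL;` and `fbLane = NULL;` would be clearer. The `/* unused */` comment is also misleading, since `fbBits` is assigned from `fbStippleTable` on the next line when `pixelsPerDst <= 8`.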
@@ -532,7 +538,7 @@ const FbBits fbStipple24Bits[3][1 << FbStip24Len] = {
stip = FbLeftStipBits(bits, len); \
} else { \
stip = FbLeftStipBits(bits, remain); \
- bits = *src++; \
+ bits = (src < srcEnd ? *src++ : 0); \
__len = (len) - remain; \
stip = FbMergePartStip24Bits(stip, FbLeftStipBits(bits, __len), \
remain, __len); \
@@ -583,7 +589,7 @@ fbBltOne24 (FbStip *srcLine,
FbBits bgand,
FbBits bgxor)
{
- FbStip *src;
+ FbStip *src, *srcEnd;
FbBits leftMask, rightMask, mask;
int nlMiddle, nl;
FbStip stip, bits;
@@ -593,6 +599,11 @@ fbBltOne24 (FbStip *srcLine,
int rot0, rot;
int nDst;
+ /*
+ * Do not read past the end of the buffer!
+ */
+ srcEnd = srcLine + height * srcStride;
+
srcLine += srcX >> FB_STIP_SHIFT;
dst += dstX >> FB_SHIFT;
srcX &= FB_STIP_MASK;