From e270e6394b623b48d416feeef0c3856f2e303c8d Mon Sep 17 00:00:00 2001
From: Matthieu Herrb
Date: Sat, 1 Oct 2005 17:53:38 +0000
Subject: Bug #3822: out of bound reads in fbbltone and fbblt (Mark Kettenis, Thierry Deval).
---
 fb/fbblt.c | 7 +++++--
 fb/fbbltone.c | 25 ++++++++++++++++++-------
 2 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/fb/fbblt.c b/fb/fbblt.c
index 131707dc6..c2617a718 100644
--- a/fb/fbblt.c
+++ b/fb/fbblt.c
@@ -271,8 +271,11 @@ fbBlt (FbBits *srcLine,
 if (startmask)
 {
 bits = FbScrLeft(bits1, leftShift);
- bits1 = *src++;
- bits |= FbScrRight(bits1, rightShift);
+ if (FbScrLeft(startmask, rightShift))
+ {
+ bits1 = *src++;
+ bits |= FbScrRight(bits1, rightShift);
+ }
 FbDoLeftMaskByteMergeRop (dst, bits, startbyte, startmask);
 dst++;
 }
diff --git a/fb/fbbltone.c b/fb/fbbltone.c
index 48f998651..b271318d1 100644
--- a/fb/fbbltone.c
+++ b/fb/fbbltone.c
@@ -52,12 +52,12 @@
 #define LoadBits {\
 if (leftShift) { \
- bitsRight = *src++; \
+ bitsRight = (src < srcEnd ? *src++ : 0); \
 bits = (FbStipLeft (bitsLeft, leftShift) | \
 FbStipRight(bitsRight, rightShift)); \
 bitsLeft = bitsRight; \
 } else \
- bits = *src++; \
+ bits = (src < srcEnd ? *src++ : 0); \
 }
 #ifndef FBNOPIXADDR
@@ -151,6 +151,7 @@ fbBltOne (FbStip *src,
 FbBits bgxor)
 {
 const FbBits *fbBits;
+ FbBits *srcEnd;
 int pixelsPerDst; /* dst pixels per FbBits */
 int unitsPerSrc; /* src patterns per FbStip */
 int leftShift, rightShift; /* align source with dest */
@@ -181,7 +182,12 @@ fbBltOne (FbStip *src,
 return;
 }
 #endif
-
+
+ /*
+ * Do not read past the end of the buffer!
+ */
+ srcEnd = src + height * srcStride;
+
 /*
 * Number of destination units in FbBits == number of stipple pixels
 * used each time
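Review bot: In the fb/fbblt.c hunk, when `FbScrLeft(startmask, rightShift)` is zero the new block skips the `src++` together with the load, so the code after this hunk continues from a different `src` position than it did before the change. The `if` should carry a comment saying why that is the intended alignment, for example `/* fetch the next source word only if startmask covers bits that come from it */`. fbBlt's body starts and ends outside the hunk, so whether any other branch that loads the word following a masked edge has the same unguarded read cannot be seen here and is worth checking.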
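Review bot: In the fb/fbbltone.c hunk at -52,12, `LoadBits` now expands to a reference to `srcEnd`, a name the macro neither takes as a parameter nor documents, so every function that expands it has to declare and initialise a local of that name. A comment above the macro such as `/* requires srcEnd in scope: one past the last readable source word */` would state that contract; the same applies to the 24-bit stipple macro changed in the hunk at -532,7. Substituting 0 once `src` reaches `srcEnd` stops the over-read but also hides a caller that asks for more source than exists, so a debug-build assertion or log on that path would help surface the underlying geometry error.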
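Review bot: In the hunk at -151,6, `srcEnd` is declared as `FbBits *`, but it is assigned from and compared with `src`, which the signature in the hunk header shows as `FbStip *`; the fbBltOne24 hunk at -583,7 uses `FbStip *src, *srcEnd;` instead. If FbStip and FbBits are distinct types in any build configuration, the assignment and the `src < srcEnd` comparison mix incompatible pointer types. Declaring it as `FbStip *srcEnd;` would keep the two functions consistent. The declaration list continues outside the hunk.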
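Review bot: In the hunk at -181,7, `srcEnd = src + height * srcStride;` is computed without validating either operand, and the product is evaluated in whatever integer type `height` and `srcStride` have, which this hunk does not show. A large product could overflow before it is added to the pointer, and a zero or negative stride would leave `srcEnd` at or below `src`, so every guarded load would silently yield 0. The same expression is added to fbBltOne24 in the hunk at -593,6. The comment could also say what the bound means, e.g. `/* one past the last source word: height rows of srcStride units */`, assuming that is the stride unit. The bound covers the whole source area rather than the current row, so a read that runs past a row end into the next row is still accepted.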
@@ -232,11 +238,11 @@ fbBltOne (FbStip *src,
 /*
 * Get pointer to stipple mask array for this depth
 */
- fbBits = NULL; /* unused */
+ fbBits = 0; /* unused */
 if (pixelsPerDst <= 8)
 fbBits = fbStippleTable[pixelsPerDst];
 #ifndef FBNOPIXADDR
- fbLane = NULL;
+ fbLane = 0;
 if (transparent && fgand == 0 && dstBpp >= 8)
 fbLane = fbLaneTable[dstBpp];
 #endif
@@ -532,7 +538,7 @@ const FbBits fbStipple24Bits[3][1 << FbStip24Len] = {
 stip = FbLeftStipBits(bits, len); \
 } else { \
 stip = FbLeftStipBits(bits, remain); \
- bits = *src++; \
+ bits = (src < srcEnd ? *src++ : 0); \
 __len = (len) - remain; \
 stip = FbMergePartStip24Bits(stip, FbLeftStipBits(bits, __len), \
 remain, __len); \
@@ -583,7 +589,7 @@ fbBltOne24 (FbStip *srcLine,
 FbBits bgand,
 FbBits bgxor)
 {
- FbStip *src;
+ FbStip *src, *srcEnd;
 FbBits leftMask, rightMask, mask;
 int nlMiddle, nl;
 FbStip stip, bits;
@@ -593,6 +599,11 @@ fbBltOne24 (FbStip *srcLine,
 int rot0, rot;
 int nDst;
+ /*
+ * Do not read past the end of the buffer!
+ */
+ srcEnd = srcLine + height * srcStride;
+
 srcLine += srcX >> FB_STIP_SHIFT;
 dst += dstX >> FB_SHIFT;
 srcX &= FB_STIP_MASK;
--
cgit v1.2.3
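Review bot: In the hunk at -232,11, replacing `NULL` with `0` for the `fbBits` and `fbLane` initialisers is unrelated to the out-of-bounds fix and makes it less obvious that both appear to be pointers. If `NULL` was not defined in this translation unit, including the header that defines it would be the cleaner fix; otherwise keep `fbBits = NULL; /* unused */` and `fbLane = NULL;`. Either way the change would be easier to review as a separate commit from the bounds checks.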