diff options
| author | Matthieu Herrb <matthieu.herrb@laas.fr> | 2005-10-01 17:53:38 +0000 |
|---|---|---|
| committer | Matthieu Herrb <matthieu.herrb@laas.fr> | 2005-10-01 17:53:38 +0000 |
| commit | e270e6394b623b48d416feeef0c3856f2e303c8d (patch) | |
| tree | 840be6808151822f9d962b582392f3173ed5b81d /fb/fbbltone.c | |
| parent | 54b2a14f0fa4397f3e9ae75dd63d5cacfdd778eb (diff) | |
Bug #3822: out of bound reads in fbbltone and fbblt (Mark Kettenis, Thierry
Deval).
Diffstat (limited to 'fb/fbbltone.c')
| -rw-r--r-- | fb/fbbltone.c | 25 |
1 files changed, 18 insertions, 7 deletions
diff --git a/fb/fbbltone.c b/fb/fbbltone.c index 48f998651..b271318d1 100644 --- a/fb/fbbltone.c +++ b/fb/fbbltone.c @@ -52,12 +52,12 @@ #define LoadBits {\ if (leftShift) { \ - bitsRight = *src++; \ + bitsRight = (src < srcEnd ? *src++ : 0); \ bits = (FbStipLeft (bitsLeft, leftShift) | \ FbStipRight(bitsRight, rightShift)); \ bitsLeft = bitsRight; \ } else \ - bits = *src++; \ + bits = (src < srcEnd ? *src++ : 0); \ } #ifndef FBNOPIXADDR @@ -151,6 +151,7 @@ fbBltOne (FbStip *src, FbBits bgxor) { const FbBits *fbBits; + FbBits *srcEnd; int pixelsPerDst; /* dst pixels per FbBits */ int unitsPerSrc; /* src patterns per FbStip */ int leftShift, rightShift; /* align source with dest */ @@ -181,7 +182,12 @@ fbBltOne (FbStip *src, return; } #endif - + + /* + * Do not read past the end of the buffer! + */ + srcEnd = src + height * srcStride; + /* * Number of destination units in FbBits == number of stipple pixels * used each time @@ -232,11 +238,11 @@ fbBltOne (FbStip *src, /* * Get pointer to stipple mask array for this depth */ - fbBits = NULL; /* unused */ + fbBits = 0; /* unused */ if (pixelsPerDst <= 8) fbBits = fbStippleTable[pixelsPerDst]; #ifndef FBNOPIXADDR - fbLane = NULL; + fbLane = 0; if (transparent && fgand == 0 && dstBpp >= 8) fbLane = fbLaneTable[dstBpp]; #endif @@ -532,7 +538,7 @@ const FbBits fbStipple24Bits[3][1 << FbStip24Len] = { stip = FbLeftStipBits(bits, len); \ } else { \ stip = FbLeftStipBits(bits, remain); \ - bits = *src++; \ + bits = (src < srcEnd ? *src++ : 0); \ __len = (len) - remain; \ stip = FbMergePartStip24Bits(stip, FbLeftStipBits(bits, __len), \ remain, __len); \ @@ -583,7 +589,7 @@ fbBltOne24 (FbStip *srcLine, FbBits bgand, FbBits bgxor) { - FbStip *src; + FbStip *src, *srcEnd; FbBits leftMask, rightMask, mask; int nlMiddle, nl; FbStip stip, bits; @@ -593,6 +599,11 @@ fbBltOne24 (FbStip *srcLine, int rot0, rot; int nDst; + /* + * Do not read past the end of the buffer! + */ + srcEnd = srcLine + height * srcStride; + srcLine += srcX >> FB_STIP_SHIFT; dst += dstX >> FB_SHIFT; srcX &= FB_STIP_MASK; |