RepoMirrors
/
mpv
mirror of https://github.com/mpv-player/mpv
1
0
Fork 0
Code Issues Releases Wiki Activity

draw_bmp: fix out of bounds access in mark_rect 

When the width is exactly a multiple of SLICE_W (currently 256),
heap buffer overflow is reported by Address Sanitizer. So adjust
the maximum index for the line array accordingly.
This commit is contained in:
Shreesh Adiga 2021-09-26 13:43:34 +05:30 committed by Dudemanguy
parent 064059e6c3
commit e97819f88e
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
sub/draw_bmp.c
View File

@ -260,8 +260,8 @@ static void mark_rect(struct mp_draw_sub_cache *p, int x0, int y0, int x1, int y
assert(x0 >= 0 && x0 <= x1 && x1 <= p->w);
assert(y0 >= 0 && y0 <= y1 && y1 <= p->h);
int sx0 = x0 / SLICE_W;
int sx1 = x1 / SLICE_W;
const int sx0 = x0 / SLICE_W;
const int sx1 = MPMIN(x1 / SLICE_W, p->s_w - 1);
for (int y = y0; y < y1; y++) {
struct slice *line = &p->slices[y * p->s_w];
@ -270,7 +270,7 @@ static void mark_rect(struct mp_draw_sub_cache *p, int x0, int y0, int x1, int y
struct slice *s1 = &line[sx1];
s0->x0 = MPMIN(s0->x0, x0 % SLICE_W);
s1->x1 = MPMAX(s1->x1, x1 % SLICE_W);
s1->x1 = MPMAX(s1->x1, ((x1 - 1) % SLICE_W) + 1);
if (s0 != s1) {
s0->x1 = SLICE_W;