Bug #3822: out of bound reads in fbbltone and fbblt (Mark Kettenis, Thierry Deval).
Matthieu Herrb 2005-10-01 17:53:38 +00:00
parent 54b2a14f0f
commit e270e6394b
2 changed files with 23 additions and 9 deletions


@ -271,8 +271,11 @@ fbBlt (FbBits *srcLine,
if (startmask) if (startmask)
{ {
bits = FbScrLeft(bits1, leftShift); bits = FbScrLeft(bits1, leftShift);
if (FbScrLeft(startmask, rightShift))
{
bits1 = *src++; bits1 = *src++;
bits |= FbScrRight(bits1, rightShift); bits |= FbScrRight(bits1, rightShift);
}
FbDoLeftMaskByteMergeRop (dst, bits, startbyte, startmask); FbDoLeftMaskByteMergeRop (dst, bits, startbyte, startmask);
dst++; dst++;
} }
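Review bot: The new `if (FbScrLeft(startmask, rightShift))` guard carries no comment saying why the fetch of the next source word is conditional, so a later cleanup could easily fold it away and bring the out-of-bounds read back. I would put `/* fetch the next source word only if startmask keeps bits from it; otherwise this read can fall outside the source */` above the test. Only the start-mask case is visible in this hunk, so the end-mask case and any mirrored traversal elsewhere in fbBlt should be checked for an equivalent guard. fbBlt's body starts and ends outside the hunk.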


@ -52,12 +52,12 @@
#define LoadBits {\ #define LoadBits {\
if (leftShift) { \ if (leftShift) { \
bitsRight = *src++; \ bitsRight = (src < srcEnd ? *src++ : 0); \
bits = (FbStipLeft (bitsLeft, leftShift) | \ bits = (FbStipLeft (bitsLeft, leftShift) | \
FbStipRight(bitsRight, rightShift)); \ FbStipRight(bitsRight, rightShift)); \
bitsLeft = bitsRight; \ bitsLeft = bitsRight; \
} else \ } else \
bits = *src++; \ bits = (src < srcEnd ? *src++ : 0); \
} }
#ifndef FBNOPIXADDR #ifndef FBNOPIXADDR
@ -151,6 +151,7 @@ fbBltOne (FbStip *src,
FbBits bgxor) FbBits bgxor)
{ {
const FbBits *fbBits; const FbBits *fbBits;
FbBits *srcEnd;
int pixelsPerDst; /* dst pixels per FbBits */ int pixelsPerDst; /* dst pixels per FbBits */
int unitsPerSrc; /* src patterns per FbStip */ int unitsPerSrc; /* src patterns per FbStip */
int leftShift, rightShift; /* align source with dest */ int leftShift, rightShift; /* align source with dest */
@ -182,6 +183,11 @@ fbBltOne (FbStip *src,
} }
#endif #endif
/*
* Do not read past the end of the buffer!
*/
srcEnd = src + height * srcStride;
/* /*
* Number of destination units in FbBits == number of stipple pixels * Number of destination units in FbBits == number of stipple pixels
* used each time * used each time
@ -232,11 +238,11 @@ fbBltOne (FbStip *src,
/* /*
* Get pointer to stipple mask array for this depth * Get pointer to stipple mask array for this depth
*/ */
fbBits = NULL; /* unused */ fbBits = 0; /* unused */
if (pixelsPerDst <= 8) if (pixelsPerDst <= 8)
fbBits = fbStippleTable[pixelsPerDst]; fbBits = fbStippleTable[pixelsPerDst];
#ifndef FBNOPIXADDR #ifndef FBNOPIXADDR
fbLane = NULL; fbLane = 0;
if (transparent && fgand == 0 && dstBpp >= 8) if (transparent && fgand == 0 && dstBpp >= 8)
fbLane = fbLaneTable[dstBpp]; fbLane = fbLaneTable[dstBpp];
#endif #endif
@ -532,7 +538,7 @@ const FbBits fbStipple24Bits[3][1 << FbStip24Len] = {
stip = FbLeftStipBits(bits, len); \ stip = FbLeftStipBits(bits, len); \
} else { \ } else { \
stip = FbLeftStipBits(bits, remain); \ stip = FbLeftStipBits(bits, remain); \
bits = *src++; \ bits = (src < srcEnd ? *src++ : 0); \
__len = (len) - remain; \ __len = (len) - remain; \
stip = FbMergePartStip24Bits(stip, FbLeftStipBits(bits, __len), \ stip = FbMergePartStip24Bits(stip, FbLeftStipBits(bits, __len), \
remain, __len); \ remain, __len); \
@ -583,7 +589,7 @@ fbBltOne24 (FbStip *srcLine,
FbBits bgand, FbBits bgand,
FbBits bgxor) FbBits bgxor)
{ {
FbStip *src; FbStip *src, *srcEnd;
FbBits leftMask, rightMask, mask; FbBits leftMask, rightMask, mask;
int nlMiddle, nl; int nlMiddle, nl;
FbStip stip, bits; FbStip stip, bits;
@ -593,6 +599,11 @@ fbBltOne24 (FbStip *srcLine,
int rot0, rot; int rot0, rot;
int nDst; int nDst;
/*
* Do not read past the end of the buffer!
*/
srcEnd = srcLine + height * srcStride;
srcLine += srcX >> FB_STIP_SHIFT; srcLine += srcX >> FB_STIP_SHIFT;
dst += dstX >> FB_SHIFT; dst += dstX >> FB_SHIFT;
srcX &= FB_STIP_MASK; srcX &= FB_STIP_MASK;
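Review bot: In fbBltOne the new bound is declared `FbBits *srcEnd;` although `src` is an `FbStip *`, so `srcEnd = src + height * srcStride` and the `src < srcEnd` test inside LoadBits mix pointer types unless the two names are the same typedef; fbBltOne24 gets it right with `FbStip *src, *srcEnd;`, and fbBltOne should match with `FbStip *srcEnd;`. On a configuration where FbStip and FbBits differ in width (not visible here) this is at least a compiler diagnostic on the very comparison the fix relies on. LoadBits and the 24-bit fetch macro now also depend on a local named `srcEnd` at every expansion site and silently substitute 0 past the end, which deserves a note at each macro such as `/* requires srcEnd in scope; reads at or past it yield 0 */`. Both function bodies continue outside the hunks shown.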