author | Shreesh Adiga <16567adigashreesh@gmail.com> | 2021-09-26 13:43:34 +0530 |
---|---|---|
committer | Dudemanguy <random342@airmail.cc> | 2022-10-11 17:11:07 +0000 |
commit | e97819f88e451623a397b79d101497205fe849f9 (patch) | |
tree | 44d260d33415cf179262e1a611125fa4d0b36b50 /sub/draw_bmp.c | |
parent | 064059e6c36329e1b1fd567d0efdfbaf13ec53c4 (diff) | |
draw_bmp: fix out of bounds access in mark_rect
When the width is exactly a multiple of SLICE_W (currently 256),
heap buffer overflow is reported by Address Sanitizer. So adjust
the maximum index for the line array accordingly.
Diffstat (limited to 'sub/draw_bmp.c')
-rw-r--r-- | sub/draw_bmp.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/sub/draw_bmp.c b/sub/draw_bmp.c
index 37e57a1991..2765ceb759 100644
--- a/sub/draw_bmp.c
+++ b/sub/draw_bmp.c
@@ -260,8 +260,8 @@ static void mark_rect(struct mp_draw_sub_cache *p, int x0, int y0, int x1, int y
 assert(x0 >= 0 && x0 <= x1 && x1 <= p->w);
 assert(y0 >= 0 && y0 <= y1 && y1 <= p->h);
- int sx0 = x0 / SLICE_W;
- int sx1 = x1 / SLICE_W;
+ const int sx0 = x0 / SLICE_W;
+ const int sx1 = MPMIN(x1 / SLICE_W, p->s_w - 1);
 for (int y = y0; y < y1; y++) {
 struct slice *line = &p->slices[y * p->s_w];
@@ -270,7 +270,7 @@ static void mark_rect(struct mp_draw_sub_cache *p, int x0, int y0, int x1, int y
 struct slice *s1 = &line[sx1];
 s0->x0 = MPMIN(s0->x0, x0 % SLICE_W);
- s1->x1 = MPMAX(s1->x1, x1 % SLICE_W);
+ s1->x1 = MPMAX(s1->x1, ((x1 - 1) % SLICE_W) + 1);
 if (s0 != s1) {
 s0->x1 = SLICE_W; |
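Review bot: `sx0` in the first hunk is still `x0 / SLICE_W` with no upper bound, while the assert just above it permits `x0 == x1 == p->w`. If `p->s_w` is the width rounded up to whole slices, as the commit message implies, a zero-width rectangle at the right edge of a width that is a multiple of SLICE_W would still make `&line[sx0]` point one slice past the row whenever `y0 < y1`, and the write to `s0->x0` would land there. Whether any caller can pass such a rectangle is not visible here, so an explicit guard after the asserts, `if (x0 == x1) return;`, would close the case without depending on callers. mark_rect's body starts and ends outside the hunk.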
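Review bot: The end slice and the end offset are now derived from different pixels: `sx1` comes from `x1 / SLICE_W` in the first hunk, while the offset written in the second hunk comes from `x1 - 1`. When `x1` is a multiple of SLICE_W below the clamp, `s1` is the slice to the right of the last covered pixel, and its `x1` is raised to SLICE_W although no pixel of the rectangle lies in it. Taking the index from the same pixel for a non-empty rectangle, `const int sx1 = (x1 - 1) / SLICE_W;`, would keep the two consistent. It should also stay in range without MPMIN given `x1 <= p->w`, assuming `p->s_w` covers the full width. The `if (s0 != s1)` block continues outside the hunk, so what it does to that slice's `x0` cannot be checked from here.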