Fixed bug 936 SDL-1.2
author Sam Lantinga <slouken@libsdl.org>
Sun, 18 Jul 2010 10:08:06 -0700
branch SDL-1.2
changeset 4541abb56f7699ea
parent 4540 e978b888d87a
child 4543 d7cdc25af9a2
Fixed bug 936

Make sure that eip doesn't overflow the copy buffer beforehand. :)
src/video/SDL_stretch.c
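--- a/src/video/SDL_stretch.c
+++ b/src/video/SDL_stretch.c
@@ -78,7 +78,7 @@
 
 	int i;
 	int pos, inc;
-	unsigned char *eip;
+	unsigned char *eip, *end;
 	unsigned char load, store;
 
 	/* See if we need to regenerate the copy buffer */
@@ -115,7 +115,8 @@
 	pos = 0x10000;
 	inc = (src_w << 16) / dst_w;
 	eip = copy_row;
-	for ( i=0; i<dst_w; ++i ) {
+	end = copy_row+sizeof(copy_row);
+	for ( i=0; i<dst_w && eip < end; ++i ) {
 		while ( pos >= 0x10000L ) {
 			if ( bpp == 2 ) {
 				*eip++ = PREFIX16;
@@ -132,8 +133,8 @@
 	*eip++ = RETURN;
 
 	/* Verify that we didn't overflow (too late!!!) */
-	if ( eip > (copy_row+sizeof(copy_row)) ) {
-		SDL_SetError("Copy buffer overflow");
+	if ( i < dst_w ) {
+		SDL_SetError("Copy buffer too small");
 		return(-1);
 	}
 #ifdef HAVE_MPROTECT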
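Review bot: The new `eip < end` guard is only evaluated at the top of each iteration, but one iteration writes more than one byte before the next check — the inner `while ( pos >= 0x10000L )` loop emits `PREFIX16` and further opcodes on every pass, and presumably passes several times when inc is large — and the `*eip++ = RETURN;` after the loop (third hunk) writes unconditionally, so eip can still run past copy_row; in particular a loop that exits with eip == end and i == dst_w writes RETURN one past the end and is not caught by the new `if ( i < dst_w )` test. Sizing the limit with headroom keeps every write inside the buffer: `end = copy_row + sizeof(copy_row) - <worst-case bytes emitted by one iteration, plus one for RETURN>;`, and the removed `eip > (copy_row+sizeof(copy_row))` comparison is worth keeping next to `i < dst_w` as a second, independent check. The enclosing function and the remainder of the for body lie outside the hunk, so the per-iteration worst case must be taken from the full loop body rather than from what is visible here.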