From db6cbc77f99c447f4862cb8f7955a3c7d6e64950 Mon Sep 17 00:00:00 2001
From: Sam Lantinga
Date: Sun, 18 Jul 2010 10:26:46 -0700
Subject: [PATCH] Better fix for bug 936

Check to for overruns before they happen instead of afterwards.
---
 src/video/SDL_stretch.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/video/SDL_stretch.c b/src/video/SDL_stretch.c
index 818d0dedc..09a9a24df 100644
--- a/src/video/SDL_stretch.c
+++ b/src/video/SDL_stretch.c
@@ -80,7 +80,7 @@ generate_rowbytes(int src_w, int dst_w, int bpp)
     int i;
     int pos, inc;
-    unsigned char *eip;
+    unsigned char *eip, *fence;
     unsigned char load, store;

     /* See if we need to regenerate the copy buffer */
@@ -116,14 +116,21 @@ generate_rowbytes(int src_w, int dst_w, int bpp)
     pos = 0x10000;
     inc = (src_w << 16) / dst_w;
     eip = copy_row;
+    fence = copy_row + sizeof(copy_row)-2;
     for (i = 0; i < dst_w; ++i) {
         while (pos >= 0x10000L) {
+            if (eip == fence) {
+                return -1;
+            }
             if (bpp == 2) {
                 *eip++ = PREFIX16;
             }
             *eip++ = load;
             pos -= 0x10000L;
         }
+        if (eip == fence) {
+            return -1;
+        }
         if (bpp == 2) {
             *eip++ = PREFIX16;
         }
@@ -132,11 +139,6 @@ generate_rowbytes(int src_w, int dst_w, int bpp)
     }
     *eip++ = RETURN;

-    /* Verify that we didn't overflow (too late!!!) */
-    if (eip > (copy_row + sizeof(copy_row))) {
-        SDL_SetError("Copy buffer overflow");
-        return (-1);
-    }
 #ifdef HAVE_MPROTECT
     /* Make the code executable but not writeable */
     if (mprotect(copy_row, sizeof(copy_row), PROT_READ | PROT_EXEC) < 0) {
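Review bot: The two new early returns in the second hunk drop the `SDL_SetError("Copy buffer overflow")` call that the third hunk removes, so a caller that reaches -1 and reads SDL_GetError() now gets a stale or empty message for this failure; both sites should become `if (eip >= fence) { SDL_SetError("Copy buffer overflow"); return -1; }`. Using `>=` rather than `==` also stops the guard from depending on eip landing exactly on fence: with bpp == 2 each step writes two bytes (PREFIX16 then load/store), so the check only works because eip and fence both sit at even offsets from copy_row, an invariant nothing in the hunk states. A short comment on the fence line, e.g. `/* leave room for the final RETURN byte and one 2-byte PREFIX16+op pair */`, would explain the -2. The generate_rowbytes body continues outside these hunks, so whether the early returns also skip any bookkeeping done after the mprotect block cannot be judged from here.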