changeset 4541:abb56f7699ea SDL-1.2

Fixed bug 936 Make sure that eip doesn't overflow the copy buffer beforehand. :)
author Sam Lantinga <slouken@libsdl.org>
date Sun, 18 Jul 2010 10:08:06 -0700
parents e978b888d87a
children d7cdc25af9a2
files src/video/SDL_stretch.c
diffstat 1 files changed, 5 insertions(+), 4 deletions(-) [+]
--- a/src/video/SDL_stretch.c	Sun Jul 18 08:12:48 2010 -0700
+++ b/src/video/SDL_stretch.c	Sun Jul 18 10:08:06 2010 -0700
@@ -78,7 +78,7 @@
 
 	int i;
 	int pos, inc;
-	unsigned char *eip;
+	unsigned char *eip, *end;
 	unsigned char load, store;
 
 	/* See if we need to regenerate the copy buffer */
@@ -115,7 +115,8 @@
 	pos = 0x10000;
 	inc = (src_w << 16) / dst_w;
 	eip = copy_row;
-	for ( i=0; i<dst_w; ++i ) {
+	end = copy_row+sizeof(copy_row);
+	for ( i=0; i<dst_w && eip < end; ++i ) {
 		while ( pos >= 0x10000L ) {
 			if ( bpp == 2 ) {
 				*eip++ = PREFIX16;
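Review bot: The guard `eip < end` added on the `for` line only proves one byte of headroom at the top of each pixel iteration, yet the body emits several bytes per iteration — the inner `while ( pos >= 0x10000L )` writes at least the `PREFIX16` byte visible here (and, judging by the surrounding code, a load opcode) once per source pixel consumed — so when src_w is much larger than dst_w a single iteration can carry `eip` well past `end` before the condition is re-evaluated. The check should reserve the worst case for one iteration plus the trailing RETURN byte written after the loop, e.g. compute `int max_emit = 2 * ((inc >> 16) + 1) + 3;` right after `inc` is set and loop on `i<dst_w && eip + max_emit <= end` (an inner iteration cannot run more than `(inc >> 16) + 1` times because `pos` is below 0x10000 when `inc` is added). The constant 2-bytes-per-write assumption and the exact bound depend on the rest of the loop body, which lies outside this hunk, so derive it from the bytes that body actually emits per pixel. The enclosing function starts before and continues after this hunk.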
@@ -132,8 +133,8 @@
 	*eip++ = RETURN;
 
 	/* Verify that we didn't overflow (too late!!!) */
-	if ( eip > (copy_row+sizeof(copy_row)) ) {
-		SDL_SetError("Copy buffer overflow");
+	if ( i < dst_w ) {
+		SDL_SetError("Copy buffer too small");
 		return(-1);
 	}
 #ifdef HAVE_MPROTECT
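Review bot: The replacement condition `i < dst_w` does not cover the case the loop can still reach: the final iteration may write past `end` and then exit normally with `i == dst_w`, and `*eip++ = RETURN;` just above is itself unguarded, so the error path is skipped precisely when the overflow happened on the last pixel. Keep the original pointer comparison alongside the new one, `if ( i < dst_w || eip > end ) {`, so the function still reports the condition instead of presumably continuing into the `HAVE_MPROTECT` path with a buffer that has already been overrun. The comment `/* Verify that we didn't overflow (too late!!!) */` still describes that pointer comparison, while the new message "Copy buffer too small" only describes the early-exit case; the comment should say which of the two the branch now detects. `end` is declared and set in the earlier hunks, assuming all three hunks belong to the same function; the code following `#ifdef HAVE_MPROTECT` is outside this hunk.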