33 lines
1.1 KiB
Plaintext
33 lines
1.1 KiB
Plaintext
$OpenBSD: patch-modules_codec_cdg_c,v 1.2 2011/04/12 22:40:20 sthen Exp $
|
|
|
|
Fix multiple heap-based buffer overflows. CVE-2011-0021
|
|
|
|
--- modules/codec/cdg.c.orig Wed Jan 12 22:04:27 2011
|
|
+++ modules/codec/cdg.c Wed Jan 12 22:06:35 2011
|
|
@@ -255,7 +255,13 @@ static int DecodeTileBlock( decoder_sys_t *p_cdg, cons
|
|
for( x = 0; x < 6; x++ )
|
|
{
|
|
const int idx = ( p_data[4+y] >> (5-x) ) & 0x01;
|
|
- uint8_t *p = &p_cdg->p_screen[(sy+y)*CDG_SCREEN_PITCH+(sx+x)];
|
|
+
|
|
+ int index = (sy+y)*CDG_SCREEN_PITCH+(sx+x);
|
|
+ if( index >= CDG_SCREEN_PITCH*CDG_SCREEN_HEIGHT )
|
|
+ return 0;
|
|
+
|
|
+ uint8_t *p = &p_cdg->p_screen[index];
|
|
+
|
|
if( doXor )
|
|
*p ^= p_color[idx];
|
|
else
|
|
@@ -320,8 +326,8 @@ static int DecodeScroll( decoder_sys_t *p_cdg, const u
|
|
|
|
if( b_copy )
|
|
{
|
|
- dy = ( dy + CDG_SCREEN_HEIGHT ) % CDG_SCREEN_HEIGHT;
|
|
- dy = ( dy + CDG_SCREEN_WIDTH ) % CDG_SCREEN_WIDTH;
|
|
+ dy %= CDG_SCREEN_HEIGHT;
|
|
+ dx %= CDG_SCREEN_WIDTH;
|
|
}
|
|
else
|
|
{
|