
Commit c41616b

authored
Merge pull request #202 from Libvisual/infinite-fix-out-of-bounds-access
libvisual-plugins: Fix out-of-bounds access for actor "infinite"
2 parents 6cf6507 + 6780b8c commit c41616b

4 files changed

Lines changed: 317 additions & 117 deletions


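--- a/libvisual-plugins/plugins/actor/infinite/display.c
+++ b/libvisual-plugins/plugins/actor/infinite/display.c
@@ -159,18 +159,31 @@ static void _inf_compute_surface(InfinitePrivate *priv, t_interpol* vector_field
 #endif /* #if defined(VISUAL_ARCH_X86) || defined(VISUAL_ARCH_X86_64) */
 #endif /* #if 0 */
 } else {
+const uint8_t *ptr_pix_end = priv->surface1 + (priv->plugwidth * priv->plugheight);
+
 for (j=0;j<priv->plugheight;j++) {
 for (i=0;i<priv->plugwidth;i++) {
 interpol = &vector_field[add_dest];
-add_src = (interpol->coord & 0xffff) * priv->plugwidth + (interpol->coord >> 16);
-ptr_pix = priv->surface1 + add_src;;
+const uint16_t y = interpol->coord & 0xffff;
+const uint16_t x = interpol->coord >> 16;
+(void)add_src;
+ptr_pix = priv->surface1 + y * priv->plugwidth + x;
+
+color = ptr_pix[0] * (interpol->weight >> 24);
+
+// right neigbor
+if (ptr_pix + 1 < ptr_pix_end)
+color += ptr_pix[1] * ((interpol->weight >> 16) & 0xFF);
+
+// bottom neigbor
+if (ptr_pix + priv->plugwidth < ptr_pix_end)
+color += ptr_pix[priv->plugwidth] * ((interpol->weight >> 8) & 0xFF);
 
-/* FIXME it does buffer overread here now and then */
+// bottom right neigbor
+if (ptr_pix + priv->plugwidth + 1 < ptr_pix_end)
+color += ptr_pix[priv->plugwidth + 1] * (interpol->weight & 0xFF);
 
-color= (*(ptr_pix) * (interpol->weight >> 24)
-+*(ptr_pix + 1) * ((interpol->weight & 0xFFFFFF) >> 16)
-+*(ptr_pix + priv->plugwidth) * ((interpol->weight & 0xFFFF) >> 8)
-+*(ptr_pix + priv->plugwidth + 1) * (interpol->weight & 0xFF)) >> 8;
+color >>= 8;
 /*
 color= (*(ptr_pix) // * (interpol->weight >> 24)
 +*(ptr_pix + 1) // * ((interpol->weight & 0xFFFFFF) >> 16)
@@ -429,9 +442,7 @@ void _inf_init_display(InfinitePrivate *priv)
 priv->plugwidth = priv->plugwidth;
 priv->plugheight = priv->plugheight;
 
-/* Yes we alloc a bit more because there is some odd race buffer overrun which i (the porter)
- * am to lazy to debug */
-allocsize = (priv->plugwidth * priv->plugheight) + (priv->plugwidth * 2);
+allocsize = priv->plugwidth * priv->plugheight;
 
 priv->surface1 = (uint8_t *) visual_mem_malloc0(allocsize);
 priv->surface2 = (uint8_t *) visual_mem_malloc0(allocsize);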
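Review bot: The new bounds checks in `_inf_compute_surface` cover the three neighbour reads but not the base pixel: `ptr_pix = priv->surface1 + y * priv->plugwidth + x;` is dereferenced unconditionally as `ptr_pix[0]`, so a `coord` whose x or y falls outside plugwidth×plugheight still reads past `surface1`, and with the padding removed from `allocsize` in `_inf_init_display` that is now a real heap over-read rather than one absorbed by slack. Whether such coordinates can occur depends on how `vector_field` is generated in the other files of this commit; unless that invariant is enforced there, guard the first read the same way, `color = (ptr_pix < ptr_pix_end) ? ptr_pix[0] * (interpol->weight >> 24) : 0;`, or skip the sample when `y >= priv->plugheight || x >= priv->plugwidth`. Forming `ptr_pix + priv->plugwidth + 1` when `ptr_pix` is already past the end of the allocation is undefined pointer arithmetic in C, so the three comparisons are only well-defined once the base offset is known to be in range — comparing the integer offset `y * priv->plugwidth + x` against `priv->plugwidth * priv->plugheight` avoids that entirely. `(void)add_src;` only silences an unused-variable warning for a declaration outside the hunk; removing that dead local would be cleaner than keeping the cast. Both functions begin and end outside the hunks shown here.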
