Fix possible buffer overflow when loading raw surfaces.

OpenXcom · Oct 13, 2018 · a4d28b7 · a4d28b7
1 parent 13049d6
commit a4d28b7
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 7 deletions.
diff --git a/src/Engine/Surface.cpp b/src/Engine/Surface.cpp
@@ -222,7 +222,8 @@ void Surface::rawCopy(const std::vector<T> &src)
 	// Copy whole thing
 	if (_surface->pitch == _surface->w)
 	{
-		std::copy(src.begin(), src.end(), (T*)_surface->pixels);
+		size_t end = std::min(size_t(_surface->w * _surface->h * _surface->format->BytesPerPixel), src.size());
+		std::copy(src.begin(), src.begin() + end, (T*)_surface->pixels);
 	}
 	// Copy row by row
 	else

diff --git a/src/Engine/Surface.h b/src/Engine/Surface.h
@@ -141,7 +141,7 @@ class Surface
 	SDL_Rect *getCrop();
 	/**
 	 * Changes the color of a pixel in the surface, relative to
-	 * the top-left corner of the surface.
+	 * the top-left corner of the surface. Invalid positions are ignored.
 	 * @param x X position of the pixel.
 	 * @param y Y position of the pixel.
 	 * @param pixel New color for the pixel.
@@ -176,7 +176,7 @@ class Surface
 	 * Returns the color of a specified pixel in the surface.
 	 * @param x X position of the pixel.
 	 * @param y Y position of the pixel.
-	 * @return Color of the pixel.
+	 * @return Color of the pixel, zero if the position is invalid.
 	 */
 	Uint8 getPixel(int x, int y) const
 	{
@@ -194,10 +194,6 @@ class Surface
 	 */
 	Uint8 *getRaw(int x, int y) const
 	{
-		if (x < 0 || x >= getWidth() || y < 0 || y >= getHeight())
-		{
-			return 0;
-		}
 		return (Uint8 *)_surface->pixels + (y * _surface->pitch + x * _surface->format->BytesPerPixel);
 	}
 	/**