Skip to content
This repository has been archived by the owner. It is now read-only.
Permalink
Browse files

Better fix for bug 936

Check to for overruns before they happen instead of afterwards.
  • Loading branch information
slouken committed Jul 18, 2010
1 parent b47d782 commit db6cbc77f99c447f4862cb8f7955a3c7d6e64950
Showing with 8 additions and 6 deletions.
  1. +8 −6 src/video/SDL_stretch.c
@@ -80,7 +80,7 @@ generate_rowbytes(int src_w, int dst_w, int bpp)

int i;
int pos, inc;
unsigned char *eip;
unsigned char *eip, *fence;
unsigned char load, store;

/* See if we need to regenerate the copy buffer */
@@ -116,14 +116,21 @@ generate_rowbytes(int src_w, int dst_w, int bpp)
pos = 0x10000;
inc = (src_w << 16) / dst_w;
eip = copy_row;
fence = copy_row + sizeof(copy_row)-2;
for (i = 0; i < dst_w; ++i) {
while (pos >= 0x10000L) {
if (eip == fence) {
return -1;
}
if (bpp == 2) {
*eip++ = PREFIX16;
}
*eip++ = load;
pos -= 0x10000L;
}
if (eip == fence) {
return -1;
}
if (bpp == 2) {
*eip++ = PREFIX16;
}
@@ -132,11 +139,6 @@ generate_rowbytes(int src_w, int dst_w, int bpp)
}
*eip++ = RETURN;

/* Verify that we didn't overflow (too late!!!) */
if (eip > (copy_row + sizeof(copy_row))) {
SDL_SetError("Copy buffer overflow");
return (-1);
}
#ifdef HAVE_MPROTECT
/* Make the code executable but not writeable */
if (mprotect(copy_row, sizeof(copy_row), PROT_READ | PROT_EXEC) < 0) {

0 comments on commit db6cbc7

Please sign in to comment.