fixes buffer overflow in color in pasteTiles()

ricardoquesada · Jan 19, 2017 · a96ecac · a96ecac · ricardoquesada · Jan 19, 2017
1 parent cc1ca53
commit a96ecac
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 3 deletions.
diff --git a/src/commands.cpp b/src/commands.cpp
@@ -101,6 +101,8 @@ PasteCommand::PasteCommand(State* state, int charIndex, const State::CopyRange&
     if (copyRange.type == State::CopyRange::CHARS || copyRange.type == State::CopyRange::TILES)
     {
         sizeToCopy = State::CHAR_BUFFER_SIZE + State::TILE_COLORS_BUFFER_SIZE;
+        Q_ASSERT(copyRange.bufferSize == sizeToCopy && "Invalid bufferSize");
+
         _copyBuffer = (quint8*)malloc(sizeToCopy);
         _origBuffer = (quint8*)malloc(sizeToCopy);
     }

diff --git a/src/state.cpp b/src/state.cpp
@@ -694,10 +694,11 @@ void State::_setMapSize(const QSize& mapSize)
     {
         const int newSizeInBytes = mapSize.width() * mapSize.height();
         quint8* newMap = (quint8*) malloc(newSizeInBytes);
+        Q_ASSERT(newMap && "No memory");
+
         for (int i=0; i<newSizeInBytes; ++i)
             newMap[i] = _tileIndex;
 
-        Q_ASSERT(newMap && "No memory");
 
         for (int row=0; row<mapSize.height(); ++row)
         {
@@ -984,8 +985,10 @@ void State::_pasteTiles(int charIndex, const CopyRange& copyRange, const quint8*
             int srcidx = (tileSrcIdx + i + srcskip) * interleavedFactorSrc;
             int dstidx = (tileDstIdx + i + dstskip) * interleavedFactorDst;
 
-            // copy colors
-            _tileColors[tileDstIdx + i + dstskip] = colorsBuffer[tileSrcIdx + i + srcskip];
+            int colorIdx = tileDstIdx + i + dstskip;
+            // avoid overflow
+            if (colorIdx < 256)
+                _tileColors[colorIdx] = colorsBuffer[tileSrcIdx + i + srcskip];
 
             // when interleaved, break the copy to prevent ugly artifacts
             if (_tileProperties.interleaved != 1 && dstidx >= (256 / tileSize))