author | fvogel <fvogelnew1@free.fr> | 2020-06-27 09:31:06 (GMT) |
---|---|---|
committer | fvogel <fvogelnew1@free.fr> | 2020-06-27 09:31:06 (GMT) |
commit | d9d32ac66f73c6fffe70bdd8d545a2a9cfba0ed6 (patch) | |
tree | 314d5b701fd22e19571256401744a036814c442b /generic/tkImgPhoto.c | |
parent | de48dfbea8668eebfb7f3e3ae1dce17a9c2e9594 (diff) | |
parent | 02e4268c7f9c10b52f306dc56769f91dafd357a1 (diff) | |
Fix [5c51be6411]: Buffer over-read in Tk_PhotoPutBlock() and Tk_PhotoPutZoomedBlock(). Patch from Christopher Chavez.
Diffstat (limited to 'generic/tkImgPhoto.c')
-rw-r--r-- | generic/tkImgPhoto.c | 40 |
1 files changed, 32 insertions, 8 deletions
diff --git a/generic/tkImgPhoto.c b/generic/tkImgPhoto.c index 5b6d0d3..f875a25 100644 --- a/generic/tkImgPhoto.c +++ b/generic/tkImgPhoto.c @@ -2812,8 +2812,21 @@ Tk_PhotoPutBlock( if (sourceBlock.pixelPtr >= masterPtr->pix32 && sourceBlock.pixelPtr <= masterPtr->pix32 + masterPtr->width * masterPtr->height * 4) { - sourceBlock.pixelPtr = (unsigned char *)attemptckalloc(sourceBlock.height - * sourceBlock.pitch); + /* + * Fix 5c51be6411: avoid reading + * + * (sourceBlock.pitch - sourceBlock.width * sourceBlock.pixelSize) + * + * bytes past the end of masterPtr->pix32[] when + * + * blockPtr->pixelPtr > (masterPtr->pix32 + + * 4 * masterPtr->width * masterPtr->height - + * sourceBlock.height * sourceBlock.pitch) + */ + unsigned int cpyLen = (sourceBlock.height - 1) * sourceBlock.pitch + + sourceBlock.width * sourceBlock.pixelSize; + + sourceBlock.pixelPtr = (unsigned char *)attemptckalloc(cpyLen); if (sourceBlock.pixelPtr == NULL) { if (interp != NULL) { Tcl_SetObjResult(interp, Tcl_NewStringObj( @@ -2823,8 +2836,7 @@ Tk_PhotoPutBlock( return TCL_ERROR; } memToFree = sourceBlock.pixelPtr; - memcpy(sourceBlock.pixelPtr, blockPtr->pixelPtr, sourceBlock.height - * sourceBlock.pitch); + memcpy(sourceBlock.pixelPtr, blockPtr->pixelPtr, cpyLen); } 
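Review bot: The new `cpyLen` initializer in Tk_PhotoPutBlock is evaluated in the operands' own type before it is converted to `unsigned int`, so if `height`, `pitch`, `width` and `pixelSize` are plain `int` (as in Tk's public Tk_PhotoImageBlock), a large block can overflow signed arithmetic and a `sourceBlock.height` of 0 makes `(sourceBlock.height - 1) * sourceBlock.pitch` negative. The hunk does not show whether height and pitch are validated earlier in the function, so this may already be excluded; if it is not, the wrapped value becomes both the allocation size and the `memcpy` length. I would reject a non-positive height before this point and do the arithmetic in an unsigned type, e.g. `(size_t)(sourceBlock.height - 1) * sourceBlock.pitch + (size_t)sourceBlock.width * sourceBlock.pixelSize`, then check that the result fits the argument type of `attemptckalloc` before calling it. The same applies to the identical computation added in Tk_PhotoPutZoomedBlock; both function bodies start and end outside the hunks shown.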
@@ -3246,8 +3258,21 @@ Tk_PhotoPutZoomedBlock( if (sourceBlock.pixelPtr >= masterPtr->pix32 && sourceBlock.pixelPtr <= masterPtr->pix32 + masterPtr->width * masterPtr->height * 4) { - sourceBlock.pixelPtr = (unsigned char *)attemptckalloc(sourceBlock.height - * sourceBlock.pitch); + /* + * Fix 5c51be6411: avoid reading + * + * (sourceBlock.pitch - sourceBlock.width * sourceBlock.pixelSize) + * + * bytes past the end of masterPtr->pix32[] when + * + * blockPtr->pixelPtr > (masterPtr->pix32 + + * 4 * masterPtr->width * masterPtr->height - + * sourceBlock.height * sourceBlock.pitch) + */ + unsigned int cpyLen = (sourceBlock.height - 1) * sourceBlock.pitch + + sourceBlock.width * sourceBlock.pixelSize; + + sourceBlock.pixelPtr = (unsigned char *)attemptckalloc(cpyLen); if (sourceBlock.pixelPtr == NULL) { if (interp != NULL) { Tcl_SetObjResult(interp, Tcl_NewStringObj( @@ -3257,8 +3282,7 @@ Tk_PhotoPutZoomedBlock( return TCL_ERROR; } memToFree = sourceBlock.pixelPtr; - memcpy(sourceBlock.pixelPtr, blockPtr->pixelPtr, sourceBlock.height - * sourceBlock.pitch); + memcpy(sourceBlock.pixelPtr, blockPtr->pixelPtr, cpyLen); } xEnd = x + width; |
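Review bot: The comment and the `cpyLen` computation added in Tk_PhotoPutZoomedBlock are a verbatim copy of the ones added in Tk_PhotoPutBlock, so a later correction to this bounds calculation has to be made twice and the two copies can drift apart. Consider moving the length calculation into one file-local `static` helper that takes the block pointer and returns the byte count, with the explanatory comment placed on the helper. Each call site would then keep only the allocation, the NULL check and `memcpy(sourceBlock.pixelPtr, blockPtr->pixelPtr, cpyLen);`.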