Commit 15d51c1f authored by Vincent Penquerc'h's avatar Vincent Penquerc'h
Browse files

compositor: fix illegal memory access in blend function with negative ypos

https://bugzilla.gnome.org/show_bug.cgi?id=741115
parent 3b920131
...@@ -86,9 +86,11 @@ method##_ ##name (GstVideoFrame * srcframe, gint xpos, gint ypos, \ ...@@ -86,9 +86,11 @@ method##_ ##name (GstVideoFrame * srcframe, gint xpos, gint ypos, \
src_height = dest_height - ypos; \ src_height = dest_height - ypos; \
} \ } \
\ \
dest = dest + 4 * xpos + (ypos * dest_stride); \ if (src_height > 0 && src_width > 0) { \
dest = dest + 4 * xpos + (ypos * dest_stride); \
\ \
LOOP (dest, src, src_height, src_width, src_stride, dest_stride, s_alpha); \ LOOP (dest, src, src_height, src_width, src_stride, dest_stride, s_alpha); \
} \
} }
#define BLEND_A32_LOOP(name, method) \ #define BLEND_A32_LOOP(name, method) \
...@@ -268,23 +270,23 @@ blend_##format_name (GstVideoFrame * srcframe, gint xpos, gint ypos, \ ...@@ -268,23 +270,23 @@ blend_##format_name (GstVideoFrame * srcframe, gint xpos, gint ypos, \
xpos = 0; \ xpos = 0; \
} \ } \
if (ypos < 0) { \ if (ypos < 0) { \
yoffset += -ypos; \ yoffset = -ypos; \
b_src_height -= -ypos; \ b_src_height -= -ypos; \
ypos = 0; \ ypos = 0; \
} \ } \
/* If x or y offset are larger then the source it's outside of the picture */ \ /* If x or y offset are larger then the source it's outside of the picture */ \
if (xoffset > src_width || yoffset > src_height) { \ if (xoffset >= src_width || yoffset >= src_height) { \
return; \ return; \
} \ } \
\ \
/* adjust width/height if the src is bigger than dest */ \ /* adjust width/height if the src is bigger than dest */ \
if (xpos + src_width > dest_width) { \ if (xpos + b_src_width > dest_width) { \
b_src_width = dest_width - xpos; \ b_src_width = dest_width - xpos; \
} \ } \
if (ypos + src_height > dest_height) { \ if (ypos + b_src_height > dest_height) { \
b_src_height = dest_height - ypos; \ b_src_height = dest_height - ypos; \
} \ } \
if (b_src_width < 0 || b_src_height < 0) { \ if (b_src_width <= 0 || b_src_height <= 0) { \
return; \ return; \
} \ } \
\ \
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment