Avoid out-of-bounds read when accessing individual bytes from mask.

Adam Jackson requested to merge ajax/pixman:oob-read-fix into master

The important changes here are a handful of places where we replace

        memcpy(&m, mask++, sizeof(uint32_t));

or similar code with

        uint8_t m = *mask++;

because we're only supposed to be reading a single byte from *mask, and accessing a 32-bit value may read out of bounds (besides that it reads values we don't actually want; whether this matters would depend on exactly how the value in m is subsequently used).

I've also changed a bunch of other places to use this same pattern (a local 8-bit variable) when reading individual bytes from the mask; the code was inconsistent about this, sometimes casting the byte to a uint32_t instead. This makes no actual difference, it just seemed better to use a consistent pattern throughout the file.
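The two read patterns from the description, side by side, as an added example that is not pixman code and not part of the merge request. The function names, the 4-pixel row and the `if (m)` coverage test are assumptions made for illustration; the row is followed by three guard bytes so the wide read stays inside the demo array, standing in for whatever memory follows a real mask.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define W 4                          /* constructed mask row width, in pixels */
#define GUARD (sizeof(uint32_t) - 1) /* bytes the wide read touches past the row */

/* "Before" pattern: 4 bytes are copied for every 1-byte mask pixel. */
static int covered_wide(const uint8_t *mask, int w)
{
    int n = 0;
    while (w--) {
        uint32_t m;
        memcpy(&m, mask++, sizeof(uint32_t));
        if (m)                       /* assumed use of m: "is this pixel covered?" */
            n++;
    }
    return n;
}

/* "After" pattern: exactly one byte is read per mask pixel. */
static int covered_byte(const uint8_t *mask, int w)
{
    int n = 0;
    while (w--) {
        uint8_t m = *mask++;
        if (m)
            n++;
    }
    return n;
}

/* All-zero mask row followed by GUARD bytes of `fill`. In real code the
 * guard bytes do not belong to the mask: reading them is the OOB read. */
static void make_row(uint8_t *buf, uint8_t fill)
{
    memset(buf, 0, W);
    memset(buf + W, fill, GUARD);
}

static int run_wide(uint8_t fill) { uint8_t b[W + GUARD]; make_row(b, fill); return covered_wide(b, W); }
static int run_byte(uint8_t fill) { uint8_t b[W + GUARD]; make_row(b, fill); return covered_byte(b, W); }

int main(void)
{
    printf("wide: guard=00 -> %d, guard=ff -> %d\n", run_wide(0x00), run_wide(0xFF));
    printf("byte: guard=00 -> %d, guard=ff -> %d\n", run_byte(0x00), run_byte(0xFF));
    return 0;
}
```

With an all-zero mask, the wide variant's result changes with the bytes after the row, while the single-byte variant never looks at them.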
