authorgiraffedata <giraffedata@9d0c8265-081b-0410-96cb-a4ca84ce46f8>2020-05-28 22:42:52 +0000
committergiraffedata <giraffedata@9d0c8265-081b-0410-96cb-a4ca84ce46f8>2020-05-28 22:42:52 +0000
commit987724143b292d9e249dd49e833b60eddda432fc (patch)
tree1c1280e2316d966a95ce89a5735aebaf82d27ee5 /converter
parent116ab8299bcabeab64a736df7016ecd1403173f7 (diff)
Fix buffer overrun with different size source, destination rectangles
git-svn-id: http://svn.code.sf.net/p/netpbm/code/trunk@3814 9d0c8265-081b-0410-96cb-a4ca84ce46f8
Diffstat (limited to 'converter')
-rw-r--r--converter/ppm/picttoppm.c14
1 files changed, 10 insertions, 4 deletions
diff --git a/converter/ppm/picttoppm.c b/converter/ppm/picttoppm.c
index 09b2afc0..b5e71ec4 100644
--- a/converter/ppm/picttoppm.c
+++ b/converter/ppm/picttoppm.c
@@ -1297,8 +1297,7 @@ doDiffSize(struct Rect       const srcRect,
            struct RGBColor * const color_map,
            unsigned char *   const src,
            unsigned int      const srcwid,
-           struct RgbPlanes  const dst,
-           unsigned int      const dstwid) {
+           struct RgbPlanes  const dst) {
 /*----------------------------------------------------------------------------
    Generate the raster in the plane buffers indicated by 'dst'.
 
@@ -1379,7 +1378,7 @@ doDiffSize(struct Rect       const srcRect,
 
     closeValidatePamscalePipe(pamscalePipeP);
 
-    convertScaledPpm(tempFilename, trf, dst, dstwid-rectwidth(&srcRect));
+    convertScaledPpm(tempFilename, trf, dst, dst.width-rectwidth(&dstRect));
 
     pm_strfree(tempFilename);
     unlink(tempFilename);
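Review bot: `unlink(tempFilename)` runs after `pm_strfree(tempFilename)` in the context lines that close this hunk, so the path is read after it has been released and the temporary file may not be removed; the two calls should be swapped, `unlink(tempFilename);` then `pm_strfree(tempFilename);`. Separately, the new argument `dst.width-rectwidth(&dstRect)` assumes the destination rectangle is never wider than the canvas; if the operands are unsigned (the removed `dstwid` was), a wider rectangle taken from the input file would wrap to a very large row skip, and no clamp is visible in this hunk. A guard before the call, such as `if (rectwidth(&dstRect) > dst.width) pm_error("destination rectangle wider than canvas");`, would make the overrun fix hold for that case too. doDiffSize's body starts and ends outside the hunk, so such a check may already exist elsewhere.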
@@ -1645,8 +1644,15 @@ doBlit(struct Rect       const srcRect,
         src = srcplane.bytes + srcRowNumber * srcplane.rowSize + srcRowOffset;
     }
 
+    /* This 'dstoff'/'dstadd' abomination has to be fixed.  We need to pass to
+       'doDiffSize' the whole actual canvas, 'canvasPlanes', and tell it to
+       what part of the canvas to write.  It can compute the location of each
+       destination row as it comes to it.
+     */
     dstoff = (dstRect.top - dstBounds.top) * dstwid +
         (dstRect.left - dstBounds.left);
+    dst.height = canvasPlanes.height - (dstRect.top - dstBounds.top);
+    dst.width  = canvasPlanes.width;
     dst.red = canvasPlanes.red + dstoff;
     dst.grn = canvasPlanes.grn + dstoff;
     dst.blu = canvasPlanes.blu + dstoff;
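Review bot: The `dst.width` and `dst.height` set here describe the canvas, not the region reachable from the offset pointers: `dst.red`, `dst.grn` and `dst.blu` start `dstRect.left - dstBounds.left` columns into a row, so a callee that treats `dst.width * dst.height` elements from those pointers as writable would overshoot the canvas by that many elements in the last row. `dst.width` is safe only as a row pitch, which deserves a line in the new comment, e.g. `/* dst.width is the canvas row pitch, not the writable width from dst.red */`. The offset is also computed with `dstwid` while the pitch handed on is `canvasPlanes.width`; if the two are meant to be equal, `assert(dstwid == canvasPlanes.width);` would pin that down. No check that `dstRect` lies inside `dstBounds` is visible in this hunk, and doBlit's body extends beyond it.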
@@ -1659,7 +1665,7 @@ doBlit(struct Rect       const srcRect,
 
     if (!rectsamesize(srcRect, dstRect))
         doDiffSize(srcRect, dstRect, pixSize,
-                   trf, color_map, src, srcplane.rowSize, dst, dstwid);
+                   trf, color_map, src, srcplane.rowSize, dst);
     else {
         if (trf == NULL)
             blitIdempotent(pixSize, srcRect, src, srcplane.rowSize,