Better fix for bug 936

Check to for overruns before they happen instead of afterwards.

Better fix for bug 936
Check to for overruns before they happen instead of afterwards.
bbf70270 · Sam Lantinga · ce200fdf · bbf70270
Commit bbf70270 authored Jul 18, 2010 by Sam Lantinga
Show whitespace changes
Inline Side-by-side

Showing with 8 additions and 6 deletions

SDL_stretch.c src/video/SDL_stretch.c +8 -6

No files found.
--- a/src/video/SDL_stretch.c
+++ b/src/video/SDL_stretch.c
@@ -80,7 +80,7 @@ generate_rowbytes(int src_w, int dst_w, int bpp)

    int i;
    int pos, inc;
-    unsigned char *eip;
+    unsigned char *eip, *fence;
    unsigned char load, store;

    /* See if we need to regenerate the copy buffer */
@@ -116,14 +116,21 @@ generate_rowbytes(int src_w, int dst_w, int bpp)
    pos = 0x10000;
    inc = (src_w << 16) / dst_w;
    eip = copy_row;
+    fence = copy_row + sizeof(copy_row)-2;
    for (i = 0; i < dst_w; ++i) {
        while (pos >= 0x10000L) {
+            if (eip == fence) {
+                return -1;
+            }
            if (bpp == 2) {
                *eip++ = PREFIX16;
            }
            *eip++ = load;
            pos -= 0x10000L;
        }
+        if (eip == fence) {
+            return -1;
+        }
        if (bpp == 2) {
            *eip++ = PREFIX16;
        }
@@ -132,11 +139,6 @@ generate_rowbytes(int src_w, int dst_w, int bpp)
    }
    *eip++ = RETURN;

-    /* Verify that we didn't overflow (too late!!!) */
-    if (eip > (copy_row + sizeof(copy_row))) {
-        SDL_SetError("Copy buffer overflow");
-        return (-1);
-    }
 #ifdef HAVE_MPROTECT
    /* Make the code executable but not writeable */
    if (mprotect(copy_row, sizeof(copy_row), PROT_READ | PROT_EXEC) < 0) {