changeset 2122:59bde9a7220d

Add a few out-of-bounds checks.
author Matti Hamalainen <ccr@tnsp.org>
date Mon, 27 May 2019 05:59:57 +0300
parents f12ac487954b
children 47ddbedf5b56
files tools/lib64gfx.c
diffstat 1 files changed, 28 insertions(+), 4 deletions(-) [+]
--- a/tools/lib64gfx.c	Mon May 27 00:04:02 2019 +0300
+++ b/tools/lib64gfx.c	Mon May 27 05:59:57 2019 +0300
@@ -1317,8 +1317,16 @@
                 const int scroffs = scroffsy + x;
                 const int xshift = 7 - (xc & 7);
                 const int chr = src->screen[0].data[scroffs];
+                const size_t chrOffs = (chr * C64_CHR_SIZE) + yb;
 
-                if ((src->charData[0].data[chr * C64_CHR_SIZE + yb] >> xshift) & 1)
+                if (chrOffs >= src->charData[0].size)
+                {
+                    return dmError(DMERR_INVALID_DATA,
+                        "Character map index #%d out of bounds for char ROM data.\n",
+                        chr);
+                }
+
+                if ((src->charData[0].data[chrOffs] >> xshift) & 1)
                     *dp++ = src->color[0].data[scroffs];
                 else
                     *dp++ = src->bgcolor;
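Review bot: `scroffs` is still used unchecked to index `src->screen[0].data` when `chr` is loaded, and `src->color[0].data` on the set-pixel branch, so the added test only protects the `charData[0]` read. If the screen and colour block sizes are not validated before this loop (not visible in the hunk), a truncated or malformed image file can still cause an out-of-bounds read here. Assuming those blocks carry a `size` field like `charData[0]` does, a guard such as `if ((size_t) scroffs >= src->screen[0].size || (size_t) scroffs >= src->color[0].size)` returning `DMERR_INVALID_DATA` before the `chr` load would close that gap. The same applies to the hunks at -1331 and -1351. The enclosing loops start and end outside the hunk.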
@@ -1331,8 +1339,16 @@
                 const int scroffs = scroffsy + x;
                 const int xshift = 7 - (xc & 7);
                 const int chr = src->screen[0].data[scroffs];
+                const size_t chrOffs = ((chr & 0x3f) * C64_CHR_SIZE) + yb;
 
-                if ((src->charData[0].data[(chr & 0x3f) * C64_CHR_SIZE + yb] >> xshift) & 1)
+                if (chrOffs >= src->charData[0].size)
+                {
+                    return dmError(DMERR_INVALID_DATA,
+                        "Character map index #%d out of bounds for char ROM data.\n",
+                        chr);
+                }
+
+                if ((src->charData[0].data[chrOffs] >> xshift) & 1)
                     *dp++ = src->color[0].data[scroffs] & 15;
                 else
                 switch ((chr >> 6) & 3)
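Review bot: The error message prints `chr`, but the offset that failed the check is built from `chr & 0x3f`, so the reported index can differ from the one that was actually out of range. Passing the masked value to `dmError()`, i.e. `chr & 0x3f` instead of `chr` as the last argument, would make the diagnostic match the check. A short comment on the `chrOffs` line saying that the upper two bits of `chr` select the background colour in this mode would also explain why the mask is there.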
@@ -1351,11 +1367,19 @@
                 const int scroffs = scroffsy + x;
                 const int chr = src->screen[0].data[scroffs];
                 const int col = src->color[0].data[scroffs];
+                const size_t chrOffs = (chr * C64_CHR_SIZE) + yb;
+
+                if (chrOffs >= src->charData[0].size)
+                {
+                    return dmError(DMERR_INVALID_DATA,
+                        "Character map index #%d out of bounds for char ROM data.\n",
+                        chr);
+                }
 
                 if (col & 8)
                 {
                     const int xshift = 6 - ((xc * 2) & 6);
-                    switch ((src->charData[0].data[chr * C64_CHR_SIZE + yb] >> xshift) & 3)
+                    switch ((src->charData[0].data[chrOffs] >> xshift) & 3)
                     {
                         case 0: *dp++ = src->bgcolor; break;
                         case 1: *dp++ = src->d022; break;
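Review bot: This is the third verbatim copy of the `chrOffs >= src->charData[0].size` test and its `dmError()` message, and all three run once per output pixel. A small `static` helper that takes `src`, `chrOffs` and `chr` and returns the `dmError()` result would keep the three modes from drifting apart when the message or the bound changes. It would also be worth a comment at the first check stating that the function returns from the middle of the conversion, so the destination buffer may be partially written when `DMERR_INVALID_DATA` is returned. Whether callers discard the output on error is not visible from this hunk.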
@@ -1366,7 +1390,7 @@
                 else
                 {
                     const int xshift = 7 - (xc & 7);
-                    if ((src->charData[0].data[chr * C64_CHR_SIZE + yb] >> xshift) & 1)
+                    if ((src->charData[0].data[chrOffs] >> xshift) & 1)
                         *dp++ = col & 7;
                     else
                         *dp++ = src->bgcolor;