[Bug 48927] Heap buffer underflow in TiffFrameDecode_ReadTile when decoding 1x1 4bpp RGBA image

WineHQ Bugzilla wine-bugs at winehq.org
Sun Apr 19 06:49:06 CDT 2020


https://bugs.winehq.org/show_bug.cgi?id=48927

--- Comment #5 from Thomas Faber <thomas.faber at reactos.org> ---
Almost!

Because this no longer rounds up "count" before dividing by two, "src" ends up
one byte before "cached_tile" here:
src = This->cached_tile + count / 2 - 1;

I fixed this to be:
src = This->cached_tile + (count + 1) / 2 - 1;

With that modification, there's no more out of bounds access.


There may be other complications to consider at some point, such as whether
byte-alignment needs to happen at the end of each row (so the bottom half of
the last byte of each row would be skipped). But for the 1x1 case this seems to
work great now. I've tested this using the gdiplus:image test.

Thanks!

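The off-by-one described in the comment above, as an added example that is not part of the original message or of Wine's source. It assumes "count" is the number of 4-bit pixels in the tile and that pixels are packed high nibble first; all function names and the sample data are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample tile: three 4-bit pixels A, B, C (last nibble is padding). */
static const unsigned char tile[2] = { 0xAB, 0xC0 };
static unsigned char unpacked[3];

/* Last-byte offset when the division truncates (the underflowing form). */
static ptrdiff_t last_byte_truncated(size_t count) { return (ptrdiff_t)(count / 2) - 1; }

/* Last-byte offset when the division rounds up (the corrected form). */
static ptrdiff_t last_byte_rounded_up(size_t count) { return (ptrdiff_t)((count + 1) / 2) - 1; }

/* Unpack `count` 4-bit pixels into one byte each, walking backwards from
 * offset `last`. Returns 0 on success, or -1 as soon as a read would fall
 * outside the packed buffer instead of performing it. */
static int unpack_4bpp(const unsigned char *packed, size_t packed_len,
                       size_t count, ptrdiff_t last, unsigned char *out)
{
    ptrdiff_t pos = last;
    for (size_t i = count; i-- > 0; ) {
        if (pos < 0 || (size_t)pos >= packed_len)
            return -1;                      /* out-of-bounds read refused */
        if (i & 1) {
            out[i] = packed[pos] & 0x0f;    /* odd pixel: low nibble */
        } else {
            out[i] = packed[pos] >> 4;      /* even pixel: high nibble */
            pos--;                          /* this byte is fully consumed */
        }
    }
    return 0;
}

/* Unpack the first `count` pixels from a buffer of exactly (count + 1) / 2 bytes. */
static int run_case(size_t count, int use_fix)
{
    ptrdiff_t last = use_fix ? last_byte_rounded_up(count) : last_byte_truncated(count);
    return unpack_4bpp(tile, (count + 1) / 2, count, last, unpacked);
}

int main(void)
{
    for (size_t count = 1; count <= 3; count++)
        printf("count=%zu truncated=%d rounded_up=%d\n",
               count, run_case(count, 0), run_case(count, 1));
    return 0;
}
```

The two expressions agree for even counts; for odd counts the truncating form starts one byte too early, which for a count of 1 is already before the buffer.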