[Bug 48927] Heap buffer underflow in TiffFrameDecode_ReadTile when decoding 1x1 4bpp RGBA image
WineHQ Bugzilla
wine-bugs at winehq.org
Sun Apr 19 07:18:54 CDT 2020
https://bugs.winehq.org/show_bug.cgi?id=48927
--- Comment #6 from Dmitry Timoshkov <dmitry at baikal.ru> ---
(In reply to Thomas Faber from comment #5)
> Almost!
>
> Because this no longer rounds up "count" before dividing by two, "src" ends
> up one byte before "cached_tile" here:
> src = This->cached_tile + count / 2 - 1;
>
> I fixed this to be:
> src = This->cached_tile + (count + 1) / 2 - 1;
>
> With that modification, there's no more out of bounds access.

Thanks for testing.

> There may be other complications to consider at some point, such as whether
> byte-alignment needs to happen at the end of each row (so the bottom half of
> the last byte of each row would be skipped). But for the 1x1 case this seems
> to work great now. I've tested this using the gdiplus:image test.

That would need a real test case.
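The off-by-one discussed in this thread, as an added example that is not part of the original message and does not reproduce Wine's decoder: with two pixels packed per byte (an assumption taken from the division by two in the quoted lines), the truncating expression lands one byte before the buffer for a single pixel, while the rounded-up one stays in bounds. The function names, the nibble layout (high nibble first, no per-row padding) and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Offset of the last packed source byte, two pixels per byte (assumed). */
ptrdiff_t last_src_truncated(size_t count)  /* count / 2 - 1 */
{
    return (ptrdiff_t)(count / 2) - 1;
}

ptrdiff_t last_src_rounded(size_t count)    /* (count + 1) / 2 - 1 */
{
    return (ptrdiff_t)((count + 1) / 2) - 1;
}

/* Hypothetical helper: expand `count` 4-bit pixels (high nibble first, no
 * per-row padding) to one byte per pixel, in place and back to front.
 * `buf` holds `cap` bytes. Returns -1 instead of reading or writing
 * outside the buffer, 0 on success. */
int expand_nibbles_in_place(uint8_t *buf, size_t cap, size_t count)
{
    if (buf == NULL || count == 0 || count > cap)
        return -1;

    const uint8_t *src = buf + last_src_rounded(count);
    uint8_t *dst = buf + count;             /* one past the last output byte */

    for (size_t i = count; i-- > 0; ) {
        uint8_t b = *src;
        /* Even-indexed pixels sit in the high nibble, odd in the low one. */
        uint8_t v = (i & 1) ? (uint8_t)(b & 0x0f) : (uint8_t)(b >> 4);
        *--dst = (uint8_t)(v * 0x11);       /* scale 0..15 to 0..255 */
        if ((i & 1) == 0 && i != 0)
            --src;                          /* this source byte is consumed */
    }
    return 0;
}

int main(void)
{
    uint8_t tile[1] = { 0xA0 };             /* constructed 1x1 sample */
    int rc = expand_nibbles_in_place(tile, sizeof tile, 1);
    printf("count=1: truncated offset %td, rounded offset %td\n",
           last_src_truncated(1), last_src_rounded(1));
    printf("expand returned %d, tile[0]=0x%02X\n", rc, tile[0]);
    return 0;
}
```

Building with `-fsanitize=address` and swapping `last_src_rounded` for `last_src_truncated` in the helper makes the one-pixel case report the read before the start of the buffer.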