=?UTF-8?Q?J=C3=B3zef=20Kucia=20?=: wined3d: Avoid potential out-of-bounds memory access in surface_cpu_blt_colour_fill ().

[Alexandre Julliard]

Module: wine
Branch: master
Commit: e37b9c74f04a90ef350394720b673119e47481dd
URL:    https://source.winehq.org/git/wine.git/?a=commit;h=e37b9c74f04a90ef350394720b673119e47481dd

Author: Józef Kucia <jkucia at codeweavers.com>
Date:   Wed Jan 16 15:29:34 2019 +0100

wined3d: Avoid potential out-of-bounds memory access in surface_cpu_blt_colour_fill().

Draw rects are derived from the current viewport. It is possible to produce a
clear operation with a draw rect which lies completely outside of one of render
targets in D3D9.

It seems that we never use the CPU blitter for D3D9 render target clears, so it
might not be a problem in practice.

Signed-off-by: Józef Kucia <jkucia at codeweavers.com>
Signed-off-by: Henri Verbeet <hverbeet at codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>

---

 dlls/wined3d/surface.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dlls/wined3d/surface.c b/dlls/wined3d/surface.c
index 1b6e7a5..0ee2f82 100644
--- a/dlls/wined3d/surface.c
+++ b/dlls/wined3d/surface.c
@@ -2970,8 +2970,8 @@ static void surface_cpu_blt_colour_fill(struct wined3d_rendertarget_view *view,
 
     c = wined3d_format_convert_from_float(view->format, colour);
     bpp = view->format->byte_count;
-    w = min(box->right, view->width) - box->left;
-    h = min(box->bottom, view->height) - box->top;
+    w = min(box->right, view->width) - min(box->left, view->width);
+    h = min(box->bottom, view->height) - min(box->top, view->height);
 
     texture = texture_from_resource(view->resource);
     map_binding = texture->resource.map_binding;