avoid reading beyond the end of the line buffer in rubthrough
authorTony Cook <tony@develop-help.com>
Fri, 19 Jul 2013 10:07:24 +0000 (20:07 +1000)
committerTony Cook <tony@develop-help.com>
Fri, 19 Jul 2013 10:07:24 +0000 (20:07 +1000)
Changes
rubthru.im

diff --git a/Changes b/Changes
index 0fdeb44..d7bfcfc 100644 (file)
--- a/Changes
+++ b/Changes
@@ -1,5 +1,12 @@
 Imager release history.  Older releases can be found in Changes.old
 
+ - when drawing on an image with an alpha channel where the source
+   minimum is greater than zero, Imager would read from beyond the end
+   of a malloc() allocated buffer.  In rare circumstances this could
+   lead to some of the source image not being written to the target
+   image, or possibly to a segmentation fault.
+   I don't believe this has any security concerns beyond that.
+
 Imager 0.97 - 15 Jul 2013
 ===========
 
index 8a2465f..514ec09 100644 (file)
@@ -110,7 +110,7 @@ rubthru_targ_alpha(i_img *im, i_img *src, i_img_dim tx, i_img_dim ty,
       ++min_x;
       ++srcp;
     }
-    while (max_x > min_x && src_line[max_x-1].channel[alphachan] == 0) {
+    while (max_x > min_x && src_line[max_x-1 - src_minx].channel[alphachan] == 0) {
       --max_x;
     }