[Scummvm-git-logs] scummvm master -> 675d67fea161d9d0ea8638546c48d89482e43283

dreammaster dreammaster at scummvm.org
Sat Jul 24 18:12:56 UTC 2021 

This automated email contains information about 1 new commit which have been
pushed to the 'scummvm' repo located at https://github.com/scummvm/scummvm .

Summary:
675d67fea1 AGS: Fix crash due to reading outside source bitmap bounds


Commit: 675d67fea161d9d0ea8638546c48d89482e43283
    https://github.com/scummvm/scummvm/commit/675d67fea161d9d0ea8638546c48d89482e43283
Author: Paul Gilbert (dreammaster at scummvm.org)
Date: 2021-07-24T11:12:44-07:00

Commit Message:
AGS: Fix crash due to reading outside source bitmap bounds

Changed paths:
    engines/ags/lib/allegro/surface.cpp


diff --git a/engines/ags/lib/allegro/surface.cpp b/engines/ags/lib/allegro/surface.cpp
index efda7997d0..49e81e7685 100644
--- a/engines/ags/lib/allegro/surface.cpp
+++ b/engines/ags/lib/allegro/surface.cpp
@@ -120,8 +120,14 @@ void BITMAP::draw(const BITMAP *srcBitmap, const Common::Rect &srcRect,
 	if (cr <= cl || cb <= ct)
 		return;
 
+	// Ensure the src rect is constrained to the source bitmap
+	Common::Rect srcArea = srcRect;
+	srcArea.clip(Common::Rect(0, 0, srcBitmap->w, srcBitmap->h));
+	if (srcArea.isEmpty())
+		return;
+
 	// Figure out the dest area that will be updated
-	Common::Rect dstRect(dstX, dstY, dstX + srcRect.width(), dstY + srcRect.height());
+	Common::Rect dstRect(dstX, dstY, dstX + srcArea.width(), dstY + srcArea.height());
 	Common::Rect destRect = dstRect.findIntersectingRect(
 	                            Common::Rect(cl, ct, cr, cb));
 	if (destRect.isEmpty())
@@ -166,9 +172,9 @@ void BITMAP::draw(const BITMAP *srcBitmap, const Common::Rect &srcRect,
 			continue;
 		byte *destP = (byte *)destArea.getBasePtr(0, destY);
 		const byte *srcP = (const byte *)src.getBasePtr(
-		                       horizFlip ? srcRect.right - 1 : srcRect.left,
-		                       vertFlip ? srcRect.bottom - 1 - yCtr :
-		                       srcRect.top + yCtr);
+		                       horizFlip ? srcArea.right - 1 : srcArea.left,
+		                       vertFlip ? srcArea.bottom - 1 - yCtr :
+		                       srcArea.top + yCtr);
 
 		// Loop through the pixels of the row
 		for (int destX = xStart, xCtr = 0, xCtrBpp = 0; xCtr < dstRect.width(); ++destX, ++xCtr, xCtrBpp += src.format.bytesPerPixel) {

More information about the Scummvm-git-logs mailing list