[Libdlo] [PATCH] Fix buffer overflow in cmd_stripe24.
Quentin Stafford-Fraser
quentin at pobox.com
Sun May 24 11:01:57 PDT 2009
Signed-off-by: Quentin Stafford-Fraser <quentin at pobox.com>
---
src/dlo_grfx.c | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/src/dlo_grfx.c b/src/dlo_grfx.c
index 3e9008a..54f41ed 100644
--- a/src/dlo_grfx.c
+++ b/src/dlo_grfx.c
@@ -690,6 +690,10 @@ static dlo_retcode_t cmd_stripe24(dlo_device_t *
const dev, dlo_ptr_t base16, dl
*(dev->bufptr)++ = (char)(base16 & 0xFF);
*(dev->bufptr)++ = rem >= RAW_MAX_PIXELS ? 0 : rem;
+ /* Flush the command buffer if it's getting full */
+ if (dev->bufend - dev->bufptr - BYTES_PER_16BPP * RAW_MAX_PIXELS
< BUF_HIGH_WATER_MARK)
+ ERR(dlo_usb_write(dev));
+
for (pix = 0; pix < (rem >= RAW_MAX_PIXELS ? RAW_MAX_PIXELS :
rem); pix++)
{
dlo_col16_t col = *ptr_col16++;
@@ -711,6 +715,10 @@ static dlo_retcode_t cmd_stripe24(dlo_device_t *
const dev, dlo_ptr_t base16, dl
*(dev->bufptr)++ = (char)(base8 & 0xFF);
*(dev->bufptr)++ = rem >= RAW_MAX_PIXELS ? 0 : rem;
+ /* Flush the command buffer if it's getting full */
+ if (dev->bufend - dev->bufptr - BYTES_PER_8BPP * RAW_MAX_PIXELS <
BUF_HIGH_WATER_MARK)
+ ERR(dlo_usb_write(dev));
+
for (pix = 0; pix < (rem >= RAW_MAX_PIXELS ? RAW_MAX_PIXELS :
rem); pix++)
*(dev->bufptr)++ = (char)(*ptr_col8++);
--
1.6.0.4
More information about the Libdlo
mailing list