Image: Fix a dynamic-stack-buffer-overflow when filling polygons
Make sure we don't read past the end of global_edges when i = 0. We are moving the elements backwards so at most n_global_edges - 1 elements can be moved.

==6818==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffff888ae00 at pc 0x7fe4fd7be8ae bp 0x7ffff888ac90 sp 0x7ffff888a440
READ of size 96 at 0x7ffff888ae00 thread T0
    #0 0x7fe4fd7be8ad in __interceptor_memmove (/lib/x86_64-linux-gnu/libasan.so.5+0x378ad)
    #1 0x56524b2dba31 in Image::Fill(unsigned int, int, Polygon const&) /root/zoneminder/src/zm_image.cpp:2514
    #2 0x56524af55530 in Monitor::DumpZoneImage(char const*) /root/zoneminder/src/zm_monitor.cpp:1510
    #3 0x56524aeb38cb in main /root/zoneminder/src/zmu.cpp:574
    #4 0x7fe4fb2b009a in __libc_start_main ../csu/libc-start.c:308
    #5 0x56524aeb87a9 in _start (/root/zoneminder/cmake-build-relwithdebinfo-remote/src/zmu+0xf87a9)
parent
09665b139f
commit
63cea992a0
|
@ -2512,8 +2512,7 @@ void Image::Fill(Rgb colour, int density, const Polygon &polygon) {
|
||||||
Debug(9, "Moving global edge");
|
Debug(9, "Moving global edge");
|
||||||
active_edges[n_active_edges++] = global_edges[i];
|
active_edges[n_active_edges++] = global_edges[i];
|
||||||
if ( i < (n_global_edges-1) ) {
|
if ( i < (n_global_edges-1) ) {
|
||||||
//memcpy( &global_edges[i], &global_edges[i+1], sizeof(*global_edges)*(n_global_edges-i) );
|
memmove(&global_edges[i], &global_edges[i + 1], sizeof(*global_edges) * (n_global_edges - i - 1));
|
||||||
memmove( &global_edges[i], &global_edges[i+1], sizeof(*global_edges)*(n_global_edges-i) );
|
|
||||||
i--;
|
i--;
|
||||||
}
|
}
|
||||||
n_global_edges--;
|
n_global_edges--;
|
||||||
|
|
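Review bot: The new length `sizeof(*global_edges) * (n_global_edges - i - 1)` is only in bounds because of the enclosing `if ( i < (n_global_edges-1) )`, and nothing at the memmove says so. The declarations of `i` and `n_global_edges` are outside the hunk, but if they are signed ints, dropping or loosening that guard would let the count reach zero or go negative and convert to a very large `size_t`. I would add a comment above the call such as `// shift the n_global_edges - i - 1 edges after slot i down by one; the guard keeps this count >= 1`. Alternatively, `std::move(global_edges + i + 1, global_edges + n_global_edges, global_edges + i);` states the range by its end pointer and removes the hand-computed byte count that caused the over-read, provided `<algorithm>` is available in this file. Image::Fill starts and ends outside the hunk, so any other compaction in it that uses the same memmove pattern (for example on `active_edges`) should be checked for the same off-by-one.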