Image: Fix a dynamic-stack-buffer-overflow when filling polygons

Make sure we don't read past the end of global_edges when i = 0.
We are moving the elements backwards so at most n_global_edges - 1 elements can be moved.

==6818==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffff888ae00 at pc 0x7fe4fd7be8ae bp 0x7ffff888ac90 sp 0x7ffff888a440
READ of size 96 at 0x7ffff888ae00 thread T0
    #0 0x7fe4fd7be8ad in __interceptor_memmove (/lib/x86_64-linux-gnu/libasan.so.5+0x378ad)
    #1 0x56524b2dba31 in Image::Fill(unsigned int, int, Polygon const&) /root/zoneminder/src/zm_image.cpp:2514
    #2 0x56524af55530 in Monitor::DumpZoneImage(char const*) /root/zoneminder/src/zm_monitor.cpp:1510
    #3 0x56524aeb38cb in main /root/zoneminder/src/zmu.cpp:574
    #4 0x7fe4fb2b009a in __libc_start_main ../csu/libc-start.c:308
    #5 0x56524aeb87a9 in _start (/root/zoneminder/cmake-build-relwithdebinfo-remote/src/zmu+0xf87a9)

(cherry picked from commit 63cea992a0)
Peter Keresztes Schmidt 2021-05-16 15:20:16 +02:00
parent d1002fbf91
commit bcb2f63fab
1 changed files with 1 additions and 2 deletions

@ -2511,8 +2511,7 @@ void Image::Fill(Rgb colour, int density, const Polygon &polygon) {
Debug(9, "Moving global edge");
active_edges[n_active_edges++] = global_edges[i];
if ( i < (n_global_edges-1) ) {
//memcpy( &global_edges[i], &global_edges[i+1], sizeof(*global_edges)*(n_global_edges-i) );
memmove( &global_edges[i], &global_edges[i+1], sizeof(*global_edges)*(n_global_edges-i) );
memmove(&global_edges[i], &global_edges[i + 1], sizeof(*global_edges) * (n_global_edges - i - 1));
i--;
}
n_global_edges--;
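
Review bot: The new count `sizeof(*global_edges) * (n_global_edges - i - 1)` in the `memmove` call stays positive only because of the enclosing `if ( i < (n_global_edges-1) )` guard, and nothing in the hunk records that dependency. If the guard is later loosened, or the subtraction goes negative and is converted to `size_t`, the length becomes enormous and the over-read returns in a worse form. A one-line comment above the call, stating that the count is the number of elements after index `i`, would make the invariant explicit. Separately, the removed count `n_global_edges-i` with a source of `&global_edges[i+1]` read up to index `n_global_edges` for every `i` that passes the guard, so the fix covers more than the `i = 0` case named in the message. It would be worth keeping the `zmu` zone-image dump from the trace as an ASan regression run.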