Image: Fix a dynamic-stack-buffer-overflow when filling polygons
Make sure we don't read past the end of global_edges when i = 0.
We are moving the elements backwards so at most n_global_edges - 1 elements can be moved.
==6818==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffff888ae00 at pc 0x7fe4fd7be8ae bp 0x7ffff888ac90 sp 0x7ffff888a440
READ of size 96 at 0x7ffff888ae00 thread T0
#0 0x7fe4fd7be8ad in __interceptor_memmove (/lib/x86_64-linux-gnu/libasan.so.5+0x378ad)
#1 0x56524b2dba31 in Image::Fill(unsigned int, int, Polygon const&) /root/zoneminder/src/zm_image.cpp:2514
#2 0x56524af55530 in Monitor::DumpZoneImage(char const*) /root/zoneminder/src/zm_monitor.cpp:1510
#3 0x56524aeb38cb in main /root/zoneminder/src/zmu.cpp:574
#4 0x7fe4fb2b009a in __libc_start_main ../csu/libc-start.c:308
#5 0x56524aeb87a9 in _start (/root/zoneminder/cmake-build-relwithdebinfo-remote/src/zmu+0xf87a9)
(cherry picked from commit 63cea992a0)
parent
d1002fbf91
commit
bcb2f63fab
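--- a/src/zm_image.cpp
+++ b/src/zm_image.cpp
@@ -2511,8 +2511,7 @@ void Image::Fill(Rgb colour, int density, const Polygon &polygon) {
 Debug(9, "Moving global edge");
 active_edges[n_active_edges++] = global_edges[i];
 if ( i < (n_global_edges-1) ) {
-//memcpy( &global_edges[i], &global_edges[i+1], sizeof(*global_edges)*(n_global_edges-i) );
-memmove( &global_edges[i], &global_edges[i+1], sizeof(*global_edges)*(n_global_edges-i) );
+memmove(&global_edges[i], &global_edges[i + 1], sizeof(*global_edges) * (n_global_edges - i - 1));
 i--;
 }
 n_global_edges--;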
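Review bot: The write `active_edges[n_active_edges++] = global_edges[i];` just above the corrected memmove has no capacity check visible in this hunk. The ASan report shows global_edges is a dynamically sized stack buffer, and active_edges presumably is too, so an overrun there would be a stack write rather than the out-of-bounds read fixed here. Both declarations sit outside the hunk in Image::Fill, so please confirm active_edges is allocated for at least as many entries as global_edges, and say so in a one-line comment at the declaration. The new count `n_global_edges - i - 1` looks right for shifting the tail down by one slot; a comment such as `// move only the entries after slot i; the last valid index is n_global_edges - 1` would help keep the off-by-one from coming back.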