Module: wine Branch: master Commit: e37b9c74f04a90ef350394720b673119e47481dd URL: https://source.winehq.org/git/wine.git/?a=commit;h=e37b9c74f04a90ef350394720...

Author: Józef Kucia jkucia@codeweavers.com Date: Wed Jan 16 15:29:34 2019 +0100

wined3d: Avoid potential out-of-bounds memory access in surface_cpu_blt_colour_fill().

Draw rects are derived from the current viewport. It is possible to produce a clear operation with a draw rect which lies completely outside of one of render targets in D3D9.

It seems that we never use the CPU blitter for D3D9 render target clears, so it might not be a problem in practice.

Signed-off-by: Józef Kucia jkucia@codeweavers.com Signed-off-by: Henri Verbeet hverbeet@codeweavers.com Signed-off-by: Alexandre Julliard julliard@winehq.org

---

dlls/wined3d/surface.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dlls/wined3d/surface.c b/dlls/wined3d/surface.c index 1b6e7a5..0ee2f82 100644 --- a/dlls/wined3d/surface.c +++ b/dlls/wined3d/surface.c @@ -2970,8 +2970,8 @@ static void surface_cpu_blt_colour_fill(struct wined3d_rendertarget_view *view,

c = wined3d_format_convert_from_float(view->format, colour); bpp = view->format->byte_count; - w = min(box->right, view->width) - box->left; - h = min(box->bottom, view->height) - box->top; + w = min(box->right, view->width) - min(box->left, view->width); + h = min(box->bottom, view->height) - min(box->top, view->height);

texture = texture_from_resource(view->resource); map_binding = texture->resource.map_binding;