From d396258866850f1789b5973b17dcfd0c4d9089e7 Mon Sep 17 00:00:00 2001
From: KOVACS Krisztian
Date: Tue, 7 Nov 2017 13:52:09 +0100
Subject: [PATCH] codec/nsc: fix memory corruption in case of chroma subsampling

For odd number of rows, the memory copy operation was broken: after exiting the loop, yplane points to the end of the last row data, and thus (yplane + rw) points *after* the end of the last row.
---
 libfreerdp/codec/nsc_encode.c | 10 +++++++---
 libfreerdp/codec/nsc_sse2.c | 10 +++++++---
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/libfreerdp/codec/nsc_encode.c b/libfreerdp/codec/nsc_encode.c
index 716cfe812..57c90f70c 100644
--- a/libfreerdp/codec/nsc_encode.c
+++ b/libfreerdp/codec/nsc_encode.c
@@ -237,9 +237,13 @@ static void nsc_encode_argb_to_aycocg(NSC_CONTEXT* context, const BYTE* data,
 if (context->ChromaSubsamplingLevel && (y % 2) == 1)
 {
- CopyMemory(yplane + rw, yplane, rw);
- CopyMemory(coplane + rw, coplane, rw);
- CopyMemory(cgplane + rw, cgplane, rw);
+ yplane = context->priv->PlaneBuffers[0] + y * rw;
+ coplane = context->priv->PlaneBuffers[1] + y * rw;
+ cgplane = context->priv->PlaneBuffers[2] + y * rw;
+
+ CopyMemory(yplane, yplane - rw, rw);
+ CopyMemory(coplane, coplane - rw, rw);
+ CopyMemory(cgplane, cgplane - rw, rw);
 }
 }
diff --git a/libfreerdp/codec/nsc_sse2.c b/libfreerdp/codec/nsc_sse2.c
index 940aad054..cf91c1bd2 100644
--- a/libfreerdp/codec/nsc_sse2.c
+++ b/libfreerdp/codec/nsc_sse2.c
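Review bot: In the nsc_encode.c hunk the three destination rows at `PlaneBuffers[n] + y * rw` are written with nothing in view showing that each plane buffer holds `y + 1` rows of `rw` bytes. Going by the commit message this block runs after the row loop, so `y` is presumably the odd image height and the copy lands in a padding row. The size assumption deserves a comment above the assignments, e.g. `/* odd height: duplicate the last row into the padding row; each plane buffer must hold height + 1 rows of rw bytes */`, and, if the context records the allocated plane length, a debug check that `(y + 1) * rw` does not exceed it. The same applies to the identical hunk in nsc_sse2.c. The allocation and the loop are outside both hunks, so confirm that the buffers are sized from the height rounded up to an even row count.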
@@ -326,9 +326,13 @@ static void nsc_encode_argb_to_aycocg_sse2(NSC_CONTEXT* context,
 if (context->ChromaSubsamplingLevel > 0 && (y % 2) == 1)
 {
- CopyMemory(yplane + rw, yplane, rw);
- CopyMemory(coplane + rw, coplane, rw);
- CopyMemory(cgplane + rw, cgplane, rw);
+ yplane = context->priv->PlaneBuffers[0] + y * rw;
+ coplane = context->priv->PlaneBuffers[1] + y * rw;
+ cgplane = context->priv->PlaneBuffers[2] + y * rw;
+
+ CopyMemory(yplane, yplane - rw, rw);
+ CopyMemory(coplane, coplane - rw, rw);
+ CopyMemory(cgplane, cgplane - rw, rw);
 }
 }