From b8f972d59e5a8f4240a41153837fb45d361d1840 Mon Sep 17 00:00:00 2001
From: Aleix Pol
Date: Thu, 17 Jun 2021 21:03:56 +0200
Subject: [PATCH] Fix crash when the destination stride != source stride
When we allocate the locally mapped texture size, use the announced stride (aka bytes per line) instead of the texture width. Otherwise we might overflow and crash eventually.
BUG: 438815
---
 framebuffers/pipewire/pw_framebuffer.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/framebuffers/pipewire/pw_framebuffer.cpp b/framebuffers/pipewire/pw_framebuffer.cpp
index 0d2465db..3401f424 100644
--- a/framebuffers/pipewire/pw_framebuffer.cpp
+++ b/framebuffers/pipewire/pw_framebuffer.cpp
@@ -649,6 +649,7 @@ void PWFrameBuffer::Private::handleFrame(pw_buffer *pwBuffer)
 }
 std::function cleanup;
+ const qint64 srcStride = spaBuffer->datas[0].chunk->stride;
 if (spaBuffer->datas->type == SPA_DATA_MemFd) {
 uint8_t *map = static_cast(mmap( nullptr, spaBuffer->datas->maxsize + spaBuffer->datas->mapoffset,
@@ -704,7 +705,7 @@ void PWFrameBuffer::Private::handleFrame(pw_buffer *pwBuffer)
 glBindTexture(GL_TEXTURE_2D, texture);
 glEGLImageTargetTexture2DOES(GL_TEXTURE_2D, image);
- src = static_cast(malloc(streamSize.width() * streamSize.height() * BYTES_PER_PIXEL));
+ src = static_cast(malloc(srcStride * streamSize.height()));
 GLenum glFormat = GL_BGRA;
 switch (videoFormat->format) {
@@ -792,7 +793,7 @@ void PWFrameBuffer::Private::handleFrame(pw_buffer *pwBuffer)
 }
 const qint32 dstStride = videoSize.width() * BYTES_PER_PIXEL;
- const qint32 srcStride = spaBuffer->datas[0].chunk->stride;
+ Q_ASSERT(dstStride <= srcStride);
 if (!videoFullHeight && (videoMetadata->region.position.y + videoSize.height() <= streamSize.height())) {
 src += srcStride * videoMetadata->region.position.y;
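Review bot: `srcStride` is read from `spaBuffer->datas[0].chunk->stride` in the first hunk and used without any range check, although the value is set by the stream producer and SPA declares the field as a signed 32-bit integer. A zero or negative stride would flow into the `malloc` size in the second hunk and into the `src += srcStride * …` offset in the third. I would reject the frame right after the read, e.g. `if (srcStride <= 0) { /* warn and drop the frame */ return; }`, keeping whatever handleFrame normally does on its exit paths; the start and end of the function are outside this hunk. A comment such as `// stride is producer-controlled: validate before sizing or indexing buffers` would make the trust boundary explicit.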
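Review bot: The `malloc` size in the second hunk now depends only on `srcStride`, so a producer announcing a stride smaller than `streamSize.width() * BYTES_PER_PIXEL` gets a smaller buffer than the old code allocated. If the texture readback that presumably follows the `switch` (outside this hunk) writes tightly packed rows of the full width, such a frame would write past the end of `src`. Sizing with the larger of the two keeps the previous lower bound: `qMax<qint64>(srcStride, qint64(streamSize.width()) * BYTES_PER_PIXEL) * streamSize.height()`. The visible lines also do not check the `malloc` result, so a failed allocation should drop the frame before `src` is used.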
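Review bot: `Q_ASSERT(dstStride <= srcStride)` in the third hunk is compiled out when `QT_NO_DEBUG` is defined, so release builds get no protection from it, while debug builds abort the whole server on a single bad frame. The condition depends on data announced by the stream rather than on a programming invariant, so it belongs in a runtime check such as `if (srcStride < dstStride) { /* warn, release the mapping, skip this frame */ }`. The copy that consumes both strides, and the point where the `cleanup` callback from the first hunk is invoked, are outside this hunk, so the early exit has to go through that same release path.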