From 599c80f8f25675af33d0c357cb9c35b63e063d0d Mon Sep 17 00:00:00 2001
From: Thomas Faber
Date: Thu, 20 Apr 2017 07:30:01 +0000
Subject: [PATCH] [VGADDI] - Fix buffer overflow in DIB_BltFromVGA. A byte fits two pixels.
svn path=/trunk/; revision=74382
---
 reactos/win32ss/drivers/displays/vga/vgavideo/vgavideo.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/reactos/win32ss/drivers/displays/vga/vgavideo/vgavideo.c b/reactos/win32ss/drivers/displays/vga/vgavideo/vgavideo.c
index f0bb813e5dd..e5003532680 100644
--- a/reactos/win32ss/drivers/displays/vga/vgavideo/vgavideo.c
+++ b/reactos/win32ss/drivers/displays/vga/vgavideo/vgavideo.c
@@ -369,6 +369,7 @@ void DIB_BltFromVGA(int x, int y, int w, int h, void *b, int Dest_lDelta)
 stride = 0;
 rightcount = w;
 }
+ rightcount = (rightcount + 1) / 2;
 /* Reset the destination. */
 for (j = 0; j < h; j++)
@@ -414,7 +415,7 @@ void DIB_BltFromVGA(int x, int y, int w, int h, void *b, int Dest_lDelta)
 row = UnpackPixel[pixel] << plane;
- /* Store the data for each pixel in the destination. */
+ /* Store the data for each byte in the destination. */
 for (i = 0; i < rightcount; i++)
 {
 ((PUCHAR)destline)[i] |= (row & 0xFF);
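Review bot: The added `rightcount = (rightcount + 1) / 2;` in the first hunk turns `rightcount` from a pixel count into a byte count for the rest of DIB_BltFromVGA, and nothing at that line says so. That conversion is what bounds the store loop in the second hunk, so I would document it where it happens, e.g. `/* Two pixels per destination byte; round up so an odd trailing pixel keeps its byte. */`, or hold the result in a separately named byte-count variable. The visible lines never compare the rounded-up count with `Dest_lDelta`, so whether a destination row always has room for it appears to depend on the callers. The function body starts and ends outside both hunks, so the reset loop and the remaining stores could not be checked here.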