Index: fbbltone.c =================================================================== RCS file: /cvs/XF4/xc/programs/Xserver/fb/fbbltone.c,v retrieving revision 1.2 diff -u -p -r1.2 fbbltone.c --- fbbltone.c 3 Nov 2004 00:07:51 -0000 1.2 +++ fbbltone.c 15 Aug 2005 19:53:17 -0000 @@ -48,12 +48,12 @@ #define LoadBits {\ if (leftShift) { \ - bitsRight = *src++; \ + bitsRight = (src < srcEnd ? *src++ : 0); \ bits = (FbStipLeft (bitsLeft, leftShift) | \ FbStipRight(bitsRight, rightShift)); \ bitsLeft = bitsRight; \ } else \ - bits = *src++; \ + bits = (src < srcEnd ? *src++ : 0); \ } #ifndef FBNOPIXADDR @@ -147,6 +147,7 @@ fbBltOne (FbStip *src, FbBits bgxor) { const FbBits *fbBits; + FbBits *srcEnd; int pixelsPerDst; /* dst pixels per FbBits */ int unitsPerSrc; /* src patterns per FbStip */ int leftShift, rightShift; /* align source with dest */ @@ -177,7 +178,12 @@ fbBltOne (FbStip *src, return; } #endif - + + /* + * Do not read past the end of the buffer! + */ + srcEnd = src + height * srcStride; + /* * Number of destination units in FbBits == number of stipple pixels * used each time @@ -528,7 +534,7 @@ const FbBits fbStipple24Bits[3][1 << FbS stip = FbLeftStipBits(bits, len); \ } else { \ stip = FbLeftStipBits(bits, remain); \ - bits = *src++; \ + bits = (src < srcEnd ? *src++ : 0); \ __len = (len) - remain; \ stip = FbMergePartStip24Bits(stip, FbLeftStipBits(bits, __len), \ remain, __len); \ @@ -579,7 +585,7 @@ fbBltOne24 (FbStip *srcLine, FbBits bgand, FbBits bgxor) { - FbStip *src; + FbStip *src, *srcEnd; FbBits leftMask, rightMask, mask; int nlMiddle, nl; FbStip stip, bits; @@ -589,6 +595,11 @@ fbBltOne24 (FbStip *srcLine, int rot0, rot; int nDst; + /* + * Do not read past the end of the buffer! + */ + srcEnd = srcLine + height * srcStride; + srcLine += srcX >> FB_STIP_SHIFT; dst += dstX >> FB_SHIFT; srcX &= FB_STIP_MASK;