video_buffer: Do not call memcpy() with the size greater than dest.

Calling memcpy() with the size greater than dest may lead to a segfault,
since this causes a buffer overrun.
The pitch size of src is not guaranteed to have the same size as dest.
So it should use min value.

Change-Id: I3b4125cc7faa02bfc52e904160ffe711dc354594

diff --git a/src/bin/video/e_comp_wl_video_buffer.c b/src/bin/video/e_comp_wl_video_buffer.c
index c3ecbf5800ad3d9bcd03749b28addd087944d9c0..812a38d0d1fe52b9cfb4c358df820e705bad9eeb 100644 (file)
--- a/src/bin/video/e_comp_wl_video_buffer.c
+++ b/src/bin/video/e_comp_wl_video_buffer.c
@@ -768,6 +768,7 @@ e_comp_wl_video_buffer_copy(E_Comp_Wl_Video_Buf *srcbuf, E_Comp_Wl_Video_Buf *ds
 {
    int i, j, c_height;
    unsigned char *s, *d;
+   uint pitch;
 
    EINA_SAFETY_ON_FALSE_RETURN_VAL(VBUF_IS_VALID(srcbuf), EINA_FALSE);
    EINA_SAFETY_ON_FALSE_RETURN_VAL(VBUF_IS_VALID(dstbuf), EINA_FALSE);
@@ -788,9 +789,10 @@ e_comp_wl_video_buffer_copy(E_Comp_Wl_Video_Buf *srcbuf, E_Comp_Wl_Video_Buf *ds
       case TBM_FORMAT_YVU422:
          s = (unsigned char*)srcbuf->ptrs[0];
          d = (unsigned char*)dstbuf->ptrs[0];
+         pitch = MIN(srcbuf->pitches[0], dstbuf->pitches[0]);
          for (i = 0; i < srcbuf->height; i++)
            {
-              memcpy(d, s, srcbuf->pitches[0]);
+              memcpy(d, s, pitch);
               s += srcbuf->pitches[0];
               d += dstbuf->pitches[0];
            }
@@ -801,10 +803,11 @@ e_comp_wl_video_buffer_copy(E_Comp_Wl_Video_Buf *srcbuf, E_Comp_Wl_Video_Buf *ds
            {
               s = (unsigned char*)srcbuf->ptrs[i] + srcbuf->offsets[i];
               d = (unsigned char*)dstbuf->ptrs[i] + dstbuf->offsets[i];
+              pitch = MIN(srcbuf->pitches[i], dstbuf->pitches[i]);
               c_height = (i == 0) ? srcbuf->height : srcbuf->height / 2;
               for (j = 0; j < c_height; j++)
                 {
-                   memcpy(d, s, srcbuf->pitches[i]);
+                   memcpy(d, s, pitch);
                    s += srcbuf->pitches[i];
                    d += dstbuf->pitches[i];
                 }
@@ -816,10 +819,11 @@ e_comp_wl_video_buffer_copy(E_Comp_Wl_Video_Buf *srcbuf, E_Comp_Wl_Video_Buf *ds
            {
               s = (unsigned char*)srcbuf->ptrs[i] + srcbuf->offsets[i];
               d = (unsigned char*)dstbuf->ptrs[i] + dstbuf->offsets[i];
+              pitch = MIN(srcbuf->pitches[i], dstbuf->pitches[i]);
               c_height = (i == 0) ? srcbuf->height : srcbuf->height / 2;
               for (j = 0; j < c_height; j++)
                 {
-                   memcpy(d, s, srcbuf->pitches[i]);
+                   memcpy(d, s, pitch);
                    s += srcbuf->pitches[i];
                    d += dstbuf->pitches[i];
                 }