From 5c9d90efa2215aa3657917a967e8b670f0bb8c6c Mon Sep 17 00:00:00 2001
From: Seunghun Lee
Date: Mon, 26 Oct 2020 15:36:43 +0900
Subject: [PATCH] video_buffer: Do not call memcpy() with the size greater than dest.
Calling memcpy() with the size greater than dest may lead to a segfault, since this causes a buffer overrun. The pitch size of src is not guaranteed to have the same size as dest. So it should use min value.
Change-Id: I3b4125cc7faa02bfc52e904160ffe711dc354594
---
 src/bin/video/e_comp_wl_video_buffer.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/bin/video/e_comp_wl_video_buffer.c b/src/bin/video/e_comp_wl_video_buffer.c
index c3ecbf5800..812a38d0d1 100644
--- a/src/bin/video/e_comp_wl_video_buffer.c
+++ b/src/bin/video/e_comp_wl_video_buffer.c
@@ -768,6 +768,7 @@ e_comp_wl_video_buffer_copy(E_Comp_Wl_Video_Buf *srcbuf, E_Comp_Wl_Video_Buf *ds
 {
 int i, j, c_height;
 unsigned char *s, *d;
+ uint pitch;
 EINA_SAFETY_ON_FALSE_RETURN_VAL(VBUF_IS_VALID(srcbuf), EINA_FALSE);
 EINA_SAFETY_ON_FALSE_RETURN_VAL(VBUF_IS_VALID(dstbuf), EINA_FALSE);
@@ -788,9 +789,10 @@ e_comp_wl_video_buffer_copy(E_Comp_Wl_Video_Buf *srcbuf, E_Comp_Wl_Video_Buf *ds
 case TBM_FORMAT_YVU422:
 s = (unsigned char*)srcbuf->ptrs[0];
 d = (unsigned char*)dstbuf->ptrs[0];
+ pitch = MIN(srcbuf->pitches[0], dstbuf->pitches[0]);
 for (i = 0; i < srcbuf->height; i++)
 {
- memcpy(d, s, srcbuf->pitches[0]);
+ memcpy(d, s, pitch);
 s += srcbuf->pitches[0];
 d += dstbuf->pitches[0];
 }
@@ -801,10 +803,11 @@ e_comp_wl_video_buffer_copy(E_Comp_Wl_Video_Buf *srcbuf, E_Comp_Wl_Video_Buf *ds
 {
 s = (unsigned char*)srcbuf->ptrs[i] + srcbuf->offsets[i];
 d = (unsigned char*)dstbuf->ptrs[i] + dstbuf->offsets[i];
+ pitch = MIN(srcbuf->pitches[i], dstbuf->pitches[i]);
 c_height = (i == 0) ? srcbuf->height : srcbuf->height / 2;
 for (j = 0; j < c_height; j++)
 {
- memcpy(d, s, srcbuf->pitches[i]);
+ memcpy(d, s, pitch);
 s += srcbuf->pitches[i];
 d += dstbuf->pitches[i];
 }
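Review bot: The row count in the packed-format loop is still taken from the source alone (`i < srcbuf->height`) while `d` advances by `dstbuf->pitches[0]`, so clamping the per-row length does not stop the loop from writing past the end of a destination that has fewer rows than the source. Unless code outside this hunk already rejects mismatched dimensions, bound the loop with `MIN(srcbuf->height, dstbuf->height)` or return `EINA_FALSE` when the heights differ. The same applies to `c_height` in the two planar loops at -801 and -816, which is derived only from `srcbuf->height`. The function body starts and ends outside the hunk, so an earlier size check may exist but is not visible here.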
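Review bot: When `dstbuf->pitches[i]` is larger than `srcbuf->pitches[i]`, the clamped `memcpy(d, s, pitch)` leaves the tail of every destination row unwritten, so whatever the buffer held before stays in place; the new code neither documents nor handles that. A comment above the `pitch = MIN(...)` line would make the contract explicit, for example `/* copy only the bytes both rows have; the rest of a wider dst row is left as is */`. If a consumer ever reads those row tails, the remainder could be cleared after the copy with `memset(d + pitch, 0, dstbuf->pitches[i] - pitch);`. The same holds for the packed-format loop at -788 and the planar loop at -816, and the loop over `i` that encloses this code begins outside the hunk.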
@@ -816,10 +819,11 @@ e_comp_wl_video_buffer_copy(E_Comp_Wl_Video_Buf *srcbuf, E_Comp_Wl_Video_Buf *ds
 {
 s = (unsigned char*)srcbuf->ptrs[i] + srcbuf->offsets[i];
 d = (unsigned char*)dstbuf->ptrs[i] + dstbuf->offsets[i];
+ pitch = MIN(srcbuf->pitches[i], dstbuf->pitches[i]);
 c_height = (i == 0) ? srcbuf->height : srcbuf->height / 2;
 for (j = 0; j < c_height; j++)
 {
- memcpy(d, s, srcbuf->pitches[i]);
+ memcpy(d, s, pitch);
 s += srcbuf->pitches[i];
 d += dstbuf->pitches[i];
 }
--
2.34.1
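Review bot: The clamp-and-copy loop now exists three times in this function (here and at -788 and -801), and keeping a memory-safety bound correct by hand in three places makes it easy for a later fix to miss one. A small static helper taking both pitches and the row count would hold the `MIN()` in one place. The sketch below uses a proposed helper name and assumes the pitches are unsigned integers, which the hunk does not show. The loop over `i` that encloses this code starts outside the hunk.

```c
/* Copy `rows` rows from s to d, writing at most one dst row's worth per step. */
static void
_video_buffer_plane_copy(unsigned char *d, const unsigned char *s,
                         unsigned int dst_pitch, unsigned int src_pitch,
                         int rows)
{
   unsigned int len = MIN(src_pitch, dst_pitch);
   int j;

   for (j = 0; j < rows; j++)
     {
        memcpy(d, s, len);
        s += src_pitch;
        d += dst_pitch;
     }
}

/* … unchanged: s, d and c_height setup for plane i … */
_video_buffer_plane_copy(d, s, dstbuf->pitches[i], srcbuf->pitches[i], c_height);
```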