From e37b9c74f04a90ef350394720b673119e47481dd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B3zef=20Kucia?=
Date: Wed, 16 Jan 2019 15:29:34 +0100
Subject: [PATCH] wined3d: Avoid potential out-of-bounds memory access in surface_cpu_blt_colour_fill().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Draw rects are derived from the current viewport. It is possible to produce a clear operation with a draw rect which lies completely outside of one of render targets in D3D9. It seems that we never use the CPU blitter for D3D9 render target clears, so it might not be a problem in practice.
Signed-off-by: Józef Kucia
Signed-off-by: Henri Verbeet
Signed-off-by: Alexandre Julliard
---
 dlls/wined3d/surface.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dlls/wined3d/surface.c b/dlls/wined3d/surface.c
index 1b6e7a5a065..0ee2f826637 100644
--- a/dlls/wined3d/surface.c
+++ b/dlls/wined3d/surface.c
@@ -2970,8 +2970,8 @@ static void surface_cpu_blt_colour_fill(struct wined3d_rendertarget_view *view,
 c = wined3d_format_convert_from_float(view->format, colour);
 bpp = view->format->byte_count;
- w = min(box->right, view->width) - box->left;
- h = min(box->bottom, view->height) - box->top;
+ w = min(box->right, view->width) - min(box->left, view->width);
+ h = min(box->bottom, view->height) - min(box->top, view->height);
 texture = texture_from_resource(view->resource);
 map_binding = texture->resource.map_binding;
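Review bot: After the two `+` lines, `w` or `h` can be zero while the other is not, and nothing visible in the hunk stops the function from continuing into the texture mapping and fill for that empty rectangle. The function body continues outside the hunk, so whether the later destination pointer is still computed from the unclamped `box->left`/`box->top` cannot be confirmed from here; an explicit `if (!w || !h) return;` directly after the two assignments would make the out-of-view case a no-op regardless of how the fill loops are written. The subtraction also still relies on `box->left <= box->right` and `box->top <= box->bottom`; if those fields are unsigned (their declaration is not shown), an inverted box would wrap to a huge extent. A short comment such as `/* Clamp both edges: the draw rect may lie entirely outside this view. */` would record why both sides are clamped.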