[cximage] Crop too large image/frame in Decode. This fixes a theoretically possible access violation.

1 files changed, 8 insertions, 4 deletions

diff --git a/xbmc/guilib/cximage.cpp b/xbmc/guilib/cximage.cpp
index d1b9273c56..d057ce9a8b 100644
--- a/xbmc/guilib/cximage.cpp
+++ b/xbmc/guilib/cximage.cpp
@@ -20,6 +20,7 @@
  */
 #include "cximage.h"
 #include "utils/log.h"
+#include <algorithm>
 
 CXImage::CXImage(const std::string& strMimeType): m_strMimeType(strMimeType), m_thumbnailbuffer(NULL)
 {
@@ -70,17 +71,20 @@ bool CXImage::Decode(unsigned char* const pixels, unsigned int width, unsigned i
   if (m_image.width == 0 || m_image.height == 0 || !m_dll.IsLoaded())
     return false;
 
+  unsigned int copyWidth = std::min(m_width, width);
+  unsigned int copyHeight = std::min(m_height, height);
+
   unsigned int dstPitch = pitch;
   unsigned int srcPitch = ((m_image.width + 1)* 3 / 4) * 4; // bitmap row length is aligned to 4 bytes
 
   unsigned char *dst = (unsigned char*)pixels;
   unsigned char *src = m_image.texture + (m_height - 1) * srcPitch;
 
-  for (unsigned int y = 0; y < m_height; y++)
+  for (unsigned int y = 0; y < copyHeight; y++)
   {
     unsigned char *dst2 = dst;
     unsigned char *src2 = src;
-    for (unsigned int x = 0; x < m_width; x++, dst2 += 4, src2 += 3)
+    for (unsigned int x = 0; x < copyWidth; x++, dst2 += 4, src2 += 3)
     {
       dst2[0] = src2[0];
       dst2[1] = src2[1];
@@ -96,12 +100,12 @@ bool CXImage::Decode(unsigned char* const pixels, unsigned int width, unsigned i
     dst = (unsigned char*)pixels + 3;
     src = m_image.alpha + (m_height - 1) * m_width;
 
-    for (unsigned int y = 0; y < m_height; y++)
+    for (unsigned int y = 0; y < copyHeight; y++)
     {
       unsigned char *dst2 = dst;
       unsigned char *src2 = src;
 
-      for (unsigned int x = 0; x < m_width; x++,  dst2+=4, src2++)
+      for (unsigned int x = 0; x < copyWidth; x++,  dst2+=4, src2++)
         *dst2 = *src2;
       src -= m_width;
       dst += dstPitch;