h264: Use consistent size of scaling buffer

This fixes out-of-bounds writes when there is a mismatch between the pixel buffer's stride and the rect's width.
TigerVNC · Jul 30, 2024 · e2a8cd0 · e2a8cd0
1 parent 4f6a352
commit e2a8cd0
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/common/rfb/H264LibavDecoderContext.cxx b/common/rfb/H264LibavDecoderContext.cxx
@@ -222,9 +222,9 @@ void H264LibavDecoderContext::decode(const uint8_t* h264_in_buffer,
 
   int stride;
   pb->getBuffer(rect, &stride);
-  int dst_linesize = stride * pb->getPF().bpp/8;  // stride is in pixels, linesize is in bytes (stride x4). We need bytes
+  int dst_linesize = rect.width() * pb->getPF().bpp / 8;
 
   sws_scale(sws, frame->data, frame->linesize, 0, frame->height, &swsBuffer, &dst_linesize);
 
-  pb->imageRect(rect, swsBuffer, stride);
+  pb->imageRect(rect, swsBuffer);
 }