$OpenBSD: patch-modules_codec_cdg_c,v 1.2 2011/04/12 22:40:20 sthen Exp $

Fix multiple heap-based buffer overflows. CVE-2011-0021

--- modules/codec/cdg.c.orig	Wed Jan 12 22:04:27 2011
+++ modules/codec/cdg.c	Wed Jan 12 22:06:35 2011
@@ -255,7 +255,13 @@ static int DecodeTileBlock( decoder_sys_t *p_cdg, cons
         for( x = 0; x < 6; x++ )
         {
             const int idx = ( p_data[4+y] >> (5-x) ) & 0x01;
-            uint8_t *p = &p_cdg->p_screen[(sy+y)*CDG_SCREEN_PITCH+(sx+x)];
+
+            int index = (sy+y)*CDG_SCREEN_PITCH+(sx+x);
+            if( index >= CDG_SCREEN_PITCH*CDG_SCREEN_HEIGHT )
+                return 0;
+
+            uint8_t *p = &p_cdg->p_screen[index];
+
             if( doXor )
                 *p ^= p_color[idx];
             else
@@ -320,8 +326,8 @@ static int DecodeScroll( decoder_sys_t *p_cdg, const u
 
             if( b_copy )
             {
-                dy = ( dy + CDG_SCREEN_HEIGHT ) % CDG_SCREEN_HEIGHT;
-                dy = ( dy + CDG_SCREEN_WIDTH  ) % CDG_SCREEN_WIDTH;
+                dy %= CDG_SCREEN_HEIGHT;
+                dx %= CDG_SCREEN_WIDTH;
             }
             else
             {
