AtlasEngine: Fix out-of-bounds row access in PaintCursor (#20269) #20363
Closed
yuu61 wants to merge 1 commit into
Conversation
…0269)

PaintCursor indexed _p.rows[options.coordCursor.y] without clamping the row index. coordCursor.y is relative to the renderer's viewport, which can momentarily disagree with AtlasEngine's own viewport (_p.s->viewportCellCount.y, the size of _p.rows) when the viewport dimensions change. When the renderer's viewport is taller than AtlasEngine's current one, Renderer::_PaintCursor still treats the cursor as in-viewport and calls PaintCursor, but coordCursor.y can exceed _p.rows.size(), causing an out-of-bounds read and an access violation.

Clamp the row index to [0, viewportCellCount.y - 1] before indexing _p.rows, matching every other Paint*() method in this file. The _p.rows slots always point into _p.unorderedRows, so any in-bounds index yields a valid ShapedRow*. Only the lookup index is clamped; top/bottom keep their raw values so cursorRect still collapses to empty when the cursor is genuinely outside the viewport.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
1507a6d to 2ee40c8
Member:
I would rather understand why the backing buffer is not being resized under the same lock as the cursor move. Fixing a symptom is not fixing the problem.
This was referenced Jun 26, 2026
Summary of the Pull Request
`AtlasEngine::PaintCursor` indexes `_p.rows[options.coordCursor.y]` without clamping the row index. `coordCursor.y` is relative to the renderer's viewport, which can momentarily disagree with AtlasEngine's own viewport (`_p.s->viewportCellCount.y`, the size of `_p.rows`) when the viewport dimensions change. When the renderer's viewport is taller than AtlasEngine's current one, `Renderer::_PaintCursor` still treats the cursor as in-viewport and calls `PaintCursor`, but `coordCursor.y` can exceed `_p.rows.size()`, causing an out-of-bounds read and an access violation.

Every other method in this file that indexes `_p.rows` from an external coordinate already clamps it to `[0, viewportCellCount.y - 1]` first (`PrepareLineTransform`, `PaintBufferLine`, `PaintBufferGridLines`, `PaintImageSlice`). This makes `PaintCursor` consistent with them.

References and Relevant Issues
Fixes #20269
Detailed Description of the Pull Request / Additional comments
- `_p.rows` slots always point into `_p.unorderedRows` (set up in `_recreateCellCountDependentResources`), so any in-bounds index yields a valid `ShapedRow*`. Clamping the index therefore fully eliminates the out-of-bounds access — there is no remaining in-bounds-dangling case to guard against.
- Only the `_p.rows` lookup is clamped. `top`/`bottom` keep their raw values, so when the cursor is genuinely outside AtlasEngine's current viewport, `cursorRect` still collapses to an empty rect (`bottom <= top` ⇒ `til::rect::operator bool()` is `false`) and nothing is drawn — no behavioral change for the in-viewport case.

Validation Steps Performed

- `AtlasEngine::PaintCursor` reading `_p.rows[<index>]` with an out-of-range index (`index = 77` in one dump), matching the disassembly already posted in AtlasEngine::PaintCursor crashes #20269.
- `src/renderer/atlas/atlas.vcxproj` (Debug | x64) locally with the change: compiles cleanly, 0 warnings / 0 errors.
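The failure mode and the fix described above, as an added stand-alone example; this is not Windows Terminal code and not the PR's diff. It models only the pieces the discussion relies on: an engine whose `rows` table is an array of `ShapedRow*` pointing into `unorderedRows` and sized to the engine's own viewport height, and a caller that passes a cursor coordinate relative to a taller renderer viewport. The `Engine`, `CellRect`, `CursorPaint`, `recreateRows`, `cursorRectFor` and `paintCursor*` names, the 24-row/80-row sizes and the rect-intersection logic are assumptions made for the example; only the clamp-the-index-but-not-the-rect behaviour is taken from the PR text.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Added example (not Windows Terminal code). Field and function names other than
// rows, unorderedRows, viewportCellCount and PaintCursor are assumptions.

struct ShapedRow {
    int index = 0;  // which row this slot represents, used only by the checks below
};

struct Engine {
    std::vector<ShapedRow> unorderedRows;  // owns the rows
    std::vector<ShapedRow*> rows;          // indirection table, size == viewportCellCountY
    int viewportCellCountX = 0;
    int viewportCellCountY = 0;
};

// Rebuild the row tables for a new cell count. As the PR describes for
// _recreateCellCountDependentResources, every slot in rows points into unorderedRows,
// so any in-bounds index yields a valid ShapedRow*.
void recreateRows(Engine& e, int cellsX, int cellsY) {
    e.viewportCellCountX = cellsX;
    e.viewportCellCountY = cellsY;
    e.unorderedRows.assign(static_cast<size_t>(cellsY), ShapedRow{});
    e.rows.resize(static_cast<size_t>(cellsY));
    for (int y = 0; y < cellsY; ++y) {
        e.unorderedRows[static_cast<size_t>(y)].index = y;
        e.rows[static_cast<size_t>(y)] = &e.unorderedRows[static_cast<size_t>(y)];
    }
}

struct CellRect {
    int left = 0, top = 0, right = 0, bottom = 0;
    // Mirrors the til::rect::operator bool rule quoted in the PR: empty when bottom <= top.
    explicit operator bool() const { return right > left && bottom > top; }
};

struct CursorPaint {
    CellRect cursorRect;        // empty when the cursor lies outside the engine's viewport
    const ShapedRow* row;       // row the cursor code would consult; nullptr if the lookup was invalid
};

// Cursor rectangle from the *raw* coordinate, intersected with the engine's viewport
// (assumed model). A cursor at or below viewportCellCountY therefore collapses to empty.
CellRect cursorRectFor(const Engine& e, int cursorX, int cursorY, int cursorWidth) {
    CellRect r{cursorX, cursorY, cursorX + cursorWidth, cursorY + 1};
    r.left = std::max(r.left, 0);
    r.top = std::max(r.top, 0);
    r.right = std::min(r.right, e.viewportCellCountX);
    r.bottom = std::min(r.bottom, e.viewportCellCountY);
    return r;
}

// "Before": the lookup uses the renderer's coordinate unchecked. Rather than actually
// dereferencing past the end, this version reports the bad index as nullptr so the
// example can demonstrate the condition without an access violation.
CursorPaint paintCursorUnclamped(const Engine& e, int cursorX, int cursorY) {
    CursorPaint out{cursorRectFor(e, cursorX, cursorY, 1), nullptr};
    if (cursorY >= 0 && static_cast<size_t>(cursorY) < e.rows.size()) {
        out.row = e.rows[static_cast<size_t>(cursorY)];
    }
    return out;
}

// "After": the lookup index is clamped to [0, viewportCellCountY - 1] like the other
// Paint*() methods, while cursorRect still uses the raw coordinate. The empty-table
// guard is an addition for this example: std::clamp with hi < lo is undefined.
CursorPaint paintCursorClamped(const Engine& e, int cursorX, int cursorY) {
    CursorPaint out{cursorRectFor(e, cursorX, cursorY, 1), nullptr};
    if (e.rows.empty()) {
        return out;
    }
    const int rowIndex = std::clamp(cursorY, 0, e.viewportCellCountY - 1);
    out.row = e.rows[static_cast<size_t>(rowIndex)];
    return out;
}

struct Scenario {
    bool unclampedWouldReadOutOfBounds;
    bool clampedRowValid;
    bool clampedRectEmpty;
    int clampedRowIndex;
};

// Constructed scenario matching the report: the engine has just shrunk to 24 rows while
// the renderer still believes the viewport is 80 rows tall and places the cursor at
// row 77 (the out-of-range index quoted from one crash dump).
Scenario runResizeScenario() {
    Engine e;
    recreateRows(e, 120, 24);
    const CursorPaint before = paintCursorUnclamped(e, 5, 77);
    const CursorPaint after = paintCursorClamped(e, 5, 77);
    return Scenario{
        before.row == nullptr,                 // 77 >= rows.size(): would have been an OOB read
        after.row != nullptr,                  // clamped lookup lands on a real ShapedRow
        !static_cast<bool>(after.cursorRect),  // nothing is drawn for a cursor outside the viewport
        after.row ? after.row->index : -1,     // 23, the last row of the engine's viewport
    };
}

// In-viewport cursors are unaffected: same row and same non-empty rect before and after.
bool inViewportUnchanged() {
    Engine e;
    recreateRows(e, 120, 24);
    const CursorPaint before = paintCursorUnclamped(e, 10, 12);
    const CursorPaint after = paintCursorClamped(e, 10, 12);
    return before.row == after.row && before.row != nullptr && before.row->index == 12 &&
           static_cast<bool>(before.cursorRect) && static_cast<bool>(after.cursorRect);
}
```

The split between the two values is the point the reviewer comment on this thread is probing: clamping makes the lookup memory-safe, but it does so by silently reading the last row for a cursor that is not in the engine's viewport at all, which is why the rect, not the index, must be what decides whether anything is drawn. It also says nothing about why the renderer's and the engine's viewports disagree in the first place.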