From 7ba3ea913f550426aea519752b7f982eebbcaf64 Mon Sep 17 00:00:00 2001 From: Antony Lee Date: Thu, 6 Jun 2019 11:40:34 +0200 Subject: [PATCH] Fix out of bounds read in backend_tk. Really, we should specify somewhere how rounding of bboxes passed to blit() (and to copy_from_bbox()) works, but at least this patch will avoid out-of-bounds reads in the tk blit. --- lib/matplotlib/backends/_backend_tk.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/lib/matplotlib/backends/_backend_tk.py b/lib/matplotlib/backends/_backend_tk.py index cee3c3ca6bd2..6d41a547ec3f 100644 --- a/lib/matplotlib/backends/_backend_tk.py +++ b/lib/matplotlib/backends/_backend_tk.py @@ -67,8 +67,11 @@ def blit(photoimage, aggimage, offsets, bbox=None): dataptr = (height, width, data.ctypes.data) if bbox is not None: (x1, y1), (x2, y2) = bbox.__array__() - bboxptr = (math.floor(x1), math.ceil(x2), - math.floor(y1), math.ceil(y2)) + x1 = max(math.floor(x1), 0) + x2 = min(math.ceil(x2), width) + y1 = max(math.floor(y1), 0) + y2 = min(math.ceil(y2), height) + bboxptr = (x1, x2, y1, y2) else: photoimage.blank() bboxptr = (0, width, 0, height)