authorSean Fox <dyntryx@gmail.com>2009-01-24 08:42:52 +0000
committerSean Fox <dyntryx@gmail.com>2009-01-24 08:42:52 +0000
commit45968abbfb5060f56cfcd19e9d82afc4797b9455 (patch)
tree4997c686361c41204249ac7e5c4498c90059958e
parentf3be3ae4dbbe09576b66a30322b61a40e0119cab (diff)
Add a few more boundary checks.
svn path=/trunk/libnsbmp/; revision=6219
-rw-r--r--libnsbmp.c17
1 files changed, 14 insertions, 3 deletions
diff --git a/libnsbmp.c b/libnsbmp.c
index 6437139..6dd2107 100644
--- a/libnsbmp.c
+++ b/libnsbmp.c
@@ -730,6 +730,8 @@ static bmp_result bmp_decode_rgb24(bmp_image *bmp, uint8_t **start, int bytes) {
/* Determine transparent index */
if (bmp->limited_trans) {
+ if ((data + skip) > end)
+ return BMP_INSUFFICIENT_DATA;
if (bmp->encoding == BMP_ENCODING_BITFIELDS)
bmp->transparent_index = read_uint32(data, 0);
else
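Review bot: The new guard `if ((data + skip) > end)` checks `skip` bytes, but the BITFIELDS branch directly below reads a 32-bit value with `read_uint32(data, 0)`. If `skip` can be 3 while the encoding is BITFIELDS (its assignment is outside the hunk, so this is unconfirmed), that read goes one byte past what was checked. Checking the width actually read is safer, for example `if ((end - data) < 4) return BMP_INSUFFICIENT_DATA;` in the BITFIELDS branch and the `skip`-sized check in the other. The else branch and the rest of bmp_decode_rgb24 lie outside the hunk.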
@@ -739,6 +741,8 @@ static bmp_result bmp_decode_rgb24(bmp_image *bmp, uint8_t **start, int bytes) {
for (y = 0; y < bmp->height; y++) {
while (addr != (((intptr_t)data) & 3))
data++;
+ if ((data + (skip * bmp->width)) > end)
+ return BMP_INSUFFICIENT_DATA;
if (bmp->reversed)
scanline = (uint32_t *)(top + (y * swidth));
else
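Review bot: The row check `(data + (skip * bmp->width)) > end` can be defeated by a very large width, which presumably comes from the image header. The product `skip * bmp->width` may overflow, and forming a pointer far beyond `end` is undefined, so the comparison can pass when the row does not fit. Comparing against the remaining bytes avoids both: `if (data > end || (uint64_t)(end - data) < (uint64_t)skip * (uint64_t)bmp->width) return BMP_INSUFFICIENT_DATA;`. The types of `skip` and `bmp->width` are declared outside the hunk, so confirm that the casts suit them. The same pattern appears in the added `(data + skip) > end` check in the first hunk and in the `(data + (2 * bmp->width)) > end` context line in bmp_decode_rgb16.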
@@ -754,7 +758,7 @@ static bmp_result bmp_decode_rgb24(bmp_image *bmp, uint8_t **start, int bytes) {
/* 32-bit BMPs have alpha masks, but sometimes they're not utilized */
if (bmp->opaque)
scanline[x] |= (0xff << 24);
- data += 4;
+ data += skip;
}
} else {
for (x = 0; x < bmp->width; x++) {
@@ -799,11 +803,14 @@ static bmp_result bmp_decode_rgb16(bmp_image *bmp, uint8_t **start, int bytes) {
bmp->decoded = true;
/* Determine transparent index */
- if (bmp->limited_trans)
+ if (bmp->limited_trans) {
+ if ((data + 2) > end)
+ return BMP_INSUFFICIENT_DATA;
bmp->transparent_index = read_uint16(data, 0);
+ }
for (y = 0; y < bmp->height; y++) {
- if (addr != (((intptr_t)data) & 3))
+ while (addr != (((intptr_t)data) & 3))
data += 2;
if ((data + (2 * bmp->width)) > end)
return BMP_INSUFFICIENT_DATA;
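Review bot: Changing the alignment step from `if` to `while` makes termination depend on `addr` and `data` sharing the same low bit, because `data += 2` never changes parity. `addr` is set outside the hunk, so this cannot be confirmed here. If the two ever differ, the loop walks past `end` and the row check below it is never reached. Bounding the loop keeps that check reachable: `while (addr != (((intptr_t)data) & 3) && data < end)`. If the parity invariant does hold, say so in a comment such as `/* addr and data share parity, so this takes at most one step */`.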
@@ -1067,6 +1074,10 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data, int bytes, int s
}
if (length > pixels_left)
length = pixels_left;
+
+ /* boundary checking */
+ if (data + 1 > end)
+ return BMP_INSUFFICIENT_DATA;
/* the following code could be easily optimised by simply
* checking the bounds on entry and using some simply copying