authorJohn-Mark Bell <jmb@netsurf-browser.org>2015-11-20 03:03:36 (GMT)
committer John-Mark Bell <jmb@netsurf-browser.org>2015-11-20 14:14:09 (GMT)
commit49427b52ba41a1813e3822301612e2e170107efd (patch)
treefbb18262f65f0a007658c8883a9f4682b26b86bd
parent52940fdee6ca54c556cc064974949ba18c30472f (diff)
downloadlibnsbmp-49427b52ba41a1813e3822301612e2e170107efd.tar.gz
libnsbmp-49427b52ba41a1813e3822301612e2e170107efd.tar.bz2
Fix pixels_left calculation in RLE decoding.
Additionally, improve input data range check for RLE4 absolute mode. Issue-reported-by: Hans Jerry Illikainen
-rw-r--r--src/libnsbmp.c11
-rw-r--r--test/bmpsuite/rleof.bmpbin0 -> 157 bytes
2 files changed, 6 insertions, 5 deletions
diff --git a/src/libnsbmp.c b/src/libnsbmp.c
index d432aeb..64aed18 100644
--- a/src/libnsbmp.c
+++ b/src/libnsbmp.c
@@ -997,15 +997,16 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data, int bytes, int s
} else {
/* 00 - NN means escape NN pixels */
if (bmp->reversed) {
- pixels_left = (y + 1) * bmp->width - x;
+ pixels_left = (bmp->height - y) * bmp->width - x;
scanline = (void *)(top + (y * swidth));
} else {
- pixels_left = (bmp->height - y + 1) * bmp->width - x;
+ pixels_left = (y + 1) * bmp->width - x;
scanline = (void *)(bottom - (y * swidth));
}
if (length > pixels_left)
length = pixels_left;
- if (data + length > end)
+ if ((size == 4 && data + ((length + 1) / 2) > end) ||
+ (size == 8 && data + length > end))
return BMP_INSUFFICIENT_DATA;
/* the following code could be easily optimised by simply
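Review bot: The new range check in the absolute-mode branch still forms `data + length` (or `data + ((length + 1) / 2)`) before comparing it with `end`, and a pointer more than one past the end of the input buffer is undefined behaviour even if it is never dereferenced. Comparing byte counts avoids that: `if ((size == 4 && (length + 1) / 2 > (size_t)(end - data)) || (size == 8 && length > (size_t)(end - data)))`. Any `size` other than 4 or 8 skips the check entirely; callers presumably pass only those two values, but a comment or assertion would make that explicit. Absolute runs are padded to a 16-bit boundary in the BMP format, and the code that consumes the padding byte lies outside this hunk, as does the rest of bmp_decode_rle, so it is worth confirming that byte is covered by a bounds check too.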
@@ -1047,10 +1048,10 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data, int bytes, int s
} else {
/* NN means perform RLE for NN pixels */
if (bmp->reversed) {
- pixels_left = (y + 1) * bmp->width - x;
+ pixels_left = (bmp->height - y) * bmp->width - x;
scanline = (void *)(top + (y * swidth));
} else {
- pixels_left = (bmp->height - y + 1) * bmp->width - x;
+ pixels_left = (y + 1) * bmp->width - x;
scanline = (void *)(bottom - (y * swidth));
}
if (length > pixels_left)
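Review bot: The corrected `pixels_left` expressions in this encoded-run branch are an exact copy of the ones in the absolute-mode branch in the hunk at -997, and that duplication is how the same mistake came to exist in both places. A small static helper taking `bmp`, `x` and `y` would keep the two in step. A comment such as `/* pixels remaining from (x, y) to the end of the bitmap in decode order */` would help, together with a note on which row `y == 0` refers to in each orientation, since the formulas cannot be checked from the hunk without that convention. The hunk does not show the types of `width` and `height` or whether dimensions are bounded before decoding, so it is worth confirming the product cannot wrap and leave the clamp on `length` ineffective. bmp_decode_rle starts and ends outside the hunk.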
diff --git a/test/bmpsuite/rleof.bmp b/test/bmpsuite/rleof.bmp
new file mode 100644
index 0000000..05807f3
--- a/dev/null
+++ b/test/bmpsuite/rleof.bmp
Binary files differ