From 6dadfdcac3331d8f0a56342b973c59872f954e3c Mon Sep 17 00:00:00 2001
From: Vincent Sanders
Date: Sat, 13 Aug 2016 21:14:38 +0100
Subject: fix bounds checking in RLE decode

---
 src/libnsbmp.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
(limited to 'src')

diff --git a/src/libnsbmp.c b/src/libnsbmp.c
index d4e4b08..dc73d94 100644
--- a/src/libnsbmp.c
+++ b/src/libnsbmp.c
@@ -932,7 +932,8 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data, int bytes, int s
 /* 00 - 00 means end of scanline */
 x = 0;
 if (last_y == y) {
- if (++y > bmp->height)
+ y++;
+ if (y >= bmp->height)
 return BMP_DATA_ERROR;
 }
 last_y = y;
@@ -972,7 +973,8 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data, int bytes, int s
 uint32_t idx = (uint32_t) *data++;
 if (x >= bmp->width) {
 x = 0;
- if (++y > bmp->height)
+ y++;
+ if (y >= bmp->height)
 return BMP_DATA_ERROR;
 scanline -= bmp->width;
 }
@@ -984,7 +986,8 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data, int bytes, int s
 for (i = 0; i < length; i++) {
 if (x >= bmp->width) {
 x = 0;
- if (++y > bmp->height)
+ y++;
+ if (y >= bmp->height)
 return BMP_DATA_ERROR;
 scanline -= bmp->width;
 }
@@ -1034,7 +1037,8 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data, int bytes, int s
 for (i = 0; i < length; i++) {
 if (x >= bmp->width) {
 x = 0;
- if (++y > bmp->height)
+ y++;
+ if (y >= bmp->height)
 return BMP_DATA_ERROR;
 scanline -= bmp->width;
 }
@@ -1050,7 +1054,8 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data, int bytes, int s
 for (i = 0; i < length; i++) {
 if (x >= bmp->width) {
 x = 0;
- if (++y > bmp->height)
+ y++;
+ if (y >= bmp->height)
 return BMP_DATA_ERROR;
 scanline -= bmp->width;
 }
--
cgit v1.2.3
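Review bot: The corrected row-advance guard (`y++; if (y >= bmp->height) return BMP_DATA_ERROR;`) is now copied verbatim into all five hunks of bmp_decode_rle — the end-of-scanline branch at line 932 and the four `x >= bmp->width` wraps at lines 973, 986, 1037 and 1054 — which is exactly how the previous off-by-one lived in five places at once; a single static helper that advances the row and reports whether it is still inside the image, called as `if (!bmp_rle_next_row(bmp, &y)) return BMP_DATA_ERROR;`, would keep this bound in one spot (the helper is a few lines: increment `*y`, compare with `bmp->height`, return the result). One behavioural edge is worth confirming rather than inferring from the hunk: in the first hunk the guard fires only when `last_y == y`, so an RLE stream that terminates a completely filled final row with the `00 00` end-of-line marker before the `00 01` end-of-bitmap marker would push `y` to `bmp->height` and now be rejected where the old `>` accepted it — whether such streams exist in practice cannot be told from these lines, so a conformance sample ending that way would settle it. bmp_decode_rle begins and ends outside all five hunks, and the declared types of `y` and `bmp->height` are not visible here.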