diff options
author | Vincent Sanders <vince@kyllikki.org> | 2016-08-13 21:14:38 +0100 |
---|---|---|
committer | Vincent Sanders <vince@kyllikki.org> | 2016-08-13 21:14:38 +0100 |
commit | 6dadfdcac3331d8f0a56342b973c59872f954e3c (patch) | |
tree | 9a11a9cfd68f5c64b2ef2b5c26968eb0b81e78db | |
parent | f04838b04eda130197c66a5ccccd9b4420557b95 (diff) | |
download | libnsbmp-6dadfdcac3331d8f0a56342b973c59872f954e3c.tar.gz libnsbmp-6dadfdcac3331d8f0a56342b973c59872f954e3c.tar.bz2 |
fix bounds checking in RLE decode
-rw-r--r-- | src/libnsbmp.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/src/libnsbmp.c b/src/libnsbmp.c index d4e4b08..dc73d94 100644 --- a/src/libnsbmp.c +++ b/src/libnsbmp.c @@ -932,7 +932,8 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data, int bytes, int s /* 00 - 00 means end of scanline */ x = 0; if (last_y == y) { - if (++y > bmp->height) + y++; + if (y >= bmp->height) return BMP_DATA_ERROR; } last_y = y; @@ -972,7 +973,8 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data, int bytes, int s uint32_t idx = (uint32_t) *data++; if (x >= bmp->width) { x = 0; - if (++y > bmp->height) + y++; + if (y >= bmp->height) return BMP_DATA_ERROR; scanline -= bmp->width; } @@ -984,7 +986,8 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data, int bytes, int s for (i = 0; i < length; i++) { if (x >= bmp->width) { x = 0; - if (++y > bmp->height) + y++; + if (y >= bmp->height) return BMP_DATA_ERROR; scanline -= bmp->width; } @@ -1034,7 +1037,8 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data, int bytes, int s for (i = 0; i < length; i++) { if (x >= bmp->width) { x = 0; - if (++y > bmp->height) + y++; + if (y >= bmp->height) return BMP_DATA_ERROR; scanline -= bmp->width; } @@ -1050,7 +1054,8 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data, int bytes, int s for (i = 0; i < length; i++) { if (x >= bmp->width) { x = 0; - if (++y > bmp->height) + y++; + if (y >= bmp->height) return BMP_DATA_ERROR; scanline -= bmp->width; } |