author | John-Mark Bell <jmb@netsurf-browser.org> | 2015-11-20 03:03:36 +0000 |
---|---|---|
committer | John-Mark Bell <jmb@netsurf-browser.org> | 2015-11-20 14:14:09 +0000 |
commit | 49427b52ba41a1813e3822301612e2e170107efd (patch) | |
tree | fbb18262f65f0a007658c8883a9f4682b26b86bd | |
parent | 52940fdee6ca54c556cc064974949ba18c30472f (diff) | |
Fix pixels_left calculation in RLE decoding.
Additionally, improve input data range check for RLE4
absolute mode.
Issue-reported-by: Hans Jerry Illikainen
-rw-r--r-- | src/libnsbmp.c | 11 | ||||
-rw-r--r-- | test/bmpsuite/rleof.bmp | bin | 0 -> 157 bytes |
2 files changed, 6 insertions, 5 deletions
diff --git a/src/libnsbmp.c b/src/libnsbmp.c
index d432aeb..64aed18 100644
--- a/src/libnsbmp.c
+++ b/src/libnsbmp.c
@@ -997,15 +997,16 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data, int bytes, int s
 } else {
 /* 00 - NN means escape NN pixels */
 if (bmp->reversed) {
- pixels_left = (y + 1) * bmp->width - x;
+ pixels_left = (bmp->height - y) * bmp->width - x;
 scanline = (void *)(top + (y * swidth));
 } else {
- pixels_left = (bmp->height - y + 1) * bmp->width - x;
+ pixels_left = (y + 1) * bmp->width - x;
 scanline = (void *)(bottom - (y * swidth));
 }
 if (length > pixels_left)
 length = pixels_left;
- if (data + length > end)
+ if ((size == 4 && data + ((length + 1) / 2) > end) ||
+ (size == 8 && data + length > end))
 return BMP_INSUFFICIENT_DATA;
 /* the following code could be easily optimised by simply
@@ -1047,10 +1048,10 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data, int bytes, int s
 } else {
 /* NN means perform RLE for NN pixels */
 if (bmp->reversed) {
- pixels_left = (y + 1) * bmp->width - x;
+ pixels_left = (bmp->height - y) * bmp->width - x;
 scanline = (void *)(top + (y * swidth));
 } else {
- pixels_left = (bmp->height - y + 1) * bmp->width - x;
+ pixels_left = (y + 1) * bmp->width - x;
 scanline = (void *)(bottom - (y * swidth));
 }
 if (length > pixels_left)
diff --git a/test/bmpsuite/rleof.bmp b/test/bmpsuite/rleof.bmp
Binary files differ
new file mode 100644
index 0000000..05807f3
--- /dev/null
+++ b/test/bmpsuite/rleof.bmp |
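Review bot: The new input check in the `@@ -997` hunk fires only when `size` is exactly 4 or 8, so any other value would reach the absolute-mode copy with no check on the remaining input at all. It also forms `data + length` before comparing, which is undefined once the result lies more than one element past the buffer. Computing the byte count first and comparing it with the space left fails closed: `need = (size == 4) ? (length + 1) / 2 : length;` then `if ((size_t)(end - data) < need) return BMP_INSUFFICIENT_DATA;` (the types of `length` and `end` are declared outside the hunk, so the cast may need adjusting). A short comment such as `/* RLE4 packs two pixels per byte, so round the byte count up */` would explain the `(length + 1) / 2`. The body of `bmp_decode_rle` starts and ends outside the hunk.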
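Review bot: The corrected `pixels_left`/`scanline` pair in the `@@ -1047` hunk is a second copy of the one fixed in the `@@ -997` hunk, and nothing in the code ties the two together. `pixels_left` is the clamp applied to `length` and presumably bounds the writes made through `scanline`, so the two copies drifting apart again would be a memory-safety problem rather than a cosmetic one. I would put a comment above each copy, for example `/* pixels_left clamps length for the writes through scanline; keep identical to the other RLE branch */`, or move the computation into one static helper. The product `(bmp->height - y) * bmp->width` is evaluated in whatever type those fields have, which the hunk does not show; if they are 32-bit values taken from the file header, it is worth confirming the multiply cannot wrap. The function continues outside the hunk.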