author | michi_cc <michi_cc@openttd.org> | 2011-09-02 20:16:23 +0000 |
---|---|---|
committer | michi_cc <michi_cc@openttd.org> | 2011-09-02 20:16:23 +0000 |
commit | 73624abd5e699077ab043ef03d7178a3ef0c4728 (patch) | |
tree | 13f9106a6fac171b5952f2e1aabdf9e7224d0af6 | |
parent | be818a5f9547868c7507b5e2936869bac1431511 (diff) | |
download | openttd-73624abd5e699077ab043ef03d7178a3ef0c4728.tar.xz |
(svn r22871) -Fix [FS#4746]: Perform stricter checks on RLE compressed BMP images. (monoid)
-rw-r--r-- | src/bmp.cpp | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/src/bmp.cpp b/src/bmp.cpp
index 2c85c768b..d39f6198e 100644
--- a/src/bmp.cpp
+++ b/src/bmp.cpp
@@ -143,6 +143,7 @@ static inline bool BmpRead4Rle(BmpBuffer *buffer, BmpInfo *info, BmpData *data)
 switch (c) {
 case 0: // end of line
 x = 0;
+ if (y == 0) return false;
 pixel = &data->bitmap[--y * info->width];
 break;
 case 1: // end of bitmap
@@ -153,7 +154,7 @@ static inline bool BmpRead4Rle(BmpBuffer *buffer, BmpInfo *info, BmpData *data)
 case 2: // delta
 x += ReadByte(buffer);
 i = ReadByte(buffer);
- if (x >= info->width || (y == 0 && i > 0)) return false;
+ if (x >= info->width || i > y) return false;
 y -= i;
 pixel = &data->bitmap[y * info->width + x];
 break;
@@ -226,6 +227,7 @@ static inline bool BmpRead8Rle(BmpBuffer *buffer, BmpInfo *info, BmpData *data)
 switch (c) {
 case 0: // end of line
 x = 0;
+ if (y == 0) return false;
 pixel = &data->bitmap[--y * info->width];
 break;
 case 1: // end of bitmap
@@ -236,13 +238,16 @@ static inline bool BmpRead8Rle(BmpBuffer *buffer, BmpInfo *info, BmpData *data)
 case 2: // delta
 x += ReadByte(buffer);
 i = ReadByte(buffer);
- if (x >= info->width || (y == 0 && i > 0)) return false;
+ if (x >= info->width || i > y) return false;
 y -= i;
 pixel = &data->bitmap[y * info->width + x];
 break;
 default: // uncompressed
- if ((x += c) > info->width) return false;
- for (i = 0; i < c; i++) *pixel++ = ReadByte(buffer);
+ for (i = 0; i < c; i++) {
+ if (EndOfBuffer(buffer) || x >= info->width) return false;
+ *pixel++ = ReadByte(buffer);
+ x++;
+ }
 /* Padding for 16 bit align */
 SkipBytes(buffer, c % 2);
 break; |
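Review bot: The added `if (y == 0) return false;` in the end-of-line case of BmpRead4Rle rejects the whole image when an end-of-line code follows the last row, even if the very next code is end-of-bitmap. Encoders commonly terminate every scanline that way, including the final one, so well-formed files may stop loading. Failing closed is the safe direction, but consider deferring the failure until a later code would actually write a pixel or move `y` again. At minimum document the choice with `// y == 0: no row left, --y would step below row 0 and index outside bitmap`. The same line is added to BmpRead8Rle in the third hunk, and the enclosing switch starts and ends outside this hunk.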
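Review bot: The two `ReadByte(buffer)` calls in the delta case run without an `EndOfBuffer(buffer)` check, unlike the uncompressed loop this commit adds to BmpRead8Rle. ReadByte is defined outside the diff, so if it returns a filler value on exhausted input, a truncated file would decode as a delta instead of being rejected; adding `if (EndOfBuffer(buffer)) return false;` before the first read would make the two paths consistent. The replacement test `i > y` deserves a comment such as `// i > y would take y -= i below row 0`. It is only correct if `i` and `y` compare without a sign conversion, and their declarations are outside the hunk. The same lines appear in BmpRead8Rle in the fourth hunk.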
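Review bot: The per-pixel `EndOfBuffer(buffer) || x >= info->width` guard is added only to the uncompressed case of BmpRead8Rle. The matching case in BmpRead4Rle, and the run-length branches of both decoders, are not in this diff, so check that each of them bounds `x` and the input buffer before every `*pixel++` write. The loop now writes pixels up to the row end before returning false where the old code rejected the run up front. That looks harmless if the caller discards the bitmap on failure, but say so in a comment such as `// checked per pixel: stop at the row end or at truncated input before each write`. The trailing `SkipBytes(buffer, c % 2)` is also unchecked against the end of the buffer, and SkipBytes is defined outside the hunk.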