cpp/openttd-patchpack/source Changeset - r18046:e4ca03db3952

Changeset - r18046:e4ca03db3952

Parent rev.

Child rev.

[Not reviewed]

master

0 1 0

michi_cc - 13 years ago 2011-09-02 20:16:23
michi_cc@openttd.org

(svn r22871) -Fix [FS#4746]: Perform stricter checks on RLE compressed BMP images. (monoid)

1 file changed with 9 insertions and 4 deletions:

src/bmp.cpp

0 comments (0 inline, 0 general)

src/bmp.cpp

➞

Show inline comments

@@ @@ -143,6 +143,7 @@ static inline bool BmpRead4Rle(BmpBuffer @@
 			switch (c) {
 			case 0: // end of line
 				x = 0;
 				if (y == 0) return false;
 				pixel = &data->bitmap[--y * info->width];
 				break;
 			case 1: // end of bitmap
@@ @@ -153,7 +154,7 @@ static inline bool BmpRead4Rle(BmpBuffer @@
 			case 2: // delta
 				x += ReadByte(buffer);
 				i = ReadByte(buffer);
-				if (x >= info->width || (y == 0 && i > 0)) return false;
+				if (x >= info->width || i > y) return false;
 				y -= i;
 				pixel = &data->bitmap[y * info->width + x];
 				break;
@@ @@ -226,6 +227,7 @@ static inline bool BmpRead8Rle(BmpBuffer @@
 			switch (c) {
 			case 0: // end of line
 				x = 0;
 				if (y == 0) return false;
 				pixel = &data->bitmap[--y * info->width];
 				break;
 			case 1: // end of bitmap
@@ @@ -236,13 +238,16 @@ static inline bool BmpRead8Rle(BmpBuffer @@
 			case 2: // delta
 				x += ReadByte(buffer);
 				i = ReadByte(buffer);
-				if (x >= info->width || (y == 0 && i > 0)) return false;
+				if (x >= info->width || i > y) return false;
 				y -= i;
 				pixel = &data->bitmap[y * info->width + x];
 				break;
 			default: // uncompressed
 				if ((x += c) > info->width) return false;
 				for (i = 0; i < c; i++) *pixel++ = ReadByte(buffer);
 				for (i = 0; i < c; i++) {
 					if (EndOfBuffer(buffer) || x >= info->width) return false;
 					*pixel++ = ReadByte(buffer);
 					x++;
+				}
 				/* Padding for 16 bit align */
 				SkipBytes(buffer, c % 2);
 				break;

0 comments (0 inline, 0 general)