From 49427b52ba41a1813e3822301612e2e170107efd Mon Sep 17 00:00:00 2001
From: John-Mark Bell
Date: Fri, 20 Nov 2015 03:03:36 +0000
Subject: Fix pixels_left calculation in RLE decoding.

Additionally, improve input data range check for RLE4 absolute mode.

Issue-reported-by: Hans Jerry Illikainen
---
 src/libnsbmp.c | 11 ++++++-----
 test/bmpsuite/rleof.bmp | Bin 0 -> 157 bytes
 2 files changed, 6 insertions(+), 5 deletions(-)
 create mode 100644 test/bmpsuite/rleof.bmp

diff --git a/src/libnsbmp.c b/src/libnsbmp.c
index d432aeb..64aed18 100644
--- a/src/libnsbmp.c
+++ b/src/libnsbmp.c
@@ -997,15 +997,16 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data, int bytes, int s
 } else {
 /* 00 - NN means escape NN pixels */
 if (bmp->reversed) {
- pixels_left = (y + 1) * bmp->width - x;
+ pixels_left = (bmp->height - y) * bmp->width - x;
 scanline = (void *)(top + (y * swidth));
 } else {
- pixels_left = (bmp->height - y + 1) * bmp->width - x;
+ pixels_left = (y + 1) * bmp->width - x;
 scanline = (void *)(bottom - (y * swidth));
 }
 if (length > pixels_left)
 length = pixels_left;
- if (data + length > end)
+ if ((size == 4 && data + ((length + 1) / 2) > end) ||
+ (size == 8 && data + length > end))
 return BMP_INSUFFICIENT_DATA;
 
 /* the following code could be easily optimised by simply
@@ -1047,10 +1048,10 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data, int bytes, int s
 } else {
 /* NN means perform RLE for NN pixels */
 if (bmp->reversed) {
- pixels_left = (y + 1) * bmp->width - x;
+ pixels_left = (bmp->height - y) * bmp->width - x;
 scanline = (void *)(top + (y * swidth));
 } else {
- pixels_left = (bmp->height - y + 1) * bmp->width - x;
+ pixels_left = (y + 1) * bmp->width - x;
 scanline = (void *)(bottom - (y * swidth));
 }
 if (length > pixels_left)
diff --git a/test/bmpsuite/rleof.bmp b/test/bmpsuite/rleof.bmp
new file mode 100644
index 0000000..05807f3
Binary files /dev/null and b/test/bmpsuite/rleof.bmp differ
-- 
cgit v1.2.1
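Review bot: The corrected pixels_left in the escape branch can still be zero or negative when y has already reached bmp->height in the reversed case (the non-reversed form goes negative only for y < 0), and `if (length > pixels_left) length = pixels_left;` then clamps length to a non-positive value that the following copy loop receives; the RLE-run branch in the second hunk has the same shape. Whether that loop tolerates length <= 0 is not visible here, so an explicit guard right after the computation, `if (pixels_left <= 0) return BMP_INSUFFICIENT_DATA;`, would pin the bound rather than rely on the loop. The added range check also forms `data + ((length + 1) / 2)` and `data + length` before comparing against end, which is pointer arithmetic beyond the buffer on short input; comparing the remaining byte count instead, `(end - data) < (length + 1) / 2`, stays within the object, and a size other than 4 or 8 currently bypasses the check altogether, so an `else return BMP_DATA_ERROR`-style branch (using whatever error code the file already defines) would close that gap. bmp_decode_rle begins and ends outside both hunks.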