Makes sense to me. Robert Wilhelm's patch for 1876 CVS: ---------------------------------------------------------------------- CVS: Enter Log. Lines beginning with `CVS:' are removed automatically CVS: CVS: Committing in . CVS: CVS: Modified Files: CVS: src/wp/impexp/xp/ie_impGraphic_BMP.cpp CVS: ----------------------------------------------------------------------
On Fri, 4 Jan 2002, Robert Wilhelm wrote: > In this dokument we load a pic with m_iWidth=182 > and m_iBitsPerPlane 24, > resulting in row_width 3*182 = 546. > > The old code then rounded to next multiple of 4, that is 548, > but was later accesing row_transformed_data[548] resulting in > memory corruption. > > IMHO the right fix is to round to next multiple of 3 instead. > > [robert@gaston xp]$ cvs diff ie_impGraphic_BMP.cpp > Index: ie_impGraphic_BMP.cpp > =================================================================== > RCS file: /cvsroot/abi/src/wp/impexp/xp/ie_impGraphic_BMP.cpp,v > retrieving revision 1.10 > diff -u -r1.10 ie_impGraphic_BMP.cpp > --- ie_impGraphic_BMP.cpp 2001/11/12 15:36:56 1.10 > +++ ie_impGraphic_BMP.cpp 2002/01/03 23:13:11 > @@ -320,7 +320,7 @@ > UT_uint32 col; > UT_uint32 position; > UT_uint32 row_width = m_iWidth * m_iBitsPerPlane / 8; > - while ((row_width & 3) != 0) row_width++; > + while ((row_width % 3) != 0) row_width++; > UT_Byte* row_transformed_data = new UT_Byte[row_width]; > > switch (m_iBitsPerPlane) > > >
