Author: dynis
Date: Sat Jan 24 02:42:52 2009
New Revision: 6219

URL: http://source.netsurf-browser.org?rev=6219&view=rev
Log:
Add a few more boundary checks.

Modified:
    trunk/libnsbmp/libnsbmp.c

Modified: trunk/libnsbmp/libnsbmp.c
URL: 
http://source.netsurf-browser.org/trunk/libnsbmp/libnsbmp.c?rev=6219&r1=6218&r2=6219&view=diff
==============================================================================
--- trunk/libnsbmp/libnsbmp.c (original)
+++ trunk/libnsbmp/libnsbmp.c Sat Jan 24 02:42:52 2009
@@ -730,6 +730,8 @@
 
        /* Determine transparent index */
        if (bmp->limited_trans) {
+               if ((data + skip) > end)
+                       return BMP_INSUFFICIENT_DATA;
                if (bmp->encoding == BMP_ENCODING_BITFIELDS)
                        bmp->transparent_index = read_uint32(data, 0);
                else
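Review bot: The new guard `if ((data + skip) > end)` checks `skip` bytes, but the BMP_ENCODING_BITFIELDS branch directly below reads four bytes through `read_uint32(data, 0)`. `skip` is defined outside this hunk; if it can be less than 4 on this path, the read goes past `end` even though the check passed. Sizing the check to the read makes it exact, for example `if ((size_t)(end - data) < 4) return BMP_INSUFFICIENT_DATA;` immediately before the `read_uint32` call. The `else` branch and the rest of the function are not visible here, so the width of that read should be confirmed as well.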
@@ -739,6 +741,8 @@
        for (y = 0; y < bmp->height; y++) {
                while (addr != (((intptr_t)data) & 3))
                        data++;
+               if ((data + (skip * bmp->width)) > end)
+                       return BMP_INSUFFICIENT_DATA;
                if (bmp->reversed)
                        scanline = (uint32_t *)(top + (y * swidth));
                else
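Review bot: The row check `if ((data + (skip * bmp->width)) > end)` can pass for an oversized width, because `skip * bmp->width` may wrap and forming a pointer far beyond the buffer is undefined behaviour that can wrap on 32-bit targets. `bmp->width` is presumably taken from the file header (its type and origin are outside this hunk), so it should be treated as untrusted. Comparing against the remaining length avoids both problems: `if (data > end || bmp->width > (size_t)(end - data) / skip) return BMP_INSUFFICIENT_DATA;`, assuming `skip` is never zero. The `data > end` term matters because the alignment loop just above advances `data` before any check. The same `data + N > end` form appears in the other hunks of this commit (`data + skip`, `data + 2`, `data + (2 * bmp->width)`, `data + 1`) and would benefit from the same rewrite.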
@@ -754,7 +758,7 @@
                                /* 32-bit BMPs have alpha masks, but sometimes 
they're not utilized */
                                if (bmp->opaque)
                                        scanline[x] |= (0xff << 24);
-                               data += 4;
+                               data += skip;
                        }
                } else {
                        for (x = 0; x < bmp->width; x++) {
@@ -799,11 +803,14 @@
        bmp->decoded = true;
 
        /* Determine transparent index */
-       if (bmp->limited_trans)
+       if (bmp->limited_trans) {
+               if ((data + 2) > end)
+                       return BMP_INSUFFICIENT_DATA;
                bmp->transparent_index = read_uint16(data, 0);
+       }
 
        for (y = 0; y < bmp->height; y++) {
-               if (addr != (((intptr_t)data) & 3))
+               while (addr != (((intptr_t)data) & 3))
                        data += 2;
                if ((data + (2 * bmp->width)) > end)
                        return BMP_INSUFFICIENT_DATA;
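Review bot: Changing `if` to `while` in `while (addr != (((intptr_t)data) & 3)) data += 2;` makes termination depend on `addr` and `data` sharing the same low bit, since a step of 2 never changes the parity of the address. `addr` is assigned outside this hunk, so this may always hold, but if it ever does not the loop walks `data` past `end` without stopping. A cheap guard is `while (data < end && addr != (((intptr_t)data) & 3))`, leaving the existing row check below to return BMP_INSUFFICIENT_DATA. Failing that, a comment such as `/* addr and data share parity, so this runs at most once */` would record the assumption.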
@@ -1067,6 +1074,10 @@
                        }
                        if (length > pixels_left)
                                length = pixels_left;
+                       
+                       /* boundary checking */
+                       if (data + 1 > end)
+                               return BMP_INSUFFICIENT_DATA;
 
                        /* the following code could be easily optimised by 
simply
                         * checking the bounds on entry and using some simply 
copying
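Review bot: The added `if (data + 1 > end)` guarantees only one readable byte, while the clamp just above (`length = pixels_left`) suggests the code that follows handles up to `length` pixels. That code is outside this hunk; if it consumes one input byte per pixel rather than repeating a single byte, the guard needs to cover the whole run, e.g. `if (length > (size_t)(end - data)) return BMP_INSUFFICIENT_DATA;`. If only one byte is read, a comment saying so, `/* run mode: a single colour byte follows */`, would make the check's sufficiency clear. The existing comment about "checking the bounds on entry" points the same way.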

