Update of /cvsroot/libwpg/libwpg/src/lib
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv16840/src/lib
Modified Files:
WPG1Parser.cpp
Log Message:
some more robustness checks
Index: WPG1Parser.cpp
===================================================================
RCS file: /cvsroot/libwpg/libwpg/src/lib/WPG1Parser.cpp,v
retrieving revision 1.45
retrieving revision 1.46
diff -u -d -r1.45 -r1.46
--- WPG1Parser.cpp 24 Jul 2008 13:52:24 -0000 1.45
+++ WPG1Parser.cpp 24 Jul 2008 15:35:55 -0000 1.46
@@ -296,6 +296,8 @@
return;
unsigned startIndex = readU16();
unsigned numEntries = readU16();
+ if (startIndex > 255 || numEntries > 256 || startIndex + numEntries > 256)
+ return;
WPG_DEBUG_MSG(("Colormap\n"));
for(unsigned int i = 0; i < numEntries; i++)
@@ -506,9 +508,7 @@
void WPG1Parser::decodeRLE(std::vector<unsigned char>& buffer, unsigned width, unsigned height, unsigned depth)
{
buffer.clear();
- if (depth <= 0 || width <= 0 || height <= 0)
- return;
-
+
// This are the known depth values for WPG1, no point to try to decode others since they are likely to indicate corruption
if (depth != 8 && depth != 4 && depth != 2 && depth != 1)
return;
@@ -577,6 +577,9 @@
if(!buffer)
return;
+ if (depth != 8 && depth != 4 && depth != 2 && depth != 1)
+ return;
+
// round to the next byte
unsigned scanline_width = (width * depth + 7)/8;
@@ -667,6 +670,10 @@
WPG_DEBUG_MSG(("Horizontal resolution: %d\n", hres));
WPG_DEBUG_MSG((" Vertical resolution: %d\n", vres));
+ // if this happens, likely corruption, bail out.
+ if (depth != 1 && depth != 2 && depth != 4 && depth != 8)
+ return;
+
// Sanity checks
if(hres <= 0)
hres = 1200;
@@ -689,7 +696,7 @@
std::vector<unsigned char> buffer;
decodeRLE(buffer, width, height, depth);
- if (buffer.size())
+ if (buffer.size() && buffer.size() == (size_t)((width*depth + 7)/8)*height)
{
fillPixels(bitmap, &buffer[0], width, height, depth);
m_painter->drawBitmap(bitmap);
@@ -700,11 +707,7 @@
{
if (!m_graphicsStarted)
return;
-#ifdef DEBUG
int rotation = readS16();
-#else
- readS16();
-#endif
int x1 = readS16();
int y1 = readS16();
int x2 = readS16();
@@ -725,6 +728,12 @@
WPG_DEBUG_MSG(("Horizontal resolution: %d\n", hres));
WPG_DEBUG_MSG((" Vertical resolution: %d\n", vres));
+ // if this happens, likely corruption, bail out.
+ if (rotation < 0 || rotation > 359)
+ return;
+ if (depth != 1 && depth != 2 && depth != 4 && depth != 8)
+ return;
+
// Sanity checks
if(hres <= 0)
hres = 1200;
@@ -754,7 +763,7 @@
std::vector<unsigned char> buffer;
decodeRLE(buffer, width, height, depth);
- if (buffer.size())
+ if (buffer.size() && buffer.size() == (size_t)((width*depth + 7)/8)*height)
{
fillPixels(bitmap, &buffer[0], width, height, depth);
m_painter->drawBitmap(bitmap);
|
