From: Fridrich S. <str...@us...> - 2008-07-24 13:53:08
Update of /cvsroot/libwpg/libwpg/src/lib In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv10197/src/lib Modified Files: Tag: STABLE-0-1-0 WPG1Parser.cpp WPG1Parser.h WPG2Parser.cpp Log Message: adding some more robustness to the parser Index: WPG2Parser.cpp =================================================================== RCS file: /cvsroot/libwpg/libwpg/src/lib/WPG2Parser.cpp,v retrieving revision 1.58.2.14 retrieving revision 1.58.2.15 diff -u -d -r1.58.2.14 -r1.58.2.15 --- WPG2Parser.cpp 23 Jul 2008 15:05:30 -0000 1.58.2.14 +++ WPG2Parser.cpp 24 Jul 2008 13:53:04 -0000 1.58.2.15 @@ -1410,14 +1410,14 @@ { if (!m_graphicsStarted) return; - unsigned long width = readU16(); - unsigned long height = readU16(); + unsigned width = readU16(); + unsigned height = readU16(); unsigned color_format = readU8(); unsigned compression_format = readU8(); WPG_DEBUG_MSG((" dimension : %g, %g %g, %g\n", m_bitmap.x1, m_bitmap.y1, m_bitmap.x2, m_bitmap.y2)); - WPG_DEBUG_MSG((" width : %li pixels\n", width)); - WPG_DEBUG_MSG((" height : %li pixels\n", height)); + WPG_DEBUG_MSG((" width : %i pixels\n", width)); + WPG_DEBUG_MSG((" height : %i pixels\n", height)); WPG_DEBUG_MSG((" color format : %d\n", color_format)); WPG_DEBUG_MSG((" compression : %d (%s)\n", compression_format, (compression_format==0) ? "uncompressed": @@ -1425,8 +1425,8 @@ if (color_format > 12) // not documented and we are likely not knowing what to do with this return; - unsigned long tmpBufferSize; - unsigned long raster_len = width; + unsigned tmpBufferSize; + unsigned raster_len = width; if (color_format == 1) { tmpBufferSize = (width/8+1)*height; @@ -1474,7 +1474,7 @@ WPG_DEBUG_MSG(("Decoding RLE data\n")); // FIXME check for ptr, it should not go out of bound!! - while (m_input->tell() <= m_recordEnd && !m_input->atEOS()) + while (m_input->tell() <= m_recordEnd && !m_input->atEOS() && buffer.size() < tmpBufferSize) { unsigned char opcode = readU8(); // specify data size 
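Review bot: Narrowing `tmpBufferSize` and `raster_len` from `unsigned long` to `unsigned` in the @@ -1425 hunk removes the 64-bit headroom the size arithmetic had on LP64 builds. Only the `color_format == 1` branch, `(width/8+1)*height`, is visible, and it fits in 32 bits for 16-bit dimensions. The other colour-format branches lie outside the hunk, and any that scale `width*height` by a bytes-per-pixel factor could wrap for dimensions read from the file. Once `raster_len` is final, a guard such as `if (height && raster_len > UINT_MAX / height) return;` would make the wrap impossible instead of leaving it implicit.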
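Review bot: The added `buffer.size() < tmpBufferSize` test in the @@ -1474 loop condition is evaluated once per opcode, so it limits how many opcodes are read, not how many bytes are appended. The loop body is outside the hunk, but if a single run or literal opcode can emit more than the remaining space, `buffer` still ends up larger than `tmpBufferSize`, and the `FIXME` about going out of bounds stays open. The same condition is added to `WPG1Parser::decodeRLE` in the @@ -502 hunk. Clamping each run before appending keeps the decoded size exact, e.g. `count = std::min<size_t>(count, tmpBufferSize - buffer.size());`, where `count` stands for whatever the body calls the run length.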
@@ -1584,7 +1584,9 @@ // current raster must be XORed with previous raster unsigned current = next_scanline - raster_len; unsigned previous = current - raster_len; - for( unsigned long r = 0; r < raster_len; r++) + if (current >= buffer.size() || previous >= buffer.size()) + return; + for( unsigned r = 0; r < raster_len; r++) buffer[current++] ^= buffer[previous++]; } @@ -1597,7 +1599,7 @@ // no buffer? format is unknown if(!buffer.size()) return; - for ( ; buffer.size() < tmpBufferSize; ) + while (buffer.size() < tmpBufferSize) buffer.push_back(0); // prepare the bitmap structure for the listener Index: WPG1Parser.h =================================================================== RCS file: /cvsroot/libwpg/libwpg/src/lib/WPG1Parser.h,v retrieving revision 1.15.2.3 retrieving revision 1.15.2.4 diff -u -d -r1.15.2.3 -r1.15.2.4 --- WPG1Parser.h 23 Jul 2008 09:54:17 -0000 1.15.2.3 +++ WPG1Parser.h 24 Jul 2008 13:53:04 -0000 1.15.2.4 @@ -55,8 +55,8 @@ void handleCurvedPolyline(); - void decodeRLE(std::vector<unsigned char>& buffer, int width, int height, int depth); - void fillPixels(libwpg::WPGBitmap& bitmap, const unsigned char* buffer, int width, int height, int depth); + void decodeRLE(std::vector<unsigned char>& buffer, unsigned width, unsigned height, unsigned depth); + void fillPixels(libwpg::WPGBitmap& bitmap, const unsigned char* buffer, unsigned width, unsigned height, unsigned depth); void handleBitmapTypeOne(); void handleBitmapTypeTwo(); void handlePostscriptTypeOne(); Index: WPG1Parser.cpp =================================================================== RCS file: /cvsroot/libwpg/libwpg/src/lib/WPG1Parser.cpp,v retrieving revision 1.33.2.10 retrieving revision 1.33.2.11 diff -u -d -r1.33.2.10 -r1.33.2.11 --- WPG1Parser.cpp 23 Jul 2008 15:05:30 -0000 1.33.2.10 +++ WPG1Parser.cpp 24 Jul 2008 13:53:04 -0000 1.33.2.11 
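Review bot: The new guard `if (current >= buffer.size() || previous >= buffer.size()) return;` in the @@ -1584 hunk validates only the two start indices, while the loop after it touches `raster_len` bytes from each. If `current` is valid but closer than `raster_len` to the end of `buffer`, `buffer[current++]` still runs past the last element. The unsigned wrap of `next_scanline - raster_len` is also caught only incidentally. Since `current + raster_len == next_scanline`, checking the whole range before the subtractions is both simpler and complete: `if (next_scanline < 2 * raster_len || next_scanline > buffer.size()) return;`. The enclosing function starts and ends outside the hunk, so how `next_scanline` is maintained is not visible here.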
@@ -502,21 +502,26 @@ WPG_DEBUG_MSG(("Curved Polyline\n")); } -void WPG1Parser::decodeRLE(std::vector<unsigned char>& buffer, int width, int height, int depth) +void WPG1Parser::decodeRLE(std::vector<unsigned char>& buffer, unsigned width, unsigned height, unsigned depth) { buffer.clear(); if (depth <= 0 || width <= 0 || height <= 0) return; + + // This are the known depth values for WPG1, no point to try to decode others since they are likely to indicate corruption + if (depth != 8 && depth != 4 && depth != 2 && depth != 1) + return; // round to the next byte unsigned scanline_width = (width * depth + 7)/8; unsigned tmpBufferSize = scanline_width * height; - buffer.reserve(tmpBufferSize); WPG_DEBUG_MSG(("Scanline width: %d\n", scanline_width)); WPG_DEBUG_MSG(("Output size: %d\n", scanline_width * height)); WPG_DEBUG_MSG(("Decoding RLE data\n")); - for(; m_input->tell() < m_recordEnd; ) + + buffer.reserve(tmpBufferSize); + while (m_input->tell() < m_recordEnd && !m_input->atEOS() && buffer.size() < tmpBufferSize) { unsigned char opcode = readU8(); @@ -561,11 +566,11 @@ WPG_DEBUG_MSG(("Finish decoding RLE data\n")); WPG_DEBUG_MSG(("Buffer length: %li\n", (long)buffer.size())); - for ( ; buffer.size() < tmpBufferSize ; ) + while (buffer.size() < tmpBufferSize) buffer.push_back(0); } -void WPG1Parser::fillPixels(libwpg::WPGBitmap& bitmap, const unsigned char* buffer, int width, int height, int depth) +void WPG1Parser::fillPixels(libwpg::WPGBitmap& bitmap, const unsigned char* buffer, unsigned width, unsigned height, unsigned depth) { // sanity if(!buffer) @@ -579,10 +584,10 @@ { libwpg::WPGColor black(0, 0, 0); libwpg::WPGColor white(255, 255, 255); - for(int y = 0; y < height; y++) + for(unsigned y = 0; y < height; y++) { const unsigned char* buf = buffer + y * scanline_width; - for(int x = 0; x < width; x++) + for(unsigned x = 0; x < width; x++) if(buf[x/8] & (0x80 >> (x & 7))) bitmap.setPixel(x, y, white); else 
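Review bot: With the parameters now `unsigned`, the `depth <= 0 || width <= 0 || height <= 0` test in the @@ -502 hunk rejects only zero, and `(width * depth + 7)/8` and `scanline_width * height` are computed in unsigned arithmetic that wraps silently. The call sites are outside this diff; if any can pass a negative or otherwise oversized dimension, `tmpBufferSize` can come out smaller than what `fillPixels` later reads for the same `width` and `height`. A range check after the depth whitelist closes that: `if (width > (UINT_MAX - 7) / depth || height > UINT_MAX / ((width * depth + 7) / 8)) return;`. `buffer.reserve(tmpBufferSize)` also commits to a file-controlled allocation before any data is decoded, so a sanity cap on the dimensions is worth considering.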
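Review bot: `fillPixels` in the @@ -561 hunk still takes a bare `const unsigned char* buffer` with no length and decides how much to read from `width`, `height` and `depth`, so it relies on the caller supplying a buffer of the size `decodeRLE` pads to. The depth whitelist added to `decodeRLE` in this commit makes it return with `buffer` empty for more inputs, and the callers (not part of this diff) need to test `buffer.empty()` before handing over `&buffer[0]`. I would state the contract on the function: `// buffer must hold at least scanline_width * height bytes; never pass storage from an empty vector`. The body of `fillPixels` continues past the end of this hunk, so the `scanline_width` computation it uses is not visible here.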
@@ -592,9 +597,9 @@ // 2-bit image: 4-color bitmap (indexed) else if(depth == 2) { - int i = 0; - for (int y = 0; y < height; y++) - for (int x = 0; x < width; x++, i++) + unsigned i = 0; + for (unsigned y = 0; y < height; y++) + for (unsigned x = 0; x < width; x++, i++) { if ((x==0) && (i % 4 != 0)) i = (i/4 + 1) * 4; @@ -606,9 +611,9 @@ // 4 -bit image: 16-colour bitmap (indexed) else if(depth == 4) { - int i = 0; - for (int y = 0; y < height; y++) - for (int x = 0; x < width; x++, i++) + unsigned i = 0; + for (unsigned y = 0; y < height; y++) + for (unsigned x = 0; x < width; x++, i++) { if ((x==0) && (i % 2 != 0)) i = (i/2 + 1) * 2; @@ -620,10 +625,10 @@ // 8-bit image: 256-colour image (indexed) else if(depth == 8) { - for(int y = 0; y < height; y++) + for(unsigned y = 0; y < height; y++) { const unsigned char* buf = buffer + y * scanline_width; - for(int x = 0; x < width; x++) + for(unsigned x = 0; x < width; x++) { const libwpg::WPGColor& color = m_colorPalette[buf[x]]; bitmap.setPixel(x, y, color); @@ -635,8 +640,8 @@ // debugging only if(buffer && 0) { - for(int x = 0; x < width; x++) - for(int y = 0; y < height; y++) + for(unsigned x = 0; x < width; x++) + for(unsigned y = 0; y < height; y++) { libwpg::WPGColor color = bitmap.pixel(x,y); WPG_DEBUG_MSG((" pixel at %d, %d: %3d %3d %3d\n", x, y, color.red, color.green, color.blue)); |
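Review bot: In the 8-bit branch of the @@ -620 hunk, `m_colorPalette[buf[x]]` is indexed with a byte taken directly from the decoded image data, and the commit changes only the loop counter types around it. The declaration of `m_colorPalette` is not visible in this diff. If it is an array or vector with fewer than 256 entries this is an out-of-bounds read on crafted input, and if it is a map, `operator[]` silently inserts default colours. A comment such as `// palette must cover all 256 indices; buf[x] comes from the file` would record the assumption, or the index should be checked against the palette size before use.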