Menu
▾
▴
[Libwpg-cvs] libwpg/src/lib WPG1Parser.cpp,1.45,1.46
|
From: Fridrich S. <str...@us...> - 2008-07-24 15:36:02
|
Update of /cvsroot/libwpg/libwpg/src/lib In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv16840/src/lib Modified Files: WPG1Parser.cpp Log Message: some more robustness checks Index: WPG1Parser.cpp =================================================================== RCS file: /cvsroot/libwpg/libwpg/src/lib/WPG1Parser.cpp,v retrieving revision 1.45 retrieving revision 1.46 diff -u -d -r1.45 -r1.46 --- WPG1Parser.cpp 24 Jul 2008 13:52:24 -0000 1.45 +++ WPG1Parser.cpp 24 Jul 2008 15:35:55 -0000 1.46 @@ -296,6 +296,8 @@ return; unsigned startIndex = readU16(); unsigned numEntries = readU16(); + if (startIndex > 255 || numEntries > 256 || startIndex + numEntries > 256) + return; WPG_DEBUG_MSG(("Colormap\n")); for(unsigned int i = 0; i < numEntries; i++) @@ -506,9 +508,7 @@ void WPG1Parser::decodeRLE(std::vector<unsigned char>& buffer, unsigned width, unsigned height, unsigned depth) { buffer.clear(); - if (depth <= 0 || width <= 0 || height <= 0) - return; - + // This are the known depth values for WPG1, no point to try to decode others since they are likely to indicate corruption if (depth != 8 && depth != 4 && depth != 2 && depth != 1) return; @@ -577,6 +577,9 @@ if(!buffer) return; + if (depth != 8 && depth != 4 && depth != 2 && depth != 1) + return; + // round to the next byte unsigned scanline_width = (width * depth + 7)/8; @@ -667,6 +670,10 @@ WPG_DEBUG_MSG(("Horizontal resolution: %d\n", hres)); WPG_DEBUG_MSG((" Vertical resolution: %d\n", vres)); + // if this happens, likely corruption, bail out. + if (depth != 1 && depth != 2 && depth != 4 && depth != 8) + return; + // Sanity checks if(hres <= 0) hres = 1200; @@ -689,7 +696,7 @@ std::vector<unsigned char> buffer; decodeRLE(buffer, width, height, depth); - if (buffer.size()) + if (buffer.size() && buffer.size() == (size_t)((width*depth + 7)/8)*height) { fillPixels(bitmap, &buffer[0], width, height, depth); m_painter->drawBitmap(bitmap); @@ -700,11 +707,7 @@ { if (!m_graphicsStarted) return; -#ifdef DEBUG int rotation = readS16(); -#else - readS16(); -#endif int x1 = readS16(); int y1 = readS16(); int x2 = readS16(); @@ -725,6 +728,12 @@ WPG_DEBUG_MSG(("Horizontal resolution: %d\n", hres)); WPG_DEBUG_MSG((" Vertical resolution: %d\n", vres)); + // if this happens, likely corruption, bail out. + if (rotation < 0 || rotation > 359) + return; + if (depth != 1 && depth != 2 && depth != 4 && depth != 8) + return; + // Sanity checks if(hres <= 0) hres = 1200; @@ -754,7 +763,7 @@ std::vector<unsigned char> buffer; decodeRLE(buffer, width, height, depth); - if (buffer.size()) + if (buffer.size() && buffer.size() == (size_t)((width*depth + 7)/8)*height) { fillPixels(bitmap, &buffer[0], width, height, depth); m_painter->drawBitmap(bitmap); |
