Gitweb links:
...log
http://git.netsurf-browser.org/libnsbmp.git/shortlog/041df43bbe273b082913...
...commit
http://git.netsurf-browser.org/libnsbmp.git/commit/041df43bbe273b0829132b...
...tree
http://git.netsurf-browser.org/libnsbmp.git/tree/041df43bbe273b0829132b0b...
The branch, master has been updated
via 041df43bbe273b0829132b0b17d89a69da2927d4 (commit)
via 49427b52ba41a1813e3822301612e2e170107efd (commit)
via 52940fdee6ca54c556cc064974949ba18c30472f (commit)
from efe7e0fa3c13e51ae987765e43ff882f49fc8a3e (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commitdiff
http://git.netsurf-browser.org/libnsbmp.git/commit/?id=041df43bbe273b0829...
commit 041df43bbe273b0829132b0b17d89a69da2927d4
Author: John-Mark Bell <jmb(a)netsurf-browser.org>
Commit: John-Mark Bell <jmb(a)netsurf-browser.org>
Range check colour table accesses.
Issue-reported-by: Hans Jerry Illikainen
diff --git a/src/libnsbmp.c b/src/libnsbmp.c
index 64aed18..123ed9e 100644
--- a/src/libnsbmp.c
+++ b/src/libnsbmp.c
@@ -865,8 +865,12 @@ static bmp_result bmp_decode_rgb(bmp_image *bmp, uint8_t **start, int
bytes) {
bmp->decoded = true;
/* Determine transparent index */
- if (bmp->limited_trans)
- bmp->transparent_index = bmp->colour_table[(*data >> bit_shifts[0]) &
bit_mask];
+ if (bmp->limited_trans) {
+ uint32_t idx = (*data >> bit_shifts[0]) & bit_mask;
+ if (idx >= bmp->colours)
+ return BMP_DATA_ERROR;
+ bmp->transparent_index = bmp->colour_table[idx];
+ }
for (y = 0; y < bmp->height; y++) {
while (addr != (((intptr_t)data) & 3))
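Review bot: Both new `return BMP_DATA_ERROR;` paths in bmp_decode_rgb (this hunk and the per-pixel one in the next hunk) run after the context line `bmp->decoded = true;`, so a file rejected for an out-of-range colour index still leaves the image flagged as decoded with a partly written bitmap. Whether callers consult `bmp->decoded` after a failure is not visible here; if they do, set the flag only once decoding has succeeded or clear it on the error path with `bmp->decoded = false;` before returning. Separately, `*data` is read for the transparent index with no comparison against the end of the input visible in the hunk, so a short comment naming the earlier check that guarantees at least one byte would help the next reader. The function starts and ends outside the hunk.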
@@ -879,11 +883,15 @@ static bmp_result bmp_decode_rgb(bmp_image *bmp, uint8_t **start,
int bytes) {
else
scanline = (void *)(bottom - (y * swidth));
for (x = 0; x < bmp->width; x++) {
+ uint32_t idx;
if (bit >= ppb) {
bit = 0;
cur_byte = *data++;
}
- scanline[x] = bmp->colour_table[(cur_byte >> bit_shifts[bit++]) &
bit_mask];
+ idx = (cur_byte >> bit_shifts[bit++]) & bit_mask;
+ if (idx >= bmp->colours)
+ return BMP_DATA_ERROR;
+ scanline[x] = bmp->colour_table[idx];
if ((bmp->limited_trans) && (scanline[x] == bmp->transparent_index))
scanline[x] = bmp->trans_colour;
}
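Review bot: The `idx >= bmp->colours` test added inside the `x` loop is loop-invariant whenever the table already covers every value the mask can produce, that is when `bmp->colours > bit_mask`. Evaluating that once before the `y` loop, for example `bool need_check = bmp->colours <= bit_mask;`, and guarding the per-pixel test with it keeps the hot path branch-free for well-formed palettes while still rejecting short tables. It would also be worth a one-line comment at the check, such as `/* idx comes from file data; colour_table holds bmp->colours entries */`, since nothing in the hunk says where the table size is established. The loop body continues outside the hunk.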
@@ -1014,13 +1022,16 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data,
int bytes, int s
* routines if so */
if (size == 8) {
for (i = 0; i < length; i++) {
+ uint32_t idx = (uint32_t) *data++;
if (x >= bmp->width) {
x = 0;
if (++y > bmp->height)
return BMP_DATA_ERROR;
scanline -= bmp->width;
}
- scanline[x++] = bmp->colour_table[(int)*data++];
+ if (idx >= bmp->colours)
+ return BMP_DATA_ERROR;
+ scanline[x++] = bmp->colour_table[idx];
}
} else {
for (i = 0; i < length; i++) {
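Review bot: The wrap handling kept as context in this hunk, `if (++y > bmp->height)` followed by `scanline -= bmp->width;`, still accepts `y == bmp->height` and always steps the row pointer downwards regardless of `bmp->reversed`. If rows are numbered 0 to height-1, as the `top + (y * swidth)` and `bottom - (y * swidth)` addressing in the other hunks on this page suggests, the store `scanline[x++] = bmp->colour_table[idx];` added here can then land one row outside the bitmap, and for reversed images it lands in the wrong row. I would change the test to `if (++y >= bmp->height)` and the step to `if (bmp->reversed) scanline += bmp->width; else scanline -= bmp->width;`. The same wrap pattern starts at the end of the encoded-run hunk (`if (x >= bmp->width) { x = 0;`) and continues outside it; how far the `pixels_left` clamp already bounds this is decided outside this hunk.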
@@ -1032,9 +1043,13 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data, int
bytes, int s
}
if ((i & 1) == 0) {
pixel = *data++;
+ if ((pixel >> 4) >= bmp->colours)
+ return BMP_DATA_ERROR;
scanline[x++] = bmp->colour_table
[pixel >> 4];
} else {
+ if ((pixel & 0xf) >= bmp->colours)
+ return BMP_DATA_ERROR;
scanline[x++] = bmp->colour_table
[pixel & 0xf];
}
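Review bot: In the 4-bit branch each index expression is written twice, once in the new check and once in the `bmp->colour_table[...]` subscript, whereas the 8-bit branch above uses a named `idx`. Computing it once, `uint32_t idx = pixel >> 4;` and `uint32_t idx = pixel & 0xf;`, then testing and subscripting with `idx`, keeps the bounds check and the access from drifting apart in later edits. The same applies to the two `pixel2` nibble checks in the last hunk of this commit, where `pixel2` is also reused to hold first the raw byte and then the looked-up colour. The enclosing loop starts outside the hunk.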
@@ -1065,7 +1080,10 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data, int
bytes, int s
* checking the bounds on entry and using some simply copying
* routines if so */
if (size == 8) {
- pixel = bmp->colour_table[(int)*data++];
+ uint32_t idx = (uint32_t) *data++;
+ if (idx >= bmp->colours)
+ return BMP_DATA_ERROR;
+ pixel = bmp->colour_table[idx];
for (i = 0; i < length; i++) {
if (x >= bmp->width) {
x = 0;
@@ -1077,6 +1095,9 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data, int
bytes, int s
}
} else {
pixel2 = *data++;
+ if ((pixel2 >> 4) >= bmp->colours ||
+ (pixel2 & 0xf) >= bmp->colours)
+ return BMP_DATA_ERROR;
pixel = bmp->colour_table[pixel2 >> 4];
pixel2 = bmp->colour_table[pixel2 & 0xf];
for (i = 0; i < length; i++) {
diff --git a/test/bmpsuite/coloob.bmp b/test/bmpsuite/coloob.bmp
new file mode 100644
index 0000000..49214f7
Binary files /dev/null and b/test/bmpsuite/coloob.bmp differ
commitdiff
http://git.netsurf-browser.org/libnsbmp.git/commit/?id=49427b52ba41a1813e...
commit 49427b52ba41a1813e3822301612e2e170107efd
Author: John-Mark Bell <jmb(a)netsurf-browser.org>
Commit: John-Mark Bell <jmb(a)netsurf-browser.org>
Fix pixels_left calculation in RLE decoding.
Additionally, improve input data range check for RLE4
absolute mode.
Issue-reported-by: Hans Jerry Illikainen
diff --git a/src/libnsbmp.c b/src/libnsbmp.c
index d432aeb..64aed18 100644
--- a/src/libnsbmp.c
+++ b/src/libnsbmp.c
@@ -997,15 +997,16 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data, int
bytes, int s
} else {
/* 00 - NN means escape NN pixels */
if (bmp->reversed) {
- pixels_left = (y + 1) * bmp->width - x;
+ pixels_left = (bmp->height - y) * bmp->width - x;
scanline = (void *)(top + (y * swidth));
} else {
- pixels_left = (bmp->height - y + 1) * bmp->width - x;
+ pixels_left = (y + 1) * bmp->width - x;
scanline = (void *)(bottom - (y * swidth));
}
if (length > pixels_left)
length = pixels_left;
- if (data + length > end)
+ if ((size == 4 && data + ((length + 1) / 2) > end) ||
+ (size == 8 && data + length > end))
return BMP_INSUFFICIENT_DATA;
/* the following code could be easily optimised by simply
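Review bot: The new bound `data + ((length + 1) / 2) > end` (like the `data + length > end` it replaces) forms a pointer that can lie more than one element past the input buffer before comparing, which is undefined behaviour in C even though it usually works. Comparing sizes avoids that: `size_t need = (size == 4) ? (length + 1) / 2 : length;` then `if ((size_t)(end - data) < need) return BMP_INSUFFICIENT_DATA;`. As written, the condition also performs no check at all when `size` is neither 4 nor 8; whether that can happen is decided outside this hunk, and the size-based form above closes the gap by treating any other value like 8. The `pixels_left` expressions are unsigned-looking arithmetic on `bmp->height`, `y`, `bmp->width` and `x` whose types are not visible here, so a comment stating the invariants `y < bmp->height` and `x <= bmp->width` at this point would be useful; the same expressions recur in the next hunk.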
@@ -1047,10 +1048,10 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data,
int bytes, int s
} else {
/* NN means perform RLE for NN pixels */
if (bmp->reversed) {
- pixels_left = (y + 1) * bmp->width - x;
+ pixels_left = (bmp->height - y) * bmp->width - x;
scanline = (void *)(top + (y * swidth));
} else {
- pixels_left = (bmp->height - y + 1) * bmp->width - x;
+ pixels_left = (y + 1) * bmp->width - x;
scanline = (void *)(bottom - (y * swidth));
}
if (length > pixels_left)
diff --git a/test/bmpsuite/rleof.bmp b/test/bmpsuite/rleof.bmp
new file mode 100644
index 0000000..05807f3
Binary files /dev/null and b/test/bmpsuite/rleof.bmp differ
commitdiff
http://git.netsurf-browser.org/libnsbmp.git/commit/?id=52940fdee6ca54c556...
commit 52940fdee6ca54c556cc064974949ba18c30472f
Author: John-Mark Bell <jmb(a)netsurf-browser.org>
Commit: John-Mark Bell <jmb(a)netsurf-browser.org>
Trivial spelling fix
diff --git a/src/libnsbmp.c b/src/libnsbmp.c
index 5d20d7c..d432aeb 100644
--- a/src/libnsbmp.c
+++ b/src/libnsbmp.c
@@ -470,7 +470,7 @@ static bmp_result bmp_analyse_header(bmp_image *bmp, uint8_t *data) {
break;
}
/* Bitfield encoding means we have red, green, blue, and alpha masks.
- * Here we aquire the masks and determine the required bit shift to
+ * Here we acquire the masks and determine the required bit shift to
* align them in our 24-bit color 8-bit alpha format.
*/
if (bmp->encoding == BMP_ENCODING_BITFIELDS) {
-----------------------------------------------------------------------
Summary of changes:
src/libnsbmp.c | 44 +++++++++++++++++++++++++++++++++-----------
test/bmpsuite/coloob.bmp | Bin 0 -> 126 bytes
test/bmpsuite/rleof.bmp | Bin 0 -> 157 bytes
3 files changed, 33 insertions(+), 11 deletions(-)
create mode 100644 test/bmpsuite/coloob.bmp
create mode 100644 test/bmpsuite/rleof.bmp
diff --git a/src/libnsbmp.c b/src/libnsbmp.c
index 5d20d7c..123ed9e 100644
--- a/src/libnsbmp.c
+++ b/src/libnsbmp.c
@@ -470,7 +470,7 @@ static bmp_result bmp_analyse_header(bmp_image *bmp, uint8_t *data) {
break;
}
/* Bitfield encoding means we have red, green, blue, and alpha masks.
- * Here we aquire the masks and determine the required bit shift to
+ * Here we acquire the masks and determine the required bit shift to
* align them in our 24-bit color 8-bit alpha format.
*/
if (bmp->encoding == BMP_ENCODING_BITFIELDS) {
@@ -865,8 +865,12 @@ static bmp_result bmp_decode_rgb(bmp_image *bmp, uint8_t **start, int
bytes) {
bmp->decoded = true;
/* Determine transparent index */
- if (bmp->limited_trans)
- bmp->transparent_index = bmp->colour_table[(*data >> bit_shifts[0]) &
bit_mask];
+ if (bmp->limited_trans) {
+ uint32_t idx = (*data >> bit_shifts[0]) & bit_mask;
+ if (idx >= bmp->colours)
+ return BMP_DATA_ERROR;
+ bmp->transparent_index = bmp->colour_table[idx];
+ }
for (y = 0; y < bmp->height; y++) {
while (addr != (((intptr_t)data) & 3))
@@ -879,11 +883,15 @@ static bmp_result bmp_decode_rgb(bmp_image *bmp, uint8_t **start,
int bytes) {
else
scanline = (void *)(bottom - (y * swidth));
for (x = 0; x < bmp->width; x++) {
+ uint32_t idx;
if (bit >= ppb) {
bit = 0;
cur_byte = *data++;
}
- scanline[x] = bmp->colour_table[(cur_byte >> bit_shifts[bit++]) &
bit_mask];
+ idx = (cur_byte >> bit_shifts[bit++]) & bit_mask;
+ if (idx >= bmp->colours)
+ return BMP_DATA_ERROR;
+ scanline[x] = bmp->colour_table[idx];
if ((bmp->limited_trans) && (scanline[x] == bmp->transparent_index))
scanline[x] = bmp->trans_colour;
}
@@ -997,15 +1005,16 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data, int
bytes, int s
} else {
/* 00 - NN means escape NN pixels */
if (bmp->reversed) {
- pixels_left = (y + 1) * bmp->width - x;
+ pixels_left = (bmp->height - y) * bmp->width - x;
scanline = (void *)(top + (y * swidth));
} else {
- pixels_left = (bmp->height - y + 1) * bmp->width - x;
+ pixels_left = (y + 1) * bmp->width - x;
scanline = (void *)(bottom - (y * swidth));
}
if (length > pixels_left)
length = pixels_left;
- if (data + length > end)
+ if ((size == 4 && data + ((length + 1) / 2) > end) ||
+ (size == 8 && data + length > end))
return BMP_INSUFFICIENT_DATA;
/* the following code could be easily optimised by simply
@@ -1013,13 +1022,16 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data,
int bytes, int s
* routines if so */
if (size == 8) {
for (i = 0; i < length; i++) {
+ uint32_t idx = (uint32_t) *data++;
if (x >= bmp->width) {
x = 0;
if (++y > bmp->height)
return BMP_DATA_ERROR;
scanline -= bmp->width;
}
- scanline[x++] = bmp->colour_table[(int)*data++];
+ if (idx >= bmp->colours)
+ return BMP_DATA_ERROR;
+ scanline[x++] = bmp->colour_table[idx];
}
} else {
for (i = 0; i < length; i++) {
@@ -1031,9 +1043,13 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data, int
bytes, int s
}
if ((i & 1) == 0) {
pixel = *data++;
+ if ((pixel >> 4) >= bmp->colours)
+ return BMP_DATA_ERROR;
scanline[x++] = bmp->colour_table
[pixel >> 4];
} else {
+ if ((pixel & 0xf) >= bmp->colours)
+ return BMP_DATA_ERROR;
scanline[x++] = bmp->colour_table
[pixel & 0xf];
}
@@ -1047,10 +1063,10 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data,
int bytes, int s
} else {
/* NN means perform RLE for NN pixels */
if (bmp->reversed) {
- pixels_left = (y + 1) * bmp->width - x;
+ pixels_left = (bmp->height - y) * bmp->width - x;
scanline = (void *)(top + (y * swidth));
} else {
- pixels_left = (bmp->height - y + 1) * bmp->width - x;
+ pixels_left = (y + 1) * bmp->width - x;
scanline = (void *)(bottom - (y * swidth));
}
if (length > pixels_left)
@@ -1064,7 +1080,10 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data, int
bytes, int s
* checking the bounds on entry and using some simply copying
* routines if so */
if (size == 8) {
- pixel = bmp->colour_table[(int)*data++];
+ uint32_t idx = (uint32_t) *data++;
+ if (idx >= bmp->colours)
+ return BMP_DATA_ERROR;
+ pixel = bmp->colour_table[idx];
for (i = 0; i < length; i++) {
if (x >= bmp->width) {
x = 0;
@@ -1076,6 +1095,9 @@ static bmp_result bmp_decode_rle(bmp_image *bmp, uint8_t *data, int
bytes, int s
}
} else {
pixel2 = *data++;
+ if ((pixel2 >> 4) >= bmp->colours ||
+ (pixel2 & 0xf) >= bmp->colours)
+ return BMP_DATA_ERROR;
pixel = bmp->colour_table[pixel2 >> 4];
pixel2 = bmp->colour_table[pixel2 & 0xf];
for (i = 0; i < length; i++) {
diff --git a/test/bmpsuite/coloob.bmp b/test/bmpsuite/coloob.bmp
new file mode 100644
index 0000000..49214f7
Binary files /dev/null and b/test/bmpsuite/coloob.bmp differ
diff --git a/test/bmpsuite/rleof.bmp b/test/bmpsuite/rleof.bmp
new file mode 100644
index 0000000..05807f3
Binary files /dev/null and b/test/bmpsuite/rleof.bmp differ
--
NetSurf BMP Decoder