Mercurial > hg > dmlib
comparison tools/lib64gfx.c @ 1597:501e31f11c29
Fix RLE decoder bounds checks for compressed sequences.
| author | Matti Hamalainen <ccr@tnsp.org> |
|---|---|
| date | Mon, 14 May 2018 07:27:31 +0300 |
| parents | 3cc7b2aadda3 |
| children | e28e67358ff6 |
comparison
equal
deleted
inserted
replaced
| 1596:9bc23e64f565 | 1597:501e31f11c29 |
|---|---|
| 311 case DM_COMP_RLE_MARKER1: | 311 case DM_COMP_RLE_MARKER1: |
| 312 case DM_COMP_RLE_MARKER2: | 312 case DM_COMP_RLE_MARKER2: |
| 313 // A simple marker byte RLE variant: [Marker] [count] [data] | 313 // A simple marker byte RLE variant: [Marker] [count] [data] |
| 314 if (data == cfg->rleMarker) | 314 if (data == cfg->rleMarker) |
| 315 { | 315 { |
| 316 if (srcEnd - src < 2) | 316 if (srcEnd - src + 1 < 2) |
| 317 { | 317 { |
| 318 res = DMERR_INVALID_DATA; | 318 res = DMERR_INVALID_DATA; |
| 319 goto err; | 319 goto err; |
| 320 } | 320 } |
| 321 | 321 |
| 337 case DM_COMP_RLE_MASK: | 337 case DM_COMP_RLE_MASK: |
| 338 // Mask marker RLE: usually high bit(s) of byte mark RLE sequence | 338 // Mask marker RLE: usually high bit(s) of byte mark RLE sequence |
| 339 // and the lower bits contain the count: [Mask + count] [data] | 339 // and the lower bits contain the count: [Mask + count] [data] |
| 340 if ((data & cfg->rleMask1) == cfg->rleMarker) | 340 if ((data & cfg->rleMask1) == cfg->rleMarker) |
| 341 { | 341 { |
| 342 if (srcEnd - src < 1) | 342 if (srcEnd - src + 1 < 1) |
| 343 { | 343 { |
| 344 res = DMERR_INVALID_DATA; | 344 res = DMERR_INVALID_DATA; |
| 345 goto err; | 345 goto err; |
| 346 } | 346 } |
| 347 | 347 |