]> git.saurik.com Git - wxWidgets.git/blobdiff - src/common/imagbmp.cpp
fixing overrelease and out-of-bounds write, fixes #13725
[wxWidgets.git] / src / common / imagbmp.cpp
index 3e7a128d101005f7a473af6a8fe8b66475bc28b8..f3c7f8c0407e52159932787bdc8a69a2972227e0 100644 (file)
 // For memcpy
 #include <string.h>
 
+// ----------------------------------------------------------------------------
+// private functions
+// ----------------------------------------------------------------------------
+
+#if wxUSE_ICO_CUR
+
+static bool CanReadICOOrCUR(wxInputStream *stream, wxUint16 resourceType);
+
+#endif // wxUSE_ICO_CUR
+
 //-----------------------------------------------------------------------------
 // wxBMPHandler
 //-----------------------------------------------------------------------------
@@ -81,7 +91,7 @@ bool wxBMPHandler::SaveDib(wxImage *image,
 {
     wxCHECK_MSG( image, false, wxT("invalid pointer in wxBMPHandler::SaveFile") );
 
-    if ( !image->Ok() )
+    if ( !image->IsOk() )
     {
         if ( verbose )
         {
@@ -136,8 +146,8 @@ bool wxBMPHandler::SaveDib(wxImage *image,
     }
 
     unsigned width = image->GetWidth();
-    unsigned row_padding = (4 - int(width*bpp/8.0) % 4) % 4; // # bytes to pad to dword
-    unsigned row_width = int(width * bpp/8.0) + row_padding; // # of bytes per row
+    unsigned row_padding = (4 - ((width * bpp + 7) / 8) % 4) % 4; // # bytes to pad to dword
+    unsigned row_width = (width * bpp + 7) / 8 + row_padding; // # of bytes per row
 
     struct
     {
@@ -341,7 +351,7 @@ bool wxBMPHandler::SaveDib(wxImage *image,
 
     // pointer to the image data, use quantized if available
     wxUint8 *data = (wxUint8*) image->GetData();
-    if (q_image) if (q_image->Ok()) data = (wxUint8*) q_image->GetData();
+    if (q_image) if (q_image->IsOk()) data = (wxUint8*) q_image->GetData();
 
     wxUint8 *buffer = new wxUint8[row_width];
     memset(buffer, 0, row_width);
@@ -523,6 +533,14 @@ bool wxBMPHandler::DoLoadDib(wxImage * image, int width, int height,
 
     wxON_BLOCK_EXIT1(&BMPPalette::Free, cmap);
 
+    bool isUpsideDown = true;
+
+    if (height < 0)
+    {
+        isUpsideDown = false;
+        height = -height;
+    }
+
     // destroy existing here instead of:
     image->Destroy();
     image->Create(width, height);
@@ -684,9 +702,18 @@ bool wxBMPHandler::DoLoadDib(wxImage * image, int width, int height,
 
     int linesize = ((width * bpp + 31) / 32) * 4;
 
-    /* BMPs are stored upside down */
-    for ( int line = (height - 1); line >= 0; line-- )
+    // flag indicating if we have any not fully transparent alpha values: this
+    // is used to account for the bitmaps which use 32bpp format (normally
+    // meaning that they have alpha channel) but have only zeroes in it so that
+    // without this hack they appear fully transparent -- and as this is
+    // unlikely intentional, we consider that they don't have alpha at all in
+    // this case (see #10915)
+    bool hasValidAlpha = false;
+
+    for ( int row = 0; row < height; row++ )
     {
+        int line = isUpsideDown ? height - 1 - row : row;
+
         int linepos = 0;
         for ( int column = 0; column < width ; )
         {
@@ -716,21 +743,24 @@ bool wxBMPHandler::DoLoadDib(wxImage * image, int width, int height,
                         {
                             if ( aByte == 0 )
                             {
-                                if ( column > 0 )
-                                    column = width;
+                                // end of scanline marker
+                                column = width;
+                                row--;
                             }
                             else if ( aByte == 1 )
                             {
+                                // end of RLE data marker, stop decoding
                                 column = width;
-                                line = -1;
+                                row = height;
                             }
                             else if ( aByte == 2 )
                             {
+                                // delta marker, move in image
                                 aByte = stream.GetC();
                                 column += aByte;
                                 linepos = column * bpp / 4;
                                 aByte = stream.GetC();
-                                line -= aByte; // upside down
+                                row += aByte; // upside down
                             }
                             else
                             {
@@ -799,20 +829,24 @@ bool wxBMPHandler::DoLoadDib(wxImage * image, int width, int height,
                         {
                             if ( aByte == 0 )
                             {
-                                /* column = width; */
+                                // end of scanline marker
+                                column = width;
+                                row--;
                             }
                             else if ( aByte == 1 )
                             {
+                                // end of RLE data marker, stop decoding
                                 column = width;
-                                line = -1;
+                                row = height;
                             }
                             else if ( aByte == 2 )
                             {
+                                // delta marker, move in image
                                 aByte = stream.GetC();
                                 column += aByte;
                                 linepos = column * bpp / 8;
                                 aByte = stream.GetC();
-                                line += aByte;
+                                row -= aByte;
                             }
                             else
                             {
@@ -895,6 +929,9 @@ bool wxBMPHandler::DoLoadDib(wxImage * image, int width, int height,
                 {
                     temp = (unsigned char)((aDword & amask) >> ashift);
                     alpha[line * width + column] = temp;
+
+                    if ( temp != wxALPHA_TRANSPARENT )
+                        hasValidAlpha = true;
                 }
                 column++;
             }
@@ -910,6 +947,13 @@ bool wxBMPHandler::DoLoadDib(wxImage * image, int width, int height,
 
     image->SetMask(false);
 
+    // check if we had any valid alpha values in this bitmap
+    if ( alpha && !hasValidAlpha )
+    {
+        // we didn't, so finally discard the alpha channel completely
+        image->ClearAlpha();
+    }
+
     const wxStreamError err = stream.GetLastError();
     return err == wxSTREAM_NO_ERROR || err == wxSTREAM_EOF;
 }
@@ -1221,7 +1265,7 @@ bool wxICOHandler::SaveFile(wxImage *image,
         // wxCountingOutputStream::IsOk() always returns true for now and this
         // "if" provokes VC++ warnings in optimized build
 #if 0
-        if ( !cStream.Ok() )
+        if ( !cStream.IsOk() )
         {
             if ( verbose )
             {
@@ -1307,6 +1351,11 @@ bool wxICOHandler::SaveFile(wxImage *image,
 bool wxICOHandler::LoadFile(wxImage *image, wxInputStream& stream,
                             bool verbose, int index)
 {
+    if ( stream.IsSeekable() && stream.SeekI(0) == wxInvalidOffset )
+    {
+        return false;
+    }
+
     return DoLoadFile(image, stream, verbose, index);
 }
 
@@ -1395,10 +1444,16 @@ bool wxICOHandler::DoLoadFile(wxImage *image, wxInputStream& stream,
 
 int wxICOHandler::DoGetImageCount(wxInputStream& stream)
 {
+    // It's ok to modify the stream position in this function.
+
+    if ( stream.IsSeekable() && stream.SeekI(0) == wxInvalidOffset )
+    {
+        return 0;
+    }
+
     ICONDIR IconDir;
 
     if (stream.Read(&IconDir, sizeof(IconDir)).LastRead() != sizeof(IconDir))
-             // it's ok to modify the stream position here
         return 0;
 
     return (int)wxUINT16_SWAP_ON_BE(IconDir.idCount);
@@ -1406,12 +1461,8 @@ int wxICOHandler::DoGetImageCount(wxInputStream& stream)
 
 bool wxICOHandler::DoCanRead(wxInputStream& stream)
 {
-    unsigned char hdr[4];
-    if ( !stream.Read(hdr, WXSIZEOF(hdr)) )     // it's ok to modify the stream position here
-        return false;
+    return CanReadICOOrCUR(&stream, 1 /*for identifying an icon*/);
 
-    // hdr[2] is one for an icon and two for a cursor
-    return hdr[0] == '\0' && hdr[1] == '\0' && hdr[2] == '\1' && hdr[3] == '\0';
 }
 
 #endif // wxUSE_STREAMS
@@ -1427,12 +1478,7 @@ IMPLEMENT_DYNAMIC_CLASS(wxCURHandler, wxICOHandler)
 
 bool wxCURHandler::DoCanRead(wxInputStream& stream)
 {
-    unsigned char hdr[4];
-    if ( !stream.Read(hdr, WXSIZEOF(hdr)) )     // it's ok to modify the stream position here
-        return false;
-
-    // hdr[2] is one for an icon and two for a cursor
-    return hdr[0] == '\0' && hdr[1] == '\0' && hdr[2] == '\2' && hdr[3] == '\0';
+    return CanReadICOOrCUR(&stream, 2 /*for identifying a cursor*/);
 }
 
 #endif // wxUSE_STREAMS
@@ -1471,6 +1517,26 @@ int wxANIHandler::DoGetImageCount(wxInputStream& stream)
     return decoder.GetFrameCount();
 }
 
+static bool CanReadICOOrCUR(wxInputStream *stream, wxUint16 resourceType)
+{
+    // It's ok to modify the stream position in this function.
+
+    if ( stream->IsSeekable() && stream->SeekI(0) == wxInvalidOffset )
+    {
+        return false;
+    }
+
+    ICONDIR iconDir;
+    if ( !stream->Read(&iconDir, sizeof(iconDir)) )
+    {
+        return false;
+    }
+
+    return !iconDir.idReserved // reserved, must be 0
+        && wxUINT16_SWAP_ON_BE(iconDir.idType) == resourceType // either 1 or 2
+        && iconDir.idCount; // must contain at least one image
+}
+
 #endif // wxUSE_STREAMS
 
 #endif // wxUSE_ICO_CUR