]> git.saurik.com Git - wxWidgets.git/blobdiff - src/common/imaggif.cpp
Fix out of bounds string access in wxMSW wxDirDialog.
[wxWidgets.git] / src / common / imaggif.cpp
index 75e8f73def579c2d4300051fb1f4f3572c396299..b90bd8fb99502b18b5f49bccb86a4131dc0d2cd2 100644 (file)
@@ -92,8 +92,7 @@ static bool wxGIFHandler_Write(wxOutputStream *, const void *buf, size_t len);
 static bool wxGIFHandler_WriteByte(wxOutputStream *, wxUint8);
 static bool wxGIFHandler_WriteWord(wxOutputStream *, wxUint16);
 static bool wxGIFHandler_WriteHeader(wxOutputStream *, int width, int height,
-    bool loop, const wxRGB *pal, int palCount,
-    const wxString& comment = wxEmptyString);
+    bool loop, const wxRGB *pal, int palCount);
 static bool wxGIFHandler_WriteRect(wxOutputStream *, int width, int height);
 #if wxUSE_PALETTE
 static bool wxGIFHandler_WriteTerm(wxOutputStream *);
@@ -225,10 +224,13 @@ bool wxGIFHandler::DoSaveFile(const wxImage& image, wxOutputStream *stream,
     if (first)
     {
         ok = wxGIFHandler_WriteHeader(stream, width, height, loop,
-            pal, palCount, image.GetOption(wxIMAGE_OPTION_GIF_COMMENT));
+            pal, palCount);
     }
 
-    ok = ok && wxGIFHandler_WriteControl(stream, maskIndex, delayMilliSecs)
+    ok = ok
+        && wxGIFHandler_WriteComment(stream,
+            image.GetOption(wxIMAGE_OPTION_GIF_COMMENT))
+        && wxGIFHandler_WriteControl(stream, maskIndex, delayMilliSecs)
         && wxGIFHandler_WriteByte(stream, GIF_MARKER_SEP)
         && wxGIFHandler_WriteRect(stream, width, height);
 
@@ -645,7 +647,7 @@ bool wxGIFHandler_WriteWord(wxOutputStream *stream, wxUint16 word)
 }
 
 bool wxGIFHandler_WriteHeader(wxOutputStream *stream, int width, int height,
-    bool loop, const wxRGB *pal, int palCount, const wxString& comment)
+    bool loop, const wxRGB *pal, int palCount)
 {
     const int bpp = wxGIFHandler_BitSize(palCount);
     wxUint8 buf[3];
@@ -667,11 +669,6 @@ bool wxGIFHandler_WriteHeader(wxOutputStream *stream, int width, int height,
        ok = ok && wxGIFHandler_WriteLoop(stream);
     }
 
-    if ( !comment.empty() )
-    {
-       ok = ok && wxGIFHandler_WriteComment(stream, comment);
-    }
-
     return ok;
 }
 
@@ -739,18 +736,44 @@ bool wxGIFHandler_WriteControl(wxOutputStream *stream,
 
 bool wxGIFHandler_WriteComment(wxOutputStream *stream, const wxString& comment)
 {
-    wxUint8 buf[3];
-    wxCharBuffer text(comment.mb_str());
-    size_t len = strlen(text.data());
-    len = wxMin(len, 255);
+    if ( comment.empty() )
+    {
+        return true;
+    }
 
+    // Write comment header.
+    wxUint8 buf[2];
     buf[0] = GIF_MARKER_EXT;
     buf[1] = GIF_MARKER_EXT_COMMENT;
-    buf[2] = (wxUint8)len;
+    if ( !wxGIFHandler_Write(stream, buf, sizeof(buf)) )
+    {
+        return false;
+    }
 
-    return wxGIFHandler_Write(stream, buf, sizeof(buf))
-        && wxGIFHandler_Write(stream, text.data(), len)
-        && wxGIFHandler_WriteZero(stream);
+    /*
+    If comment is longer than 255 bytes write it in blocks of maximum 255
+    bytes each.
+    */
+    wxCharBuffer text( comment.mb_str() );
+
+    size_t pos = 0, fullLength = text.length();
+
+    do
+    {
+        size_t blockLength = wxMin(fullLength - pos, 255);
+
+        if ( !wxGIFHandler_WriteByte(stream, (wxUint8) blockLength)
+            || !wxGIFHandler_Write(stream, &text.data()[pos], blockLength) )
+        {
+            return false;
+        }
+
+        pos += blockLength;
+    }while (pos < fullLength);
+
+
+    // Write comment footer.
+    return wxGIFHandler_WriteZero(stream);
 }
 
 bool wxGIFHandler_WriteLoop(wxOutputStream *stream)