X-Git-Url: https://git.saurik.com/wxWidgets.git/blobdiff_plain/8898456df4728afe7d100011e0e23b0ffb9a6341..ae901b234c4a0aa7c1777b3bd181dd7f8517ad21:/src/common/imagpcx.cpp

diff --git a/src/common/imagpcx.cpp b/src/common/imagpcx.cpp
index c8b42f3b0a..05f1d66a5e 100644
--- a/src/common/imagpcx.cpp
+++ b/src/common/imagpcx.cpp
@@ -18,18 +18,17 @@
 #if wxUSE_IMAGE && wxUSE_PCX
 
 #ifndef WX_PRECOMP
+    #include "wx/object.h"
+    #include "wx/list.h"
     #include "wx/log.h"
     #include "wx/intl.h"
     #include "wx/palette.h"
+    #include "wx/hash.h"
+    #include "wx/module.h"
 #endif
 
 #include "wx/imagpcx.h"
 #include "wx/wfstream.h"
-#include "wx/module.h"
-
-#include "wx/hash.h"
-#include "wx/list.h"
-#include "wx/object.h"
 
 //-----------------------------------------------------------------------------
 // wxPCXHandler
@@ -88,17 +87,15 @@ void RLEencode(unsigned char *p, unsigned int size, wxOutputStream& s)
 
 void RLEdecode(unsigned char *p, unsigned int size, wxInputStream& s)
 {
-    unsigned int i, data, cont;
-
     // Read 'size' bytes. The PCX official specs say there will be
     // a decoding break at the end of each scanline (but not at the
     // end of each plane inside a scanline). Only use this function
     // to read one or more _complete_ scanlines. Else, more than
     // 'size' bytes might be read and the buffer might overflow.
 
-    while (size > 0)
+    while (size != 0)
     {
-        data = (unsigned char)s.GetC();
+        unsigned int data = (unsigned char)s.GetC();
 
         // If ((data & 0xC0) != 0xC0), then the value read is a data
         // byte. Else, it is a counter (cont = val & 0x3F) and the
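Review bot: The cast in `unsigned int data = (unsigned char)s.GetC();` discards any end-of-stream indication, so a truncated PCX file is decoded as a run of 0xFF bytes instead of being rejected (this assumes GetC() returns wxEOF on failure, as wxInputStream documents). 0xFF has both top bits set, so each such byte is treated as a run counter of 63 and the loop keeps filling the buffer with data that was never in the file. Test the stream state before using the byte, for example `if (!s.IsOk()) break;` directly after the read. The same applies to the second GetC() in the counter branch of the next hunk. RLEdecode's body continues outside this hunk.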
@@ -111,9 +108,11 @@ void RLEdecode(unsigned char *p, unsigned int size, wxInputStream& s)
         }
         else
         {
-            cont = data & 0x3F;
+            unsigned int cont = data & 0x3F;
+            if (cont > size) // can happen only if the file is malformed
+                break;
             data = (unsigned char)s.GetC();
-            for (i = 1; i <= cont; i++)
+            for (unsigned int i = 1; i <= cont; i++)
                 *(p++) = (unsigned char)data;
             size -= cont;
         }
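Review bot: The `break` taken when `cont > size` leaves the remaining `size` bytes of `p` unwritten, and RLEdecode returns void, so the caller cannot tell a malformed run from a complete decode. If the caller does not pre-initialise the scanline buffer (not visible here), the undecoded tail would carry stale heap contents into the resulting image. Either zero the tail before leaving, e.g. `memset(p, 0, size);` ahead of the `break`, or have the function report failure so the loader can reject the file. The comment above the loop still says the buffer might overflow, which this check now prevents, so it should be updated. The function's closing lines are outside the hunk.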