X-Git-Url: https://git.saurik.com/wxWidgets.git/blobdiff_plain/8907154c1a8a6882c6797d1f16393ddfb23e7f3a..0be274189380d9de3c60836dab2fc080f21f88ee:/src/common/gifdecod.cpp diff --git a/src/common/gifdecod.cpp b/src/common/gifdecod.cpp index 5d9b295a6e..4b3e6ddc87 100644 --- a/src/common/gifdecod.cpp +++ b/src/common/gifdecod.cpp @@ -1,5 +1,5 @@ ///////////////////////////////////////////////////////////////////////////// -// Name: gifdecod.cpp +// Name: src/common/gifdecod.cpp // Purpose: wxGIFDecoder, GIF reader for wxImage and wxAnimation // Author: Guillermo Rodriguez Garcia // Version: 3.04 @@ -12,16 +12,15 @@ #include "wx/wxprec.h" #ifdef __BORLANDC__ -# pragma hdrstop + #pragma hdrstop #endif +#if wxUSE_STREAMS && wxUSE_GIF + #ifndef WX_PRECOMP -# include "wx/defs.h" -# include "wx/palette.h" + #include "wx/palette.h" #endif -#if wxUSE_STREAMS && wxUSE_GIF - #include #include #include "wx/gifdecod.h" @@ -142,21 +141,18 @@ bool wxGIFDecoder::ConvertToImage(wxImage *image) const image->SetMask(false); #if wxUSE_PALETTE - if (pal) - { - unsigned char r[256]; - unsigned char g[256]; - unsigned char b[256]; - - for (i = 0; i < 256; i++) - { - r[i] = pal[3*i + 0]; - g[i] = pal[3*i + 1]; - b[i] = pal[3*i + 2]; - } + unsigned char r[256]; + unsigned char g[256]; + unsigned char b[256]; - image->SetPalette(wxPalette(256, r, g, b)); + for (i = 0; i < 256; i++) + { + r[i] = pal[3*i + 0]; + g[i] = pal[3*i + 1]; + b[i] = pal[3*i + 2]; } + + image->SetPalette(wxPalette(256, r, g, b)); #endif // wxUSE_PALETTE /* copy image data */ @@ -470,6 +466,25 @@ int wxGIFDecoder::dgif(GIFImage *img, int interl, int bits) /* make new entry in alphabet (only if NOT just cleared) */ if (lastcode != -1) { + // Normally, after the alphabet is full and can't grow any + // further (ab_free == 4096), encoder should (must?) emit CLEAR + // to reset it. This checks whether we really got it, otherwise + // the GIF is damaged. + if (ab_free > ab_max) + { + delete[] ab_prefix; + delete[] ab_tail; + delete[] stack; + return wxGIF_INVFORMAT; + } + + // This assert seems unnecessary since the condition above + // eliminates the only case in which it went false. But I really + // don't like being forced to ask "Who in .text could have + // written there?!" And I wouldn't have been forced to ask if + // this line had already been here. + wxASSERT(ab_free < allocSize); + ab_prefix[ab_free] = lastcode; ab_tail[ab_free] = code; ab_free++; @@ -675,6 +690,11 @@ int wxGIFDecoder::ReadGIF() m_screenw = buf[0] + 256 * buf[1]; m_screenh = buf[2] + 256 * buf[3]; + if ((m_screenw == 0) || (m_screenh == 0)) + { + return wxGIF_INVFORMAT; + } + /* load global color map if available */ if ((buf[4] & 0x80) == 0x80) { @@ -701,7 +721,7 @@ int wxGIFDecoder::ReadGIF() bool done = false; - while(!done) + while (!done) { type = (unsigned char)m_f->GetC(); @@ -797,7 +817,7 @@ int wxGIFDecoder::ReadGIF() pimg->w = buf[4] + 256 * buf[5]; pimg->h = buf[6] + 256 * buf[7]; - if (pimg->w == 0 || pimg->h == 0) + if ((pimg->w == 0) || (pimg->w > m_screenw) || (pimg->h == 0) || (pimg->h > m_screenh)) { Destroy(); return wxGIF_INVFORMAT; @@ -843,6 +863,11 @@ int wxGIFDecoder::ReadGIF() /* get initial code size from first byte in raster data */ bits = (unsigned char)m_f->GetC(); + if (bits == 0) + { + Destroy(); + return wxGIF_INVFORMAT; + } /* decode image */ int result = dgif(pimg, interl, bits); @@ -859,7 +884,7 @@ int wxGIFDecoder::ReadGIF() } } - if (m_nimages == 0) + if (m_nimages <= 0) { Destroy(); return wxGIF_INVFORMAT;