--- a/ImageReader.st Mon Jan 19 17:33:48 1998 +0100
+++ b/ImageReader.st Mon Jan 19 18:16:05 1998 +0100
@@ -450,7 +450,7 @@
};
static int
-__decodeLZW__(from, to, inCount)
+__decodeLZW__(from, to, inCount, fromSize, toSize)
unsigned char *from;
unsigned char *to;
{
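Review bot: The new parameters `fromSize` and `toSize` are added to the K&R parameter list without declarations, so like `inCount` they fall back to implicit `int`. Declaring them (`int inCount, fromSize, toSize;`) and adding a comment such as `/* fromSize/toSize: bytes available starting at from/to, not the size of the whole byte array */` would make the contract explicit. That distinction matters because the callers later in this diff pass a destination pointer already advanced by `offset - 1`. The same applies to the `__decodeGIF__` signature further down; the function body continues outside this hunk.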
@@ -468,8 +468,12 @@
int i;
int len;
int codeLen = 9;
+ unsigned char *fromEnd, *toEnd;
int ret = 1; /* return success */
+ fromEnd = from + fromSize;
+ toEnd = to + toSize;
+
scratchBuffer = (struct buffer *)malloc(sizeof(struct buffer));
if (! scratchBuffer) return 0;
@@ -541,6 +545,11 @@
nBits -= codeLen;
if (code == 257) break;
/* add to output */
+ if (to >= toEnd) {
+ fprintf(stderr, "ImageReader [warning]: LZW outBuffer overrun\n");
+ ret = 0;
+ break;
+ }
*to++ = code;
oldCode = code;
} else {
@@ -578,6 +587,11 @@
/* writeString(string[oldCode] + first(string[oldCode]) ) */
len = stringLen[oldCode];
+ if ((to+len) >= toEnd) {
+ fprintf(stderr, "ImageReader [warning]: LZW outBuffer overrun\n");
+ ret = 0;
+ goto out;
+ }
bcopy(strings[oldCode], to, len);
to += len;
*to++ = strings[oldCode][0];
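Review bot: The guard `(to+len) >= toEnd` computes a pointer that may lie beyond the destination before comparing it, which is undefined behaviour in C and can wrap if `len` comes from a corrupt table entry. Comparing lengths avoids that: `if (len < 0 || len >= toEnd - to) {`. The `>=` itself is right here, because `len + 1` bytes are written (the `bcopy` plus the trailing first byte). Only this write and the single-byte write are guarded in the visible hunks; if the decoder has another `bcopy` into `to` for codes already in the table, it presumably needs the same check, but that code is outside this diff.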
@@ -627,6 +641,10 @@
free(strings);
free(stringLen);
+ if (from > fromEnd) {
+ fprintf(stderr, "ImageReader [warning]: LZW inBuffer overrun\n");
+ ret = 0;
+ }
return ret;
}
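Review bot: The `from > fromEnd` test runs only after decoding has finished, so it reports an input over-read that has already happened rather than preventing it. Assuming the read loop is driven by `inCount` (it is outside the visible hunks), clamping on entry would bound the reads up front: `if (inCount > fromSize) inCount = fromSize;` next to the `fromEnd` assignment, keeping this post-check as a diagnostic. The identical check added at the end of `__decodeGIF__` has the same limitation.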
@@ -657,7 +675,7 @@
* GIF decompression
*/
static int
-__decodeGIF__(from, to, inCount, initialCodeLen)
+__decodeGIF__(from, to, inCount, initialCodeLen, fromSize, toSize)
unsigned char *from;
unsigned char *to;
{
@@ -669,13 +687,18 @@
unsigned maxCode, oldCode, fin, inCode, curCode;
register unsigned bits;
register int nBits, mask, shift;
+ int ret = 1;
int i;
int len;
int endCode, clearCode, freeCode;
int codeLen = initialCodeLen;
+ unsigned char *fromEnd, *toEnd;
static int ranges[] = {0, 1, 2, 4, 8, 16, 32, 64,
128, 256, 512, 1024, 2048 };
+ fromEnd = from + fromSize;
+ toEnd = to + toSize;
+
if ((unsigned)codeLen > 12) {
fprintf(stderr, "ImageReader [warning]: bad codelen in gif-decode\n");
return 0;
@@ -709,12 +732,14 @@
inCount--;
nBits += 8;
}
+ if (inCount <= 0)
+ break;
code = bits & mask;
bits >>= codeLen;
nBits -= codeLen;
if (code == endCode) break;
if (code == clearCode) {
- if (! inCount)
+ if (inCount <= 0)
break;
codeLen = initialCodeLen;
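Review bot: The added `if (inCount <= 0) break;` sits after the bit-refill lines (`inCount--; nBits += 8;`), so it cannot stop the refill from fetching bytes past the input. It also throws away a code that was completed by the last valid byte. The loop header is outside the hunk, but if it is the usual `while (nBits < codeLen)` refill, the test belongs inside it before each byte is fetched (`if (inCount <= 0) break;`), followed after the loop by `if (nBits < codeLen) break;`. The same placement is repeated in the next hunk, where the first code after a clear is read.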
@@ -728,11 +753,18 @@
inCount--;
nBits += 8;
}
+ if (inCount <= 0)
+ break;
code = bits & mask;
bits >>= codeLen;
nBits -= codeLen;
if (code == endCode) break;
/* add to output */
+ if (to >= toEnd) {
+ fprintf(stderr, "ImageReader [warning]: GIF outBuffer overrun\n");
+ ret = 0;
+ break;
+ }
*to++ = code;
oldCode = fin = curCode = code;
} else {
@@ -753,6 +785,11 @@
fin = curCode;
outCode[outCount++] = fin;
+ if ((to+outCount) >= toEnd) {
+ fprintf(stderr, "ImageReader [warning]: GIF outBuffer overrun\n");
+ ret = 0;
+ break;
+ }
for (i = outCount - 1; i >= 0; i--)
*to++ = outCode[i];
outCount = 0;
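Review bot: The check `(to+outCount) >= toEnd` is one byte too strict. The loop below writes exactly `outCount` bytes, so a string ending precisely at `toEnd` fits, yet it is reported as an overrun and `ret` is set to 0. An image whose pixel data exactly fill the destination would then fail on its last code. Comparing lengths fixes the boundary and avoids forming a pointer past the buffer: `if (outCount > toEnd - to) {`. The `>=` in the LZW decoder is correct only because that path writes `len + 1` bytes.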
@@ -776,7 +813,11 @@
free(suffix);
free(outCode);
- return 1;
+ if (from > fromEnd) {
+ fprintf(stderr, "ImageReader [warning]: GIF inBuffer overrun\n");
+ ret = 0;
+ }
+ return ret;
}
/*
@@ -1117,9 +1158,9 @@
&& __isByteArray(dstBytes)
&& __bothSmallInteger(offset, count)) {
if (__decodeCCITTgroup3__(_ByteArrayInstPtr(srcBytes)->ba_element,
- _ByteArrayInstPtr(dstBytes)->ba_element
- + _intVal(offset) - 1,
- _intVal(count))) {
+ _ByteArrayInstPtr(dstBytes)->ba_element
+ + _intVal(offset) - 1,
+ _intVal(count))) {
RETURN ( self );
}
}
@@ -1137,11 +1178,14 @@
&& __isByteArray(dstBytes)
&& __bothSmallInteger(codeLen, offset)
&& __isSmallInteger(count)) {
- if (__decodeGIF__(_ByteArrayInstPtr(srcBytes)->ba_element,
- _ByteArrayInstPtr(dstBytes)->ba_element
- + _intVal(offset) - 1,
- _intVal(count),
- _intVal(codeLen))) {
+ if (__decodeGIF__(__ByteArrayInstPtr(srcBytes)->ba_element,
+ __ByteArrayInstPtr(dstBytes)->ba_element
+ +__intVal(offset) - 1,
+ __intVal(count),
+ __intVal(codeLen),
+ __byteArraySize(srcBytes),
+ __byteArraySize(dstBytes)
+ )) {
RETURN ( self );
}
}
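Review bot: `toSize` is passed as `__byteArraySize(dstBytes)` although the `to` pointer has already been advanced by `__intVal(offset) - 1`. In the decoder, `toEnd = to + toSize` therefore lands `offset - 1` bytes beyond the array, and the new overrun checks still allow writes into that gap. Pass the remaining size, `__byteArraySize(dstBytes) - (__intVal(offset) - 1)`, and reject out-of-range offsets first by adding `__intVal(offset) >= 1 && __intVal(offset) <= __byteArraySize(dstBytes)` to the guard. `count` is likewise not compared with `__byteArraySize(srcBytes)`. The `__decodeLZW__` call in the next hunk needs the same change, and the `__decodeCCITTgroup3__` call above still receives no sizes at all.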
@@ -1158,10 +1202,13 @@
if (__isByteArray(srcBytes)
&& __isByteArray(dstBytes)
&& __bothSmallInteger(offset, count)) {
- if (__decodeLZW__(_ByteArrayInstPtr(srcBytes)->ba_element,
- _ByteArrayInstPtr(dstBytes)->ba_element
- + _intVal(offset) - 1,
- _intVal(count))) {
+ if (__decodeLZW__(__ByteArrayInstPtr(srcBytes)->ba_element,
+ __ByteArrayInstPtr(dstBytes)->ba_element
+ + __intVal(offset) - 1,
+ __intVal(count),
+ __byteArraySize(srcBytes),
+ __byteArraySize(dstBytes)
+ )) {
RETURN ( self );
}
}
@@ -1889,5 +1936,5 @@
!ImageReader class methodsFor:'documentation'!
version
- ^ '$Header: /cvs/stx/stx/libview/ImageReader.st,v 1.57 1998-01-16 15:09:34 cg Exp $'
+ ^ '$Header: /cvs/stx/stx/libview/ImageReader.st,v 1.58 1998-01-19 17:16:05 cg Exp $'
! !