diff options
| author | Peter D'Hoye <peter.dhoye@gmail.com> | 2007-04-18 21:13:08 +0000 |
|---|---|---|
| committer | Peter D'Hoye <peter.dhoye@gmail.com> | 2007-04-18 21:13:08 +0000 |
| commit | 0b11d983e7da48f762b51234bc6d65f7a7428465 (patch) | |
| tree | 2cf6ee52d10a7059a100205858ba8f97899c8b0e /apps/plugins | |
| parent | b44b660ac477d5c9f42ccd2b03f5fcc90cab3240 (diff) | |
| download | rockbox-0b11d983e7da48f762b51234bc6d65f7a7428465.tar.gz rockbox-0b11d983e7da48f762b51234bc6d65f7a7428465.zip | |
Rockpaint plugin: protect against loading bitmaps that are too big. Fixes FS #7040
git-svn-id: svn://svn.rockbox.org/rockbox/trunk@13204 a1c6a512-1295-4272-9138-f99709370657
Diffstat (limited to 'apps/plugins')
| -rw-r--r-- | apps/plugins/rockpaint.c | 35 |
1 files changed, 19 insertions, 16 deletions
diff --git a/apps/plugins/rockpaint.c b/apps/plugins/rockpaint.c index 68a3e5f595..a15d7b1141 100644 --- a/apps/plugins/rockpaint.c +++ b/apps/plugins/rockpaint.c | |||
| @@ -2903,25 +2903,28 @@ static int load_bitmap( char *file ) | |||
| 2903 | { | 2903 | { |
| 2904 | struct bitmap bm; | 2904 | struct bitmap bm; |
| 2905 | bool ret; | 2905 | bool ret; |
| 2906 | int l; | ||
| 2907 | |||
| 2906 | bm.data = (char*)save_buffer; | 2908 | bm.data = (char*)save_buffer; |
| 2907 | ret = rb->read_bmp_file( file, &bm, ROWS*COLS*sizeof( fb_data ), | 2909 | ret = rb->read_bmp_file( file, &bm, ROWS*COLS*sizeof( fb_data ), |
| 2908 | FORMAT_NATIVE ); | 2910 | FORMAT_NATIVE ); |
| 2909 | if( bm.width < COLS ) | 2911 | |
| 2912 | if((bm.width > COLS ) || ( bm.height > ROWS )) | ||
| 2913 | return -1; | ||
| 2914 | |||
| 2915 | for( l = bm.height-1; l > 0; l-- ) | ||
| 2910 | { | 2916 | { |
| 2911 | int l; | 2917 | rb->memmove( save_buffer+l*COLS, save_buffer+l*bm.width, |
| 2912 | for( l = bm.height-1; l > 0; l-- ) | 2918 | sizeof( fb_data )*bm.width ); |
| 2913 | { | ||
| 2914 | rb->memmove( save_buffer+l*COLS, save_buffer+l*bm.width, | ||
| 2915 | sizeof( fb_data )*bm.width ); | ||
| 2916 | } | ||
| 2917 | for( l = 0; l < bm.height; l++ ) | ||
| 2918 | { | ||
| 2919 | rb->memset( save_buffer+l*COLS+bm.width, rp_colors[ bgdrawcolor ], | ||
| 2920 | sizeof( fb_data )*(COLS-bm.width) ); | ||
| 2921 | } | ||
| 2922 | rb->memset( save_buffer+COLS*bm.height, rp_colors[ bgdrawcolor ], | ||
| 2923 | sizeof( fb_data )*COLS*(ROWS-bm.height) ); | ||
| 2924 | } | 2919 | } |
| 2920 | for( l = 0; l < bm.height; l++ ) | ||
| 2921 | { | ||
| 2922 | rb->memset( save_buffer+l*COLS+bm.width, rp_colors[ bgdrawcolor ], | ||
| 2923 | sizeof( fb_data )*(COLS-bm.width) ); | ||
| 2924 | } | ||
| 2925 | rb->memset( save_buffer+COLS*bm.height, rp_colors[ bgdrawcolor ], | ||
| 2926 | sizeof( fb_data )*COLS*(ROWS-bm.height) ); | ||
| 2927 | |||
| 2925 | return ret; | 2928 | return ret; |
| 2926 | } | 2929 | } |
| 2927 | 2930 | ||
| @@ -2953,7 +2956,7 @@ enum plugin_status plugin_start(struct plugin_api* api, void* parameter) | |||
| 2953 | { | 2956 | { |
| 2954 | if( load_bitmap( parameter ) <= 0 ) | 2957 | if( load_bitmap( parameter ) <= 0 ) |
| 2955 | { | 2958 | { |
| 2956 | rb->splash( 1*HZ, "Error"); | 2959 | rb->splash( 1*HZ, "File Open Error"); |
| 2957 | clear_drawing(); | 2960 | clear_drawing(); |
| 2958 | } | 2961 | } |
| 2959 | else | 2962 | else |