diff options
author | Peter D'Hoye <peter.dhoye@gmail.com> | 2007-04-18 21:13:08 +0000 |
---|---|---|
committer | Peter D'Hoye <peter.dhoye@gmail.com> | 2007-04-18 21:13:08 +0000 |
commit | 0b11d983e7da48f762b51234bc6d65f7a7428465 (patch) | |
tree | 2cf6ee52d10a7059a100205858ba8f97899c8b0e /apps | |
parent | b44b660ac477d5c9f42ccd2b03f5fcc90cab3240 (diff) | |
download | rockbox-0b11d983e7da48f762b51234bc6d65f7a7428465.tar.gz rockbox-0b11d983e7da48f762b51234bc6d65f7a7428465.zip |
Rockpaint plugin: protect against loading bitmaps that are too big. Fixes FS #7040
git-svn-id: svn://svn.rockbox.org/rockbox/trunk@13204 a1c6a512-1295-4272-9138-f99709370657
Diffstat (limited to 'apps')
-rw-r--r-- | apps/plugins/rockpaint.c | 35 |
1 files changed, 19 insertions, 16 deletions
diff --git a/apps/plugins/rockpaint.c b/apps/plugins/rockpaint.c index 68a3e5f595..a15d7b1141 100644 --- a/apps/plugins/rockpaint.c +++ b/apps/plugins/rockpaint.c | |||
@@ -2903,25 +2903,28 @@ static int load_bitmap( char *file ) | |||
2903 | { | 2903 | { |
2904 | struct bitmap bm; | 2904 | struct bitmap bm; |
2905 | bool ret; | 2905 | bool ret; |
2906 | int l; | ||
2907 | |||
2906 | bm.data = (char*)save_buffer; | 2908 | bm.data = (char*)save_buffer; |
2907 | ret = rb->read_bmp_file( file, &bm, ROWS*COLS*sizeof( fb_data ), | 2909 | ret = rb->read_bmp_file( file, &bm, ROWS*COLS*sizeof( fb_data ), |
2908 | FORMAT_NATIVE ); | 2910 | FORMAT_NATIVE ); |
2909 | if( bm.width < COLS ) | 2911 | |
2912 | if((bm.width > COLS ) || ( bm.height > ROWS )) | ||
2913 | return -1; | ||
2914 | |||
2915 | for( l = bm.height-1; l > 0; l-- ) | ||
2910 | { | 2916 | { |
2911 | int l; | 2917 | rb->memmove( save_buffer+l*COLS, save_buffer+l*bm.width, |
2912 | for( l = bm.height-1; l > 0; l-- ) | 2918 | sizeof( fb_data )*bm.width ); |
2913 | { | ||
2914 | rb->memmove( save_buffer+l*COLS, save_buffer+l*bm.width, | ||
2915 | sizeof( fb_data )*bm.width ); | ||
2916 | } | ||
2917 | for( l = 0; l < bm.height; l++ ) | ||
2918 | { | ||
2919 | rb->memset( save_buffer+l*COLS+bm.width, rp_colors[ bgdrawcolor ], | ||
2920 | sizeof( fb_data )*(COLS-bm.width) ); | ||
2921 | } | ||
2922 | rb->memset( save_buffer+COLS*bm.height, rp_colors[ bgdrawcolor ], | ||
2923 | sizeof( fb_data )*COLS*(ROWS-bm.height) ); | ||
2924 | } | 2919 | } |
2920 | for( l = 0; l < bm.height; l++ ) | ||
2921 | { | ||
2922 | rb->memset( save_buffer+l*COLS+bm.width, rp_colors[ bgdrawcolor ], | ||
2923 | sizeof( fb_data )*(COLS-bm.width) ); | ||
2924 | } | ||
2925 | rb->memset( save_buffer+COLS*bm.height, rp_colors[ bgdrawcolor ], | ||
2926 | sizeof( fb_data )*COLS*(ROWS-bm.height) ); | ||
2927 | |||
2925 | return ret; | 2928 | return ret; |
2926 | } | 2929 | } |
2927 | 2930 | ||
@@ -2953,7 +2956,7 @@ enum plugin_status plugin_start(struct plugin_api* api, void* parameter) | |||
2953 | { | 2956 | { |
2954 | if( load_bitmap( parameter ) <= 0 ) | 2957 | if( load_bitmap( parameter ) <= 0 ) |
2955 | { | 2958 | { |
2956 | rb->splash( 1*HZ, "Error"); | 2959 | rb->splash( 1*HZ, "File Open Error"); |
2957 | clear_drawing(); | 2960 | clear_drawing(); |
2958 | } | 2961 | } |
2959 | else | 2962 | else |