From 99c0978faa94b0e2fabe5d06000a10c8d48e7a0c Mon Sep 17 00:00:00 2001
From: Dave Chapman <dave@dchapman.com>
Date: Mon, 24 Mar 2008 00:03:05 +0000
Subject: Add a sanity-check to ensure only in-range subimages are referenced
 in %xd tags.  Plus some tab policing.

git-svn-id: svn://svn.rockbox.org/rockbox/trunk@16774 a1c6a512-1295-4272-9138-f99709370657
---
 apps/gui/wps_parser.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'apps')

diff --git a/apps/gui/wps_parser.c b/apps/gui/wps_parser.c
index d5e29f3a4f..9327e89859 100644
--- a/apps/gui/wps_parser.c
+++ b/apps/gui/wps_parser.c
@@ -443,6 +443,10 @@ static int parse_image_display(const char *wps_bufptr,
 
     if ((subimage = get_image_id(wps_bufptr[1])) != -1)
     {
+        /* Sanity check */
+        if (subimage >= wps_data->img[n].num_subimages)
+            return WPS_ERROR_INVALID_PARAM;
+
         /* Store sub-image number to display in high bits */
         token->value.i = n | (subimage << 8);
         return 2; /* We have consumed 2 bytes */
@@ -1382,7 +1386,7 @@ static void load_wps_bitmaps(struct wps_data *wps_data, char *bmpdir)
                 *loaded = true;
 
                 /* Calculate and store height if this image has sub-images */
-		if (n < MAX_IMAGES)
+                if (n < MAX_IMAGES)
                     wps_data->img[n].subimage_height = wps_data->img[n].bm.height /
                                                        wps_data->img[n].num_subimages;
             }
-- 
cgit v1.2.3