IMG_gif.c
branchSDL-1.2
changeset 607 1a1189c2978f
parent 288 cbf4a9d168ff
child 678 776aa1fbe453
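--- a/IMG_gif.c	Tue Oct 16 10:50:15 2018 +0300
+++ b/IMG_gif.c	Tue Oct 16 20:02:02 2018 +0300
@@ -320,7 +320,7 @@
 	break;
     case 0xfe:			/* Comment Extension */
 	str = "Comment Extension";
-	while (GetDataBlock(src, (unsigned char *) buf) != 0)
+	while (GetDataBlock(src, (unsigned char *) buf) > 0)
 	    ;
 	return FALSE;
     case 0xf9:			/* Graphic Control Extension */
@@ -332,7 +332,7 @@
 	if ((buf[0] & 0x1) != 0)
 	    Gif89.transparent = buf[3];
 
-	while (GetDataBlock(src, (unsigned char *) buf) != 0)
+	while (GetDataBlock(src, (unsigned char *) buf) > 0)
 	    ;
 	return FALSE;
     default:
@@ -341,7 +341,7 @@
 	break;
     }
 
-    while (GetDataBlock(src, (unsigned char *) buf) != 0)
+    while (GetDataBlock(src, (unsigned char *) buf) > 0)
 	;
 
     return FALSE;
@@ -390,7 +390,7 @@
 	buf[0] = buf[last_byte - 2];
 	buf[1] = buf[last_byte - 1];
 
-	if ((count = GetDataBlock(src, &buf[2])) == 0)
+	if ((count = GetDataBlock(src, &buf[2])) <= 0)
 	    done = TRUE;
 
 	last_byte = 2 + count;
@@ -439,8 +439,9 @@
 	    table[0][i] = 0;
 	    table[1][i] = i;
 	}
+	table[1][0] = 0;
 	for (; i < (1 << MAX_LWZ_BITS); ++i)
-	    table[0][i] = table[1][0] = 0;
+	    table[0][i] = 0;
 
 	sp = stack;
 
@@ -493,12 +494,24 @@
 	    code = oldcode;
 	}
 	while (code >= clear_code) {
+	    /* Guard against buffer overruns */
+	    if (code < 0 || code >= (1 << MAX_LWZ_BITS)) {
+		RWSetMsg("invalid LWZ data");
+		return -3;
+	    }
 	    *sp++ = table[1][code];
-	    if (code == table[0][code])
+	    if (code == table[0][code]) {
 		RWSetMsg("circular table entry BIG ERROR");
+		return -3;
+	    }
 	    code = table[0][code];
 	}
 
+	/* Guard against buffer overruns */
+	if (code < 0 || code >= (1 << MAX_LWZ_BITS)) {
+	    RWSetMsg("invalid LWZ data");
+	    return -4;
+	}
 	*sp++ = firstcode = table[1][code];
 
 	if ((code = max_code) < (1 << MAX_LWZ_BITS)) {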
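Review bot: The write `*sp++ = table[1][code]` inside the `while (code >= clear_code)` loop of the last hunk is still not bounded by the size of `stack`: the new guard limits `code`, and the circular check only catches an entry that points to itself. If the input can make two or more table entries refer to each other (the code that fills `table[0]` is outside the hunk, so this is inferred), the loop would keep pushing until `sp` runs past the array; a check before the write such as `if (sp >= stack + sizeof(stack) / sizeof(stack[0])) { RWSetMsg("invalid LWZ data"); return -3; }` would stop that, assuming `stack` is an array in this scope. In the `@@ -390,7 +390,7 @@` hunk the error value from `GetDataBlock` is assigned to `count` before the `<= 0` test and then used in `last_byte = 2 + count;`; depending on the type of `count`, which is declared outside the hunk, the test either never sees a negative value or lets it shrink `last_byte` below 2. Reading the return value into a signed int first and setting `count` to 0 on failure would cover both cases. The enclosing functions start and end outside these hunks.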