From dc8debc104f50291a33fed4c4bf0abcf82cdf55f Mon Sep 17 00:00:00 2001
From: Sam Lantinga <slouken@libsdl.org>
Date: Sun, 2 Nov 2008 23:13:00 +0000
Subject: [PATCH] Fixed buffer overflow in BMP loading code, discovered by
 j00ru//vx

---
 CHANGES   |  2 ++
 IMG_bmp.c | 22 ++++++++++++++--------
 2 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/CHANGES b/CHANGES
index f6ee3d68..af873798 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,6 @@
 1.2.7:
+Sam Lantinga - Sun Nov  2 15:08:27 PST 2008
+ * Fixed buffer overflow in BMP loading code, discovered by j00ru//vx
 Sam Lantinga - Fri Dec 28 08:34:54 PST 2007
  * Fixed buffer overflow in GIF loading code, discovered by Michael Skladnikiewicz
 
diff --git a/IMG_bmp.c b/IMG_bmp.c
index b7bf9684..42ae8fb7 100644
--- a/IMG_bmp.c
+++ b/IMG_bmp.c
@@ -68,11 +68,15 @@ static int readRlePixels(SDL_Surface * surface, SDL_RWops * src, int isRle8)
 	*/
 	int pitch = surface->pitch;
 	int height = surface->h;
-	Uint8 * bits = (Uint8 *)surface->pixels + ((height-1) * pitch);
+	Uint8 *start = (Uint8 *)surface->pixels;
+	Uint8 *end = start + (height*pitch);
+	Uint8 *bits = end-pitch, *spot;
 	int ofs = 0;
 	Uint8 ch;
 	Uint8 needsPad;
 
+#define COPY_PIXEL(x)	spot = &bits[ofs++]; if(spot >= start && spot < end) *spot = (x)
+
 	for (;;) {
 		if ( !SDL_RWread(src, &ch, 1, 1) ) return 1;
 		/*
@@ -84,15 +88,15 @@ static int readRlePixels(SDL_Surface * surface, SDL_RWops * src, int isRle8)
 			if ( !SDL_RWread(src, &pixel, 1, 1) ) return 1;
 			if ( isRle8 ) {                 /* 256-color bitmap, compressed */
 				do {
-					bits[ofs++] = pixel;
+					COPY_PIXEL(pixel);
 				} while (--ch);
-			}else {                         /* 16-color bitmap, compressed */
+			} else {                         /* 16-color bitmap, compressed */
 				Uint8 pixel0 = pixel >> 4;
 				Uint8 pixel1 = pixel & 0x0F;
 				for (;;) {
-					bits[ofs++] = pixel0;     /* even count, high nibble */
+					COPY_PIXEL(pixel0);	/* even count, high nibble */
 					if (!--ch) break;
-					bits[ofs++] = pixel1;     /* odd count, low nibble */
+					COPY_PIXEL(pixel1);	/* odd count, low nibble */
 					if (!--ch) break;
 				}
 			}
@@ -120,16 +124,18 @@ static int readRlePixels(SDL_Surface * surface, SDL_RWops * src, int isRle8)
 				if (isRle8) {
 					needsPad = ( ch & 1 );
 					do {
-						if ( !SDL_RWread(src, bits + ofs++, 1, 1) ) return 1;
+						Uint8 pixel;
+						if ( !SDL_RWread(src, &pixel, 1, 1) ) return 1;
+						COPY_PIXEL(pixel);
 					} while (--ch);
 				} else {
 					needsPad = ( ((ch+1)>>1) & 1 ); /* (ch+1)>>1: bytes size */
 					for (;;) {
 						Uint8 pixel;
 						if ( !SDL_RWread(src, &pixel, 1, 1) ) return 1;
-						bits[ofs++] = pixel >> 4;
+						COPY_PIXEL(pixel >> 4);
 						if (!--ch) break;
-						bits[ofs++] = pixel & 0x0F;
+						COPY_PIXEL(pixel & 0x0F);
 						if (!--ch) break;
 					}
 				}