Date: Mon, 04 Aug 2003 21:50:52 +0200
author Sam Lantinga <slouken@libsdl.org>
Wed, 06 Aug 2003 20:45:36 +0000
changeset 91 26b6d4a09dfd
parent 90 a77224354608
child 92 907eda08da0a
Date: Mon, 04 Aug 2003 21:50:52 +0200
From: Holger Schemel
Subject: [SDL] SDL_image PCX loader crashes (patch included)

I've just discovered and fixed a problem with the current
SDL_image 1.2.3 which can crash on every PCX file with an
image width not being a multiple of 8 pixels if stored in
bitplane format (with 4 or less bitplanes).

In this case, the PCX loader happily writes beyond the
allocated bitmap data buffer of the image surface in each
line, which ends with a Segmentation Fault in the last
line if you have bad luck and your allocated memory page
ends near the last byte of the bitmap data. (In most cases
you may have luck, which made this crash very difficult to
track down in my case.)

As this error is not fixed in the CVS yet, I've attached a
patch to fix this bug (three lines in "IMG_pcx.c"). The fix
prevents reading/writing the memory beyond the current line
of the image being loaded.

This was a particularly nasty error for me, because all my
image files have a width which is a multiple of 8 or even
16/32, so the error never showed up, but some people creating
custom artwork for my game Rocks'n'Diamonds created images
less "perfect" ;-) and the game crashed on those image files
only from time to time.
CHANGES
IMG_pcx.c
     1.1 --- a/CHANGES	Wed Jul 23 05:16:16 2003 +0000
     1.2 +++ b/CHANGES	Wed Aug 06 20:45:36 2003 +0000
     1.3 @@ -1,4 +1,6 @@
     1.4  1.2.4:
     1.5 +Holger Schemel - Mon, 04 Aug 2003 21:50:52 +0200
     1.6 + * Fixed crash loading certain PCX images
     1.7  Kyle Davenport - Sat, 19 Apr 2003 17:13:31 -0500
     1.8   * Added .la files to the development RPM, fixing RPM build on RedHat 8
     1.9  
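Review bot: The entry "Fixed crash loading certain PCX images" undersells what the commit message describes, which is a write beyond the allocated bitmap buffer on each line of the image. Consider naming the condition (bitplane PCX with a width that is not a multiple of 8) and calling it an out-of-bounds write, so that packagers reading CHANGES can tell this is a memory-safety fix and not only a stability fix.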
     2.1 --- a/IMG_pcx.c	Wed Jul 23 05:16:16 2003 +0000
     2.2 +++ b/IMG_pcx.c	Wed Aug 06 20:45:36 2003 +0000
     2.3 @@ -175,6 +175,9 @@
     2.4  					Uint8 byte = *src++;
     2.5  					for(j = 7; j >= 0; j--) {
     2.6  						unsigned bit = (byte >> j) & 1;
     2.7 +						/* skip padding bits */
     2.8 +						if (i * 8 + j >= width)
     2.9 +							continue;
    2.10  						row[x++] |= bit << plane;
    2.11  					}
    2.12  				}
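Review bot: The padding test `if (i * 8 + j >= width)` treats j as the bit's pixel offset within the byte, but the loop runs j from 7 down to 0 while x counts up, so the offset of the current bit is 7 - j, not j. The number of bits stored per byte is still capped at the remaining width, so the write now stays inside the row, but in the final partial byte the bits that get stored are the low-order ones and the high-order bits, which the loop visits first, are skipped. Consider `if (i * 8 + (7 - j) >= width) break;`, or a direct `x >= width` test if x is the column index reset for each plane (not visible in this hunk), and add a test image whose width is not a multiple of 8 to confirm the right-edge pixels decode correctly.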