From 6e1928bfab92a743283170e5c7b96d2ecd0eac74 Mon Sep 17 00:00:00 2001
From: Sam Lantinga
Date: Sun, 7 Dec 2008 22:25:16 +0000
Subject: [PATCH] Fixed crash in testpalette and potential crash in SDL_LoadBMP_RW()
---
 src/video/SDL_bmp.c | 14 ++++++++++++++
 test/testpalette.c | 2 ++
 2 files changed, 16 insertions(+)
diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
index 2ddf8f85b..66c5018cb 100644
--- a/src/video/SDL_bmp.c
+++ b/src/video/SDL_bmp.c
@@ -218,6 +218,20 @@ SDL_LoadBMP_RW(SDL_RWops * src, int freesrc)
 if (biClrUsed == 0) {
 biClrUsed = 1 << biBitCount;
 }
+ if (biClrUsed > palette->ncolors) {
+ palette->ncolors = biClrUsed;
+ palette->colors =
+ (SDL_Color *) SDL_realloc(palette->colors,
+ palette->ncolors *
+ sizeof(*palette->colors));
+ if (!palette->colors) {
+ SDL_OutOfMemory();
+ was_error = 1;
+ goto done;
+ }
+ } else if (biClrUsed < palette->ncolors) {
+ palette->ncolors = biClrUsed;
+ }
 if (biSize == 12) {
 for (i = 0; i < (int) biClrUsed; ++i) {
 SDL_RWread(src, &palette->colors[i].b, 1, 1);
diff --git a/test/testpalette.c b/test/testpalette.c
index 8fd84be03..39040e46e 100644
--- a/test/testpalette.c
+++ b/test/testpalette.c
@@ -189,6 +189,8 @@ main(int argc, char **argv)
 SDL_SetColorKey(boat[0], SDL_SRCCOLORKEY | SDL_RLEACCEL,
 SDL_MapRGB(boat[0]->format, 0xff, 0x00, 0xff));
 boatcols = boat[0]->format->palette->ncolors;
+ if (boatcols >= 256)
+ sdlerr("too many colors in sail.bmp");
 boat[1] = hflip(boat[0]);
 SDL_SetColorKey(boat[1], SDL_SRCCOLORKEY | SDL_RLEACCEL,
 SDL_MapRGB(boat[1]->format, 0xff, 0x00, 0xff));
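Review bot: In the added growth branch of SDL_LoadBMP_RW, biClrUsed comes from the BMP header and is used as the realloc size with no upper limit, and it also bounds the read loops that follow, so the file decides how much is allocated and written. If it is a 32-bit field, as the `(int)` cast in the loop suggests, `palette->ncolors * sizeof(*palette->colors)` can wrap where size_t is 32 bits and leave the buffer shorter than the loop's range. The branch also stores the new count in palette->ncolors before the allocation succeeds and assigns SDL_realloc's result straight to palette->colors, so a failure leaks the old array and leaves a NULL colors pointer with a non-zero count. I would reject counts above what the bit depth can index (assuming biBitCount is already limited to palettized depths here, which the hunk does not show) and commit the pointer and count only after the realloc succeeds. The function starts and ends outside the hunk, so the cleanup at `done` is not visible.

```c
/* … unchanged: biClrUsed defaults to 1 << biBitCount when zero … */
if (biClrUsed > palette->ncolors) {
    SDL_Color *colors;

    /* biClrUsed is file-controlled: bound it before sizing the palette */
    if (biClrUsed > ((Uint32) 1 << biBitCount)) {
        SDL_SetError("BMP file has an invalid number of colors");
        was_error = 1;
        goto done;
    }
    colors = (SDL_Color *) SDL_realloc(palette->colors,
                                       biClrUsed * sizeof(*colors));
    if (!colors) {
        SDL_OutOfMemory();
        was_error = 1;
        goto done;
    }
    palette->colors = colors;
    palette->ncolors = biClrUsed;
}
/* … unchanged: else-if branch that lowers ncolors, palette read loops … */
```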
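Review bot: The new guard in main() compares boatcols with a bare `256` using `>=`, so a sail.bmp carrying a full 256-entry palette is rejected too, and nothing on the line says why. If the reason is that the test needs palette slots left over for its other colors, which the hunk does not show, a one-line comment above the check should say so, e.g. `/* boat colors must leave room in the 256-entry palette */`. The check also only helps if sdlerr() does not return; its definition is outside the hunk, so that is worth confirming. Bracing the body (`if (boatcols >= 256) { sdlerr("too many colors in sail.bmp"); }`) would keep a later second statement from silently falling outside the condition.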