Fixed crash in testpalette and potential crash in SDL_LoadBMP_RW()

libsdl-org · Dec 7, 2008 · 6e1928b · 6e1928b
1 parent f3fb5c0
commit 6e1928b
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
@@ -218,6 +218,20 @@ SDL_LoadBMP_RW(SDL_RWops * src, int freesrc)
         if (biClrUsed == 0) {
             biClrUsed = 1 << biBitCount;
         }
+        if (biClrUsed > palette->ncolors) {
+            palette->ncolors = biClrUsed;
+            palette->colors =
+                (SDL_Color *) SDL_realloc(palette->colors,
+                                          palette->ncolors *
+                                          sizeof(*palette->colors));
+            if (!palette->colors) {
+                SDL_OutOfMemory();
+                was_error = 1;
+                goto done;
+            }
+        } else if (biClrUsed < palette->ncolors) {
+            palette->ncolors = biClrUsed;
+        }
         if (biSize == 12) {
             for (i = 0; i < (int) biClrUsed; ++i) {
                 SDL_RWread(src, &palette->colors[i].b, 1, 1);

diff --git a/test/testpalette.c b/test/testpalette.c
@@ -189,6 +189,8 @@ main(int argc, char **argv)
     SDL_SetColorKey(boat[0], SDL_SRCCOLORKEY | SDL_RLEACCEL,
                     SDL_MapRGB(boat[0]->format, 0xff, 0x00, 0xff));
     boatcols = boat[0]->format->palette->ncolors;
+    if (boatcols >= 256)
+        sdlerr("too many colors in sail.bmp");
     boat[1] = hflip(boat[0]);
     SDL_SetColorKey(boat[1], SDL_SRCCOLORKEY | SDL_RLEACCEL,
                     SDL_MapRGB(boat[1]->format, 0xff, 0x00, 0xff));