Date: Mon, 04 Aug 2003 21:50:52 +0200

From: Holger Schemel Subject: [SDL] SDL_image PCX loader crashes (patch included) I've just discovered and fixed a problem with the current SDL_image 1.2.3 which can crash on every PCX file with an image width not being a multiple of 8 pixels if stored in bitplane format (with 4 or less bitplanes). In this case, the PCX loader happily writes beyond the allocated bitmap data buffer of the image surface in each line, which ends with a Segmentation Fault in the last line if you have bad luck and your allocated memory page ends near the last byte of the bitmap data. (In most cases you may have luck, which made this crash very difficult to track down in my case.) As this error is not fixed in the CVS yet, I've attached a patch to fix this bug (three lines in "IMG_pcx.c"). The fix prevents reading/writing the memory beyond the current line of the image being loaded. This was a particularly nasty error for me, because all my image files have a width which is a multiple of 8 or even 16/32, so the error never showed up, but some people creating custom artwork for my game Rocks'n'Diamonds created images less "perfect" ;-) and the game crashed on those image files only from time to time.
libsdl-org · Aug 6, 2003 · ad20478 · ad20478
1 parent 02d096a
commit ad20478
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/CHANGES b/CHANGES
@@ -1,4 +1,6 @@
 1.2.4:
+Holger Schemel - Mon, 04 Aug 2003 21:50:52 +0200
+ * Fixed crash loading certain PCX images
 Kyle Davenport - Sat, 19 Apr 2003 17:13:31 -0500
  * Added .la files to the development RPM, fixing RPM build on RedHat 8
 

diff --git a/IMG_pcx.c b/IMG_pcx.c
@@ -175,6 +175,9 @@ SDL_Surface *IMG_LoadPCX_RW(SDL_RWops *src)
 					Uint8 byte = *src++;
 					for(j = 7; j >= 0; j--) {
 						unsigned bit = (byte >> j) & 1;
+						/* skip padding bits */
+						if (i * 8 + j >= width)
+							continue;
 						row[x++] |= bit << plane;
 					}
 				}