iffview: ILBM body decompression fixed

Boundary check for destination buffer added to avoid the buffer overrun, also added handling for the -128 NOP
2016-02-18 20:34:20 -08:00 · 2016-02-18 20:34:20 -08:00 · f780a9f257
parent b4ed097fad
commit f780a9f257
1 changed files with 23 additions and 7 deletions
--- a/iffview/ilbm.c
+++ b/iffview/ilbm.c
@ -114,17 +114,33 @@ UBYTE *read_BODY(FILE *fp, int datasize, BitMapHeader *bmheader, int *data_bytes
  if (bmheader->compression == cmpByteRun1) {
    BYTE b0, b1;
    int i;
+
    /* decompress data */
    dst_buffer = malloc(dst_size);
    *data_bytes = dst_size;
+    // we have to check overrun in dst_buffer, too. This actually can happen !!
    while (src_i < datasize) {
-      b0 = buffer[src_i++];
-      if (b0 >= 0) {
-        for (i = 0; i < b0 + 1; i++) dst_buffer[dst_i++] = buffer[src_i++];
-      } else {
-        b1 = buffer[src_i++];
-        for (i = 0; i < -b0 + 1; i++) dst_buffer[dst_i++] = b1;
-      }
+        if (dst_i >= dst_size) break;
+        b0 = buffer[src_i++];
+        if (b0 >= 0) {
+            for (i = 0; i < b0 + 1; i++) {
+                if (dst_i >= dst_size) {
+                    puts("WARNING: buffer overrun (decompress: in direct copy)");
+                    break;
+                }
+                dst_buffer[dst_i++] = buffer[src_i++];
+            }
+        } else if (b0 != -128) {
+            b1 = buffer[src_i++];
+            for (i = 0; i < -b0 + 1; i++) {
+                if (dst_i >= dst_size) {
+                    printf("WARNING: buffer overrun (in decompress), b0=%d\n", (int) b0);
+                    break;
+                }
+                dst_buffer[dst_i++] = b1;
+            }
+        }
+        // -128 is a NOP
    }
    free(buffer);
    return dst_buffer;