diff --git a/DesktopEditor/common/File.cpp b/DesktopEditor/common/File.cpp index e0518f13da..eeebe8b305 100644 --- a/DesktopEditor/common/File.cpp +++ b/DesktopEditor/common/File.cpp 
@@ -159,60 +159,90 @@ namespace NSFile else if (0x00 == (byteMain & 0x20)) { // 2 byte - int val = (int)(((byteMain & 0x1F) << 6) | - (pBuffer[lIndex + 1] & 0x3F)); + int val = 0; + if ((lIndex + 1) < lCount) + { + val = (int)(((byteMain & 0x1F) << 6) | + (pBuffer[lIndex + 1] & 0x3F)); + } + pUnicodeString[lIndexUnicode++] = (WCHAR)(val); lIndex += 2; } else if (0x00 == (byteMain & 0x10)) { // 3 byte - int val = (int)(((byteMain & 0x0F) << 12) | - ((pBuffer[lIndex + 1] & 0x3F) << 6) | - (pBuffer[lIndex + 2] & 0x3F)); + int val = 0; + if ((lIndex + 2) < lCount) + { + val = (int)(((byteMain & 0x0F) << 12) | + ((pBuffer[lIndex + 1] & 0x3F) << 6) | + (pBuffer[lIndex + 2] & 0x3F)); + } + pUnicodeString[lIndexUnicode++] = (WCHAR)(val); lIndex += 3; } else if (0x00 == (byteMain & 0x0F)) { // 4 byte - int val = (int)(((byteMain & 0x07) << 18) | - ((pBuffer[lIndex + 1] & 0x3F) << 12) | - ((pBuffer[lIndex + 2] & 0x3F) << 6) | - (pBuffer[lIndex + 3] & 0x3F)); + int val = 0; + if ((lIndex + 3) < lCount) + { + val = (int)(((byteMain & 0x07) << 18) | + ((pBuffer[lIndex + 1] & 0x3F) << 12) | + ((pBuffer[lIndex + 2] & 0x3F) << 6) | + (pBuffer[lIndex + 3] & 0x3F)); + } + pUnicodeString[lIndexUnicode++] = (WCHAR)(val); lIndex += 4; } else if (0x00 == (byteMain & 0x08)) { // 4 byte - int val = (int)(((byteMain & 0x07) << 18) | - ((pBuffer[lIndex + 1] & 0x3F) << 12) | - ((pBuffer[lIndex + 2] & 0x3F) << 6) | - (pBuffer[lIndex + 3] & 0x3F)); + int val = 0; + if ((lIndex + 3) < lCount) + { + val = (int)(((byteMain & 0x07) << 18) | + ((pBuffer[lIndex + 1] & 0x3F) << 12) | + ((pBuffer[lIndex + 2] & 0x3F) << 6) | + (pBuffer[lIndex + 3] & 0x3F)); + } + pUnicodeString[lIndexUnicode++] = (WCHAR)(val); lIndex += 4; } else if (0x00 == (byteMain & 0x04)) { // 5 byte - int val = (int)(((byteMain & 0x03) << 24) | - ((pBuffer[lIndex + 1] & 0x3F) << 18) | - ((pBuffer[lIndex + 2] & 0x3F) << 12) | - ((pBuffer[lIndex + 3] & 0x3F) << 6) | - (pBuffer[lIndex + 4] & 0x3F)); + int val = 0; + if ((lIndex + 4) 
< lCount) + { + val = (int)(((byteMain & 0x03) << 24) | + ((pBuffer[lIndex + 1] & 0x3F) << 18) | + ((pBuffer[lIndex + 2] & 0x3F) << 12) | + ((pBuffer[lIndex + 3] & 0x3F) << 6) | + (pBuffer[lIndex + 4] & 0x3F)); + } + pUnicodeString[lIndexUnicode++] = (WCHAR)(val); lIndex += 5; } else { // 6 byte - int val = (int)(((byteMain & 0x01) << 30) | - ((pBuffer[lIndex + 1] & 0x3F) << 24) | - ((pBuffer[lIndex + 2] & 0x3F) << 18) | - ((pBuffer[lIndex + 3] & 0x3F) << 12) | - ((pBuffer[lIndex + 4] & 0x3F) << 6) | - (pBuffer[lIndex + 5] & 0x3F)); + int val = 0; + if ((lIndex + 5) < lCount) + { + val = (int)(((byteMain & 0x01) << 30) | + ((pBuffer[lIndex + 1] & 0x3F) << 24) | + ((pBuffer[lIndex + 2] & 0x3F) << 18) | + ((pBuffer[lIndex + 3] & 0x3F) << 12) | + ((pBuffer[lIndex + 4] & 0x3F) << 6) | + (pBuffer[lIndex + 5] & 0x3F)); + } + pUnicodeString[lIndexUnicode++] = (WCHAR)(val); lIndex += 5; } @@ -242,17 +272,26 @@ namespace NSFile else if (0x00 == (byteMain & 0x20)) { // 2 byte - int val = (int)(((byteMain & 0x1F) << 6) | - (pBuffer[lIndex + 1] & 0x3F)); + int val = 0; + if ((lIndex + 1) < lCount) + { + val = (int)(((byteMain & 0x1F) << 6) | + (pBuffer[lIndex + 1] & 0x3F)); + } + *pUnicodeString++ = (WCHAR)(val); lIndex += 2; } else if (0x00 == (byteMain & 0x10)) { // 3 byte - int val = (int)(((byteMain & 0x0F) << 12) | - ((pBuffer[lIndex + 1] & 0x3F) << 6) | - (pBuffer[lIndex + 2] & 0x3F)); + int val = 0; + if ((lIndex + 2) < lCount) + { + val = (int)(((byteMain & 0x0F) << 12) | + ((pBuffer[lIndex + 1] & 0x3F) << 6) | + (pBuffer[lIndex + 2] & 0x3F)); + } WriteUtf16_WCHAR(val, pUnicodeString); lIndex += 3; 
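Review bot: In the `// 6 byte` branch the cursor still advances with `lIndex += 5` after a six-byte sequence, so the last continuation byte is decoded again as a lead byte; it should be `lIndex += 6;` (the same line recurs in this file's last hunk, @@ -294). The new guards, here and in the @@ -242 to @@ -294 hunks, leave `val = 0` for a truncated sequence, which writes an embedded NUL that later consumers may treat as a terminator; `val = 0xFFFD;` would mark the damage without shortening the string. Continuation bytes are still not checked for the `10xxxxxx` pattern, so malformed input decodes to arbitrary code points. The enclosing functions start and end outside the hunks.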
@@ -260,10 +299,14 @@ namespace NSFile else if (0x00 == (byteMain & 0x0F)) { // 4 byte - int val = (int)(((byteMain & 0x07) << 18) | - ((pBuffer[lIndex + 1] & 0x3F) << 12) | - ((pBuffer[lIndex + 2] & 0x3F) << 6) | - (pBuffer[lIndex + 3] & 0x3F)); + int val = 0; + if ((lIndex + 3) < lCount) + { + val = (int)(((byteMain & 0x07) << 18) | + ((pBuffer[lIndex + 1] & 0x3F) << 12) | + ((pBuffer[lIndex + 2] & 0x3F) << 6) | + (pBuffer[lIndex + 3] & 0x3F)); + } WriteUtf16_WCHAR(val, pUnicodeString); lIndex += 4; @@ -271,10 +314,14 @@ namespace NSFile else if (0x00 == (byteMain & 0x08)) { // 4 byte - int val = (int)(((byteMain & 0x07) << 18) | - ((pBuffer[lIndex + 1] & 0x3F) << 12) | - ((pBuffer[lIndex + 2] & 0x3F) << 6) | - (pBuffer[lIndex + 3] & 0x3F)); + int val = 0; + if ((lIndex + 3) < lCount) + { + val = (int)(((byteMain & 0x07) << 18) | + ((pBuffer[lIndex + 1] & 0x3F) << 12) | + ((pBuffer[lIndex + 2] & 0x3F) << 6) | + (pBuffer[lIndex + 3] & 0x3F)); + } WriteUtf16_WCHAR(val, pUnicodeString); lIndex += 4; @@ -282,11 +329,15 @@ namespace NSFile else if (0x00 == (byteMain & 0x04)) { // 5 byte - int val = (int)(((byteMain & 0x03) << 24) | - ((pBuffer[lIndex + 1] & 0x3F) << 18) | - ((pBuffer[lIndex + 2] & 0x3F) << 12) | - ((pBuffer[lIndex + 3] & 0x3F) << 6) | - (pBuffer[lIndex + 4] & 0x3F)); + int val = 0; + if ((lIndex + 4) < lCount) + { + val = (int)(((byteMain & 0x03) << 24) | + ((pBuffer[lIndex + 1] & 0x3F) << 18) | + ((pBuffer[lIndex + 2] & 0x3F) << 12) | + ((pBuffer[lIndex + 3] & 0x3F) << 6) | + (pBuffer[lIndex + 4] & 0x3F)); + } WriteUtf16_WCHAR(val, pUnicodeString); lIndex += 5; 
@@ -294,12 +345,16 @@ namespace NSFile else { // 6 byte - int val = (int)(((byteMain & 0x01) << 30) | - ((pBuffer[lIndex + 1] & 0x3F) << 24) | - ((pBuffer[lIndex + 2] & 0x3F) << 18) | - ((pBuffer[lIndex + 3] & 0x3F) << 12) | - ((pBuffer[lIndex + 4] & 0x3F) << 6) | - (pBuffer[lIndex + 5] & 0x3F)); + int val = 0; + if ((lIndex + 5) < lCount) + { + val = (int)(((byteMain & 0x01) << 30) | + ((pBuffer[lIndex + 1] & 0x3F) << 24) | + ((pBuffer[lIndex + 2] & 0x3F) << 18) | + ((pBuffer[lIndex + 3] & 0x3F) << 12) | + ((pBuffer[lIndex + 4] & 0x3F) << 6) | + (pBuffer[lIndex + 5] & 0x3F)); + } WriteUtf16_WCHAR(val, pUnicodeString); lIndex += 5; diff --git a/DesktopEditor/cximage/CxImage/xfile.h b/DesktopEditor/cximage/CxImage/xfile.h index 78482cce45..1e84f1c156 100644 --- a/DesktopEditor/cximage/CxImage/xfile.h +++ b/DesktopEditor/cximage/CxImage/xfile.h @@ -49,11 +49,11 @@ class DLL_EXP CxFile { public: - CxFile(void) { }; - virtual ~CxFile() { }; + CxFile(void) { } + virtual ~CxFile() { } virtual bool Close() = 0; - virtual size_t Read(void *buffer, size_t size, size_t count) = 0; + virtual size_t Read(void *buffer, size_t size, size_t count, void* limit_start = NULL, void* limit_end = NULL) = 0; virtual size_t Write(const void *buffer, size_t size, size_t count) = 0; virtual bool Seek(int32_t offset, int32_t origin) = 0; virtual int32_t Tell() = 0; @@ -72,4 +72,27 @@ public: virtual int32_t Scanf(const char *format, void* output) = 0; }; +static void clamp_buffer(void*& buffer, size_t& size, void* limit_start, void* limit_end) +{ + if (NULL == limit_start || NULL == limit_end) + return; + + uint8_t* _buffer = (uint8_t*)buffer; + uint8_t* _limit_start = (uint8_t*)limit_start; + uint8_t* _limit_end = (uint8_t*)limit_end; + + if (_buffer > _limit_end) + { + buffer = limit_end; + size = 0; + return; + } + + if (_buffer < _limit_start) + _buffer = _limit_start; + + if ((_buffer + size) > _limit_end) + size = (_limit_end - _buffer); +} + #endif //__xfile_h 
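Review bot: In `clamp_buffer` the `_buffer < _limit_start` case updates only the local `_buffer`, never the `buffer` reference, so the read still starts below the limit while `size` is computed as if the pointer had been moved. The test `(_buffer + size) > _limit_end` can also wrap for a very large `size`; comparing `size` with the room that is left avoids the pointer arithmetic. Only `size` is clamped, yet the `Read` in xiofile.h passes both `size` and `count` to `fread`, so a call with `count > 1` is not bounded. The version below refuses an out-of-range destination instead of relocating it; a `static` function defined in a header is also duplicated in every translation unit, so `static inline` would be tidier.

```cpp
static void clamp_buffer(void*& buffer, size_t& size, void* limit_start, void* limit_end)
{
	// … unchanged: NULL-limit early return and the three uint8_t* casts …

	if (_buffer < _limit_start || _buffer >= _limit_end)
	{
		// destination lies outside the permitted region: read nothing
		size = 0;
		return;
	}

	const size_t room = (size_t)(_limit_end - _buffer);
	if (size > room)
		size = room;
}
```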
diff --git a/DesktopEditor/cximage/CxImage/ximabmp.cpp b/DesktopEditor/cximage/CxImage/ximabmp.cpp index d03d97d78e..cd8b2743e7 100644 --- a/DesktopEditor/cximage/CxImage/ximabmp.cpp +++ b/DesktopEditor/cximage/CxImage/ximabmp.cpp @@ -133,7 +133,7 @@ bool CxImageBMP::Decode(CxFile * hFile) if (bIsOldBmp){ // convert a old color table (3 byte entries) to a new // color table (4 byte entries) - hFile->Read((void*)pRgb,DibNumColors(&bmpHeader) * sizeof(RGBTRIPLE),1); + hFile->Read((void*)pRgb,DibNumColors(&bmpHeader) * sizeof(RGBTRIPLE),1,GetDIB(),GetDIBLimit()); for (int32_t i=DibNumColors(&head)-1; i>=0; i--){ pRgb[i].rgbRed = ((RGBTRIPLE *)pRgb)[i].rgbtRed; pRgb[i].rgbBlue = ((RGBTRIPLE *)pRgb)[i].rgbtBlue; @@ -141,7 +141,7 @@ bool CxImageBMP::Decode(CxFile * hFile) pRgb[i].rgbReserved = (uint8_t)0; } } else { - hFile->Read((void*)pRgb,DibNumColors(&bmpHeader) * sizeof(RGBQUAD),1); + hFile->Read((void*)pRgb,DibNumColors(&bmpHeader) * sizeof(RGBQUAD),1,GetDIB(),GetDIBLimit()); //force rgbReserved=0, to avoid problems with some WinXp bitmaps for (uint32_t i=0; iRead(buff32, imagesize,1); // read in the pixels + hFile->Read(buff32, imagesize,1,GetDIB(),GetDIBLimit()); // read in the pixels #if CXIMAGE_SUPPORT_ALPHA if (dwCompression == BI_RGB){ @@ -195,7 +195,7 @@ bool CxImageBMP::Decode(CxFile * hFile) case 24 : if (bf.bfOffBits != 0L) hFile->Seek(off + bf.bfOffBits,SEEK_SET); if (dwCompression == BI_RGB){ - hFile->Read(info.pImage, head.biSizeImage,1); // read in the pixels + hFile->Read(info.pImage, head.biSizeImage,1,GetDIB(),GetDIBLimit()); // read in the pixels } else cx_throw("unknown compression"); break; case 16 : 
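Review bot: The `buff32` read is now clamped to `GetDIB()`/`GetDIBLimit()`, but `buff32` does not appear to point into the DIB (its allocation is outside the hunk, and this part of the page is garbled), so the clamp would bound it by an unrelated region or cut it to zero depending on where the buffer sits. That call should pass the bounds of `buff32` itself, for example `hFile->Read(buff32, imagesize, 1, buff32, buff32 + imagesize);`. More generally, the clamped reads in Decode, here and in the hunks at @@ -195, @@ -210, @@ -229 and @@ -355, are shortened silently and their results are discarded, so decoding continues on a partly filled buffer. Rejecting the file with `cx_throw` when the requested size exceeds the space left would make the truncation explicit.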
@@ -210,7 +210,7 @@ bool CxImageBMP::Decode(CxFile * hFile) // bf.bfOffBits required after the bitfield mask if (bf.bfOffBits != 0L) hFile->Seek(off + bf.bfOffBits,SEEK_SET); // read in the pixels - hFile->Read(info.pImage, head.biHeight*((head.biWidth+1)/2)*4,1); + hFile->Read(info.pImage, head.biHeight*((head.biWidth+1)/2)*4,1,GetDIB(),GetDIBLimit()); // transform into RGB Bitfield2RGB(info.pImage,bfmask[0],bfmask[1],bfmask[2],16); break; @@ -229,7 +229,7 @@ bool CxImageBMP::Decode(CxFile * hFile) } switch (dwCompression) { case BI_RGB : - hFile->Read(info.pImage, head.biSizeImage,1); // read in the pixels + hFile->Read(info.pImage, head.biSizeImage,1,GetDIB(),GetDIBLimit()); // read in the pixels break; case BI_RLE4 : { @@ -355,7 +355,7 @@ bool CxImageBMP::Decode(CxFile * hFile) break; } default : - hFile->Read((void *)(iter.GetRow(scanline) + bits), sizeof(uint8_t) * status_byte, 1); + hFile->Read((void *)(iter.GetRow(scanline) + bits), sizeof(uint8_t) * status_byte, 1,GetDIB(),GetDIBLimit()); // align run length to even number of bytes if ((status_byte & 1) == 1) hFile->Read(&second_byte, sizeof(uint8_t), 1); diff --git a/DesktopEditor/cximage/CxImage/ximage.cpp b/DesktopEditor/cximage/CxImage/ximage.cpp index 1e77cabff9..6d2315d51f 100644 --- a/DesktopEditor/cximage/CxImage/ximage.cpp +++ b/DesktopEditor/cximage/CxImage/ximage.cpp @@ -21,7 +21,7 @@ void CxImage::Startup(uint32_t imagetype) { //init pointers - pDib = pSelection = pAlpha = NULL; + pDib = pDibLimit = pSelection = pAlpha = NULL; ppLayers = ppFrames = NULL; //init structures memset(&head,0,sizeof(BITMAPINFOHEADER)); @@ -232,6 +232,7 @@ void* CxImage::Create(uint32_t dwWidth, uint32_t dwHeight, uint32_t wBpp, uint32 strcpy(info.szLastError,"CxImage::Create can't allocate memory"); return NULL; } + pDibLimit = (void*)((uint8_t*)pDib + GetSize()); //clear the palette RGBQUAD* pal=GetPalette(); 
@@ -278,9 +279,12 @@ uint8_t* CxImage::GetBits(uint32_t row) /** * \return the size in bytes of the internal pDib object */ -int32_t CxImage::GetSize() +uint32_t CxImage::GetSize() { - return head.biSize + head.biSizeImage + GetPaletteSize(); + uint64_t size64 = head.biSize + head.biSizeImage + GetPaletteSize(); + if (size64 > 0xFFFFFFFF) + return 0xFFFFFFFF; + return (uint32_t)size64; } //////////////////////////////////////////////////////////////////////////////// /** @@ -324,13 +328,14 @@ bool CxImage::Transfer(CxImage &from, bool bTransferFrames /*=true*/) memcpy(&info,&from.info,sizeof(CXIMAGEINFO)); pDib = from.pDib; + pDib = from.pDibLimit; pSelection = from.pSelection; pAlpha = from.pAlpha; ppLayers = from.ppLayers; memset(&from.head,0,sizeof(BITMAPINFOHEADER)); memset(&from.info,0,sizeof(CXIMAGEINFO)); - from.pDib = from.pSelection = from.pAlpha = NULL; + from.pDib = from.pDibLimit = from.pSelection = from.pAlpha = NULL; from.ppLayers = NULL; if (bTransferFrames){ @@ -352,6 +357,7 @@ void CxImage::Ghost(const CxImage *from) memcpy(&head,&from->head,sizeof(BITMAPINFOHEADER)); memcpy(&info,&from->info,sizeof(CXIMAGEINFO)); pDib = from->pDib; + pDibLimit = from->pDibLimit; pSelection = from->pSelection; pAlpha = from->pAlpha; ppLayers = from->ppLayers; diff --git a/DesktopEditor/cximage/CxImage/ximage.h b/DesktopEditor/cximage/CxImage/ximage.h index 61f8f4aa53..599ecf1af9 100644 --- a/DesktopEditor/cximage/CxImage/ximage.h +++ b/DesktopEditor/cximage/CxImage/ximage.h @@ -289,10 +289,11 @@ public: //@} /** \addtogroup Attributes */ //@{ - int32_t GetSize(); + uint32_t GetSize(); uint8_t* GetBits(uint32_t row = 0); uint8_t GetColorType(); void* GetDIB() const; + void* GetDIBLimit() const; uint32_t GetHeight() const; uint32_t GetWidth() const; uint32_t GetEffWidth() const; 
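Review bot: In `GetSize` the sum `head.biSize + head.biSizeImage + GetPaletteSize()` is evaluated before it is stored in `size64`, so if the operands are 32-bit (as the BITMAPINFOHEADER fields normally are; the return type of GetPaletteSize is not shown) it wraps first and the `> 0xFFFFFFFF` test can never fire. Widen the first operand: `uint64_t size64 = (uint64_t)head.biSize + head.biSizeImage + GetPaletteSize();`. Saturating to `0xFFFFFFFF` also deserves a comment, because `Create` now derives `pDibLimit` from this value and a saturated size would no longer describe the real allocation.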
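Review bot: In `Transfer` the added line `pDib = from.pDibLimit;` overwrites the pointer assigned on the line before it, leaving `pDib` pointing at the end of the source buffer and this object's `pDibLimit` unchanged. It should read `pDibLimit = from.pDibLimit;`, matching what the `Ghost` hunk does. As written, any later access through `pDib` starts past the allocation, and the limit checks added elsewhere in this commit compare against a stale or NULL limit.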
@@ -796,6 +797,8 @@ protected: void bihtoh(BITMAPINFOHEADER* bih); void* pDib; //contains the header, the palette, the pixels + void* pDibLimit; + BITMAPINFOHEADER head; //standard header CXIMAGEINFO info; //extended information uint8_t* pSelection; //selected region diff --git a/DesktopEditor/cximage/CxImage/ximaico.cpp b/DesktopEditor/cximage/CxImage/ximaico.cpp index 4fed96cdbc..c9f653a66f 100644 --- a/DesktopEditor/cximage/CxImage/ximaico.cpp +++ b/DesktopEditor/cximage/CxImage/ximaico.cpp @@ -95,9 +95,15 @@ bool CxImageICO::Decode(CxFile *hFile) // read the palette RGBQUAD pal[256]; if (bih.biClrUsed) - hFile->Read(pal,bih.biClrUsed*sizeof(RGBQUAD), 1); + { + DWORD _count = bih.biClrUsed; if (_count > 256) _count = 256; + hFile->Read(pal,_count*sizeof(RGBQUAD), 1); + } else - hFile->Read(pal,head.biClrUsed*sizeof(RGBQUAD), 1); + { + DWORD _count = head.biClrUsed; if (_count > 256) _count = 256; + hFile->Read(pal,_count*sizeof(RGBQUAD), 1); + } SetPalette(pal,head.biClrUsed); //palette assign diff --git a/DesktopEditor/cximage/CxImage/ximainfo.cpp b/DesktopEditor/cximage/CxImage/ximainfo.cpp index e3a278c0c0..9ebd904e89 100644 --- a/DesktopEditor/cximage/CxImage/ximainfo.cpp +++ b/DesktopEditor/cximage/CxImage/ximainfo.cpp @@ -181,6 +181,10 @@ void* CxImage::GetDIB() const { return pDib; } +void* CxImage::GetDIBLimit() const +{ + return pDibLimit; +} //////////////////////////////////////////////////////////////////////////////// uint32_t CxImage::GetHeight() const { diff --git a/DesktopEditor/cximage/CxImage/ximapcx.cpp b/DesktopEditor/cximage/CxImage/ximapcx.cpp index 0a96c33ab4..b233557e02 100644 --- a/DesktopEditor/cximage/CxImage/ximapcx.cpp +++ b/DesktopEditor/cximage/CxImage/ximapcx.cpp @@ -50,6 +50,9 @@ bool CxImagePCX::Decode(CxFile *hFile) info.xDPI = pcxHeader.Hres; info.yDPI = pcxHeader.Vres; + if (Width <= 0 || Height <= 0) + cx_throw("Error: Not a PCX file"); + if (info.nEscape == -1){ head.biWidth = Width; head.biHeight= Height; 
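Review bot: `SetPalette(pal,head.biClrUsed)` on the line after the new blocks still passes the unclamped count, so when the header claims more than 256 colours the read is bounded but the palette copy may still run past `pal[256]`, unless SetPalette clamps internally, which the hunk does not show. Pass a clamped value there as well, for example `SetPalette(pal, head.biClrUsed > 256 ? 256 : head.biClrUsed);`. `pal` is also uninitialised, so entries beyond what the file supplied carry stack contents into the palette; `RGBQUAD pal[256] = {};` avoids that. The two one-line `DWORD _count = …; if (…) …;` statements would read better split over separate lines.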
@@ -76,7 +79,11 @@ bool CxImagePCX::Decode(CxFile *hFile) //Read the image and check if it's ok nbytes = pcxHeader.BytesPerLine * pcxHeader.ColorPlanes * Height; + uint32_t pcximage_size = nbytes; lpHead1 = pcximage = (uint8_t*)malloc(nbytes); + if (!pcximage) + cx_throw("Cancelled"); + while (nbytes > 0){ if (hFile == NULL || hFile->Eof()) cx_throw("corrupted PCX"); @@ -119,6 +126,9 @@ bool CxImagePCX::Decode(CxFile *hFile) for (uint32_t idx=0; idx127) a-=256; if (b>127) b-=256; // lab to xyz diff --git a/DesktopEditor/cximage/CxImage/xiofile.h b/DesktopEditor/cximage/CxImage/xiofile.h index 8ab5f1bfaf..e6b8334c08 100644 --- a/DesktopEditor/cximage/CxImage/xiofile.h +++ b/DesktopEditor/cximage/CxImage/xiofile.h @@ -59,9 +59,10 @@ public: return (bool)(iErr==0); } ////////////////////////////////////////////////////////// - virtual size_t Read(void *buffer, size_t size, size_t count) + virtual size_t Read(void *buffer, size_t size, size_t count, void* limit_start = NULL, void* limit_end = NULL) { if (!m_fp) return 0; + clamp_buffer(buffer, size, limit_start, limit_end); return fread(buffer, size, count, m_fp); } ////////////////////////////////////////////////////////// diff --git a/DesktopEditor/cximage/CxImage/xmemfile.cpp b/DesktopEditor/cximage/CxImage/xmemfile.cpp index 42dfadef35..180184db22 100644 --- a/DesktopEditor/cximage/CxImage/xmemfile.cpp +++ b/DesktopEditor/cximage/CxImage/xmemfile.cpp @@ -45,7 +45,7 @@ uint8_t* CxMemFile::GetBuffer(bool bDetachBuffer) return m_pBuffer; } ////////////////////////////////////////////////////////// -size_t CxMemFile::Read(void *buffer, size_t size, size_t count) +size_t CxMemFile::Read(void *buffer, size_t size, size_t count, void* limit_start, void* limit_end) { if (buffer==NULL) return 0; @@ -53,7 +53,7 @@ size_t CxMemFile::Read(void *buffer, size_t size, size_t count) if (m_Position >= (int32_t)m_Size){ m_bEOF = true; return 0; - } + } int32_t nCount = (int32_t)(count*size); if (nCount == 0) return 0; 
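Review bot: `nbytes = pcxHeader.BytesPerLine * pcxHeader.ColorPlanes * Height` is built from three header fields with no overflow or zero check before `malloc(nbytes)`, and the new `pcximage_size` inherits whatever that product wraps to (the variable types are declared outside the hunk). Validating the product against a sane maximum before allocating would make the later size checks meaningful. The new failure text `"Cancelled"` is also misleading for a failed allocation; something like `cx_throw("PCX: can't allocate memory");` tells the caller what happened.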
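Review bot: `CxMemFile::Read` now accepts `limit_start` and `limit_end`, but neither hunk of xmemfile.cpp calls `clamp_buffer`, unlike the `Read` in xiofile.h, so decoding from a memory buffer does not appear to be bounded by the new limits. Add `clamp_buffer(buffer, size, limit_start, limit_end);` after the `buffer==NULL` check, before `nCount` is computed from `count*size`. The body continues outside the hunks, so confirm the limits are not applied in the lines not shown.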
diff --git a/DesktopEditor/cximage/CxImage/xmemfile.h b/DesktopEditor/cximage/CxImage/xmemfile.h index 71e00eb069..385d16b30e 100644 --- a/DesktopEditor/cximage/CxImage/xmemfile.h +++ b/DesktopEditor/cximage/CxImage/xmemfile.h @@ -14,7 +14,7 @@ public: uint8_t* GetBuffer(bool bDetachBuffer = true); virtual bool Close(); - virtual size_t Read(void *buffer, size_t size, size_t count); + virtual size_t Read(void *buffer, size_t size, size_t count, void* limit_start = NULL, void* limit_end = NULL); virtual size_t Write(const void *buffer, size_t size, size_t count); virtual bool Seek(int32_t offset, int32_t origin); virtual int32_t Tell(); diff --git a/DesktopEditor/cximage/jasper/jpc/jpc_dec.c b/DesktopEditor/cximage/jasper/jpc/jpc_dec.c index fa72a0e82c..df986bcc66 100644 --- a/DesktopEditor/cximage/jasper/jpc/jpc_dec.c +++ b/DesktopEditor/cximage/jasper/jpc/jpc_dec.c @@ -2171,7 +2171,12 @@ int jpc_ppxstab_insert(jpc_ppxstab_t *tab, jpc_ppxstabent_t *ent) int inspt; int i; - for (i = 0; i < tab->numents; ++i) { + // check on MAX_INT + int correct_num_ents = tab->numents; + if (correct_num_ents > 0x7FFFFFFE) + correct_num_ents = 0x7FFFFFFE; + + for (i = 0; i < correct_num_ents; ++i) { if (tab->ents[i]->ind > ent->ind) { break; } diff --git a/DesktopEditor/cximage/raw/libdcr.c b/DesktopEditor/cximage/raw/libdcr.c index e671e47c66..73f4ab3758 100644 --- a/DesktopEditor/cximage/raw/libdcr.c +++ b/DesktopEditor/cximage/raw/libdcr.c 
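Review bot: The clamp on `tab->numents` does not bound the loop by anything the table actually holds: `numents` is already an `int`, so limiting it to `0x7FFFFFFE` changes behaviour only for the single largest value. If the concern is overflow when the count is incremented later (the rest of jpc_ppxstab_insert is outside the hunk), the function should refuse the insert up front, e.g. `if (tab->numents > 0x7FFFFFFE) return -1;`, assuming callers treat a negative return as failure. The `// check on MAX_INT` comment should name the expression it protects.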
@@ -3518,20 +3518,21 @@ void DCR_CLASS dcr_cam_xyz_coeff (DCRAW* p, double cam_xyz[4][3]) { double cam_rgb[4][3], inverse[4][3], num; int i, j, k; - - for (i=0; i < p->colors; i++) /* Multiply out XYZ colorspace */ + int max_colors = p->colors; + if (max_colors > 4) max_colors = 4; + for (i=0; i < max_colors; i++) /* Multiply out XYZ colorspace */ for (j=0; j < 3; j++) for (cam_rgb[i][j] = k=0; k < 3; k++) cam_rgb[i][j] += cam_xyz[i][k] * xyz_rgb[k][j]; - for (i=0; i < p->colors; i++) { /* Normalize cam_rgb so that */ + for (i=0; i < max_colors; i++) { /* Normalize cam_rgb so that */ for (num=j=0; j < 3; j++) /* cam_rgb * (1,1,1) is (1,1,1,1) */ num += cam_rgb[i][j]; for (j=0; j < 3; j++) cam_rgb[i][j] /= num; p->pre_mul[i] = 1 / (float)num; } - dcr_pseudoinverse (cam_rgb, inverse, p->colors); + dcr_pseudoinverse (cam_rgb, inverse, max_colors); for (p->raw_color = i=0; i < 3; i++) for (j=0; j < p->colors; j++) p->rgb_cam[i][j] = (float)inverse[j][i]; @@ -5391,9 +5392,12 @@ void DCR_CLASS dcr_parse_tiff (DCRAW* p, int base) p->tiff_ifd[raw].phint == 1) p->is_raw = 0; if (p->tiff_bps == 8 && p->tiff_samples == 4) p->is_raw = 0; for (i=0; i < (int)p->tiff_nifds; i++) + { + int sqr_1 = SQR(p->tiff_ifd[i].bps+1); if (sqr_1 == 0) sqr_1 = 1; + int sqr_2 = SQR(p->thumb_misc+1); if (sqr_2 == 0) sqr_2 = 1; if (i != raw && p->tiff_ifd[i].samples == max_samp && - p->tiff_ifd[i].width * p->tiff_ifd[i].height / SQR(p->tiff_ifd[i].bps+1) > - (int)(p->thumb_width * p->thumb_height / SQR(p->thumb_misc+1))) { + p->tiff_ifd[i].width * p->tiff_ifd[i].height / sqr_1 > + (int)(p->thumb_width * p->thumb_height / sqr_2)) { p->thumb_width = p->tiff_ifd[i].width; p->thumb_height = p->tiff_ifd[i].height; p->thumb_offset = p->tiff_ifd[i].offset; @@ -5401,6 +5405,7 @@ void DCR_CLASS dcr_parse_tiff (DCRAW* p, int base) p->thumb_misc = p->tiff_ifd[i].bps; thm = i; } + } if (thm >= 0) { p->thumb_misc |= p->tiff_ifd[thm].samples << 5; switch (p->tiff_ifd[thm].comp) { 
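Review bot: The last loop of the dcr_cam_xyz_coeff hunk, `for (j=0; j < p->colors; j++) p->rgb_cam[i][j] = (float)inverse[j][i];`, still runs to the unclamped `p->colors`, so for a value above 4 it reads past `inverse[4][3]` and writes `p->rgb_cam[i][j]` with the same out-of-range index. It should use the new bound, `for (j=0; j < max_colors; j++)`, like the loops above it. `p->colors` itself stays out of range for any later code, so clamping or rejecting the field where it is parsed would be more robust than a local copy.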
@@ -5845,10 +5850,16 @@ void DCR_CLASS dcr_parse_riff(DCRAW* p) { "Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec" }; struct tm t; + if (dcr_feof(p->obj_)) + { + fprintf (stderr,_("Unexpected end of file\n")); + return; + } + p->order = 0x4949; dcr_fread(p->obj_, tag, 4, 1); size = dcr_get4(p); - end = dcr_ftell(p->obj_) + size; + end = dcr_ftell(p->obj_) + size; if (!memcmp(tag,"RIFF",4) || !memcmp(tag,"LIST",4)) { dcr_get4(p); while (dcr_ftell(p->obj_)+7 < (long)end) diff --git a/DesktopEditor/cximage/tiff/tif_dirread.c b/DesktopEditor/cximage/tiff/tif_dirread.c index 907b53188c..408b9980f4 100644 --- a/DesktopEditor/cximage/tiff/tif_dirread.c +++ b/DesktopEditor/cximage/tiff/tif_dirread.c @@ -205,7 +205,7 @@ TIFFReadDirectory(TIFF* tif) && fix < tif->tif_nfields) { if (fip->field_type == TIFF_ANY) /* wildcard */ break; - fip = tif->tif_fieldinfo[++fix]; + ++fix; fip = (fix >= tif->tif_nfields) ? 0 : tif->tif_fieldinfo[++fix]; if (fix >= tif->tif_nfields || fip->field_tag != dp->tdir_tag) { TIFFWarningExt(tif->tif_clientdata, module, @@ -333,7 +333,7 @@ TIFFReadDirectory(TIFF* tif) && fix < tif->tif_nfields) { if (fip->field_type == TIFF_ANY) /* wildcard */ break; - fip = tif->tif_fieldinfo[++fix]; + ++fix; fip = (fix >= tif->tif_nfields) ? 0 : tif->tif_fieldinfo[++fix]; if (fix >= tif->tif_nfields || fip->field_tag != dp->tdir_tag) { TIFFWarningExt(tif->tif_clientdata, module, @@ -887,7 +887,7 @@ TIFFReadCustomDirectory(TIFF* tif, toff_t diroff, && fix < tif->tif_nfields) { if (fip->field_type == TIFF_ANY) /* wildcard */ break; - fip = tif->tif_fieldinfo[++fix]; + ++fix; fip = (fix >= tif->tif_nfields) ? 0 : tif->tif_fieldinfo[++fix]; if (fix >= tif->tif_nfields || fip->field_tag != dp->tdir_tag) { TIFFWarningExt(tif->tif_clientdata, module, diff --git a/DesktopEditor/cximage/tiff/tif_ojpeg.c b/DesktopEditor/cximage/tiff/tif_ojpeg.c index 793de83616..dea897484f 100644 --- a/DesktopEditor/cximage/tiff/tif_ojpeg.c 
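Review bot: The new `dcr_feof` test in dcr_parse_riff only catches a stream that already hit end-of-file on an earlier read; the `dcr_fread(p->obj_, tag, 4, 1)` that follows is still unchecked, so after a short read `tag` is compared without having been filled. Checking the read itself is more direct, e.g. `if (dcr_fread(p->obj_, tag, 4, 1) != 1) return;`, assuming dcr_fread returns an item count like fread. `end = dcr_ftell(p->obj_) + size` also takes `size` straight from the file without comparing it with the remaining length. The function continues outside the hunk.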
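Review bot: The replacement line `++fix; fip = (fix >= tif->tif_nfields) ? 0 : tif->tif_fieldinfo[++fix];` increments `fix` twice, so each step skips one field-info entry, and when the first increment lands on the last valid index the second one reads `tif_fieldinfo[tif_nfields]`, one past the end. Drop the second increment: `++fix; fip = (fix >= tif->tif_nfields) ? 0 : tif->tif_fieldinfo[fix];`. The same line is added in all three hunks of this file (@@ -205, @@ -333 and @@ -887). Putting the two statements on separate lines would also make the bound easier to see.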
+++ b/DesktopEditor/cximage/tiff/tif_ojpeg.c @@ -1920,7 +1920,9 @@ OJPEGReadBufferFill(OJPEGState* sp) sp->in_buffer_file_pos=0; else { - sp->in_buffer_file_togo=sp->tif->tif_dir.td_stripbytecount[sp->in_buffer_next_strile]; + sp->in_buffer_file_togo=0; + if (sp->tif->tif_dir.td_stripbytecount) + sp->in_buffer_file_togo=sp->tif->tif_dir.td_stripbytecount[sp->in_buffer_next_strile]; if (sp->in_buffer_file_togo==0) sp->in_buffer_file_pos=0; else if (sp->in_buffer_file_pos+sp->in_buffer_file_togo>sp->file_size) diff --git a/DesktopEditor/fontengine/fontconverter/FontFileType1.cpp b/DesktopEditor/fontengine/fontconverter/FontFileType1.cpp index 2d9041677b..b2df678b14 100644 --- a/DesktopEditor/fontengine/fontconverter/FontFileType1.cpp +++ b/DesktopEditor/fontengine/fontconverter/FontFileType1.cpp @@ -633,13 +633,16 @@ namespace NSFontConverter // (пробел, таб, перенос каретки или перенос строки). unsigned char *sCur = (unsigned char*)(*ppEexecBuffer); while( sCur < (unsigned char*)(*ppEexecBuffer) + nLen && ( ' ' == *sCur || '\t' == *sCur || '\r' == *sCur || '\n' == *sCur ) ) + { ++sCur; + --nLen; + } // Теперь нам надо определить в каком формате у нас данные: ASKII или бинарные данные. // Если первые четыре байта являются шестнадцатиричными символами, значит, кодировка ASCII. bool bASCII = false; - if ( isxdigit( sCur[0] ) && isxdigit( sCur[1] ) && isxdigit( sCur[2] ) && isxdigit( sCur[3] ) ) + if ( nLen > 3 && isxdigit( sCur[0] ) && isxdigit( sCur[1] ) && isxdigit( sCur[2] ) && isxdigit( sCur[3] ) ) bASCII = true; if ( bASCII ) diff --git a/DesktopEditor/fontengine/fontconverter/FontFileType1.h b/DesktopEditor/fontengine/fontconverter/FontFileType1.h index 7f2aa71230..a126b91a15 100644 --- a/DesktopEditor/fontengine/fontconverter/FontFileType1.h +++ b/DesktopEditor/fontengine/fontconverter/FontFileType1.h @@ -259,6 +259,8 @@ namespace NSFontConverter } sBuffer[nBufPos++] = unChar; + if (nBufPos >= c_nNumLimit) + break; } if ( 0 != sBuffer[0] && nCount > 0 )
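Review bot: The NULL test covers a missing `td_stripbytecount` array, but within the hunk the index `sp->in_buffer_next_strile` is still not compared with the number of entries that array holds. If that bound is not enforced earlier in OJPEGReadBufferFill (the function starts outside the hunk), it belongs in the same condition as the NULL check. A short comment that a missing array is treated as "nothing left to read for this strile" would explain why `in_buffer_file_togo` defaults to 0.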
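Review bot: In the whitespace-skipping loop, the condition `sCur < (unsigned char*)(*ppEexecBuffer) + nLen` is re-evaluated with the `nLen` that the new `--nLen` shrinks, so the end bound moves toward `sCur` as fast as `sCur` advances and the loop stops about halfway through a long run of leading whitespace. Fix the end once before the loop, `unsigned char *sEnd = sCur + nLen;`, and test `sCur < sEnd` so that `nLen` only tracks the bytes remaining. The added `nLen > 3` guard before the four `isxdigit` reads is then exact.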
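Review bot: In FontFileType1.h the new `if (nBufPos >= c_nNumLimit) break;` runs after `sBuffer[nBufPos++] = unChar;`, so it lets `nBufPos` reach `c_nNumLimit` itself. Whether that is safe depends on the size of `sBuffer` and on whether code after the loop writes a terminator at `sBuffer[nBufPos]`, neither of which is visible in the hunk; if the buffer has exactly `c_nNumLimit` elements the test should be `nBufPos >= c_nNumLimit - 1`. A comment next to the check stating the buffer's size relative to `c_nNumLimit` would settle it.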