Author: post
Date: 2009-12-21 21:37:44 +0100 (Mon, 21 Dec 2009)
New Revision: 181
Modified:
RawSpeed/Cr2Decoder.cpp
RawSpeed/LJpegDecompressor.cpp
RawSpeed/LJpegPlain.cpp
RawSpeed/OrfDecoder.cpp
Log:
More checks to avoid potential crashes.
Modified: RawSpeed/Cr2Decoder.cpp
===================================================================
--- RawSpeed/Cr2Decoder.cpp 2009-12-20 21:28:39 UTC (rev 180)
+++ RawSpeed/Cr2Decoder.cpp 2009-12-21 20:37:44 UTC (rev 181)
@@ -121,6 +121,7 @@
errors.push_back(_strdup(e.what()));
} catch (IOException e) {
// Let's try to ignore this - it might be truncated data, so something
might be useful.
+ errors.push_back(_strdup(e.what()));
}
offY += slice.w;
}
Modified: RawSpeed/LJpegDecompressor.cpp
===================================================================
--- RawSpeed/LJpegDecompressor.cpp 2009-12-20 21:28:39 UTC (rev 180)
+++ RawSpeed/LJpegDecompressor.cpp 2009-12-21 20:37:44 UTC (rev 181)
@@ -289,6 +289,9 @@
guint acc = 0;
HuffmanTable* t = &huff[Th];
+ if (t->initialized)
+ ThrowRDE("LJpegDecompressor::parseDHT: Duplicate table definition");
+
for (guint i = 0; i < 16 ;i++) {
t->bits[i+1] = input->getByte();
acc += t->bits[i+1];
@@ -345,8 +348,11 @@
*/
p = 0;
for (l = 1; l <= 16; l++) {
- for (i = 1; i <= (int)htbl->bits[l]; i++)
+ for (i = 1; i <= (int)htbl->bits[l]; i++) {
huffsize[p++] = (gchar)l;
+ if (p > 256)
+ ThrowRDE("LJpegDecompressor::createHuffmanTable: Code length too long.
Corrupt data.");
+ }
}
huffsize[p] = 0;
lastp = p;
@@ -366,6 +372,8 @@
}
code <<= 1;
si++;
+ if (p > 256)
+ ThrowRDE("createHuffmanTable: Code length too long. Corrupt data.");
}
@@ -385,6 +393,8 @@
htbl->valptr[l] = 0xff; // This check must be present to avoid crash
on junk
htbl->maxcode[l] = -1;
}
+ if (p > 256)
+ ThrowRDE("createHuffmanTable: Code length too long. Corrupt data.");
}
/*
@@ -411,10 +421,8 @@
} else {
ul = ll;
}
- _ASSERTE(ll >= 0 && ul >= 0);
- _ASSERTE(ll < 256 && ul < 256);
- _ASSERTE(ll <= ul);
- _ASSERTE(size <= 8);
+ if (ul > 256 || ll > ul)
+ ThrowRDE("createHuffmanTable: Code length too long. Corrupt data.");
for (i = ll; i <= ul; i++) {
htbl->numbits[i] = size | (value << 4);
}
Modified: RawSpeed/LJpegPlain.cpp
===================================================================
--- RawSpeed/LJpegPlain.cpp 2009-12-20 21:28:39 UTC (rev 180)
+++ RawSpeed/LJpegPlain.cpp 2009-12-21 20:37:44 UTC (rev 181)
@@ -49,6 +49,9 @@
if (slicesW.empty())
slicesW.push_back(frame.w*frame.cps);
+ if ( 0 == frame.h || 0 == frame.w)
+ ThrowRDE("LJpegPlain::decodeScan: Image width or height set to zero");
+
for (guint i = 0; i < frame.cps; i++) {
if (frame.compInfo[i].superH != 1 || frame.compInfo[i].superV != 1) {
if (mRaw->isCFA)
Modified: RawSpeed/OrfDecoder.cpp
===================================================================
--- RawSpeed/OrfDecoder.cpp 2009-12-20 21:28:39 UTC (rev 180)
+++ RawSpeed/OrfDecoder.cpp 2009-12-21 20:37:44 UTC (rev 181)
@@ -175,7 +175,7 @@
wo0 = dest[x];
nw0 = n;
}
- _ASSERTE(0 == dest[x] >> 12) ;
+// _ASSERTE(0 == dest[x] >> 12) ;
// ODD PIXELS
x += 1;
@@ -226,7 +226,7 @@
wo1 = dest[x];
nw1 = n;
}
- _ASSERTE(0 == dest[x] >> 12) ;
+// _ASSERTE(0 == dest[x] >> 12) ;
}
}
}
_______________________________________________
Rawstudio-commit mailing list
[email protected]
http://rawstudio.org/cgi-bin/mailman/listinfo/rawstudio-commit
