Fixes to image processing.

[liblbx.git] / src / image.c

diff --git a/src/image.c b/src/image.c
index ba642d026b740d09b389b3eea195965da90acf3e..c1ad351983f8300e213946e1b8f941713cd83f0a 100644 (file)
--- a/src/image.c
+++ b/src/image.c
@@ -45,6 +45,15 @@ struct lbx_image *lbximg_fopen(FILE *f)
        tmp.frames = letohs(tmp.frames); tmp.foff += sizeof tmp.frames;
        tmp.wtf2   = letohs(tmp.wtf2);   tmp.foff += sizeof tmp.wtf2;
 
+       /* For some reason, the format seems to need this. */
+       tmp.offs++;
+       tmp.frames++;
+
+       if (tmp.offs <= tmp.frames) {
+               lbx_errno = LBX_EFORMAT;
+               return NULL;
+       }
+
        /*
         * DEBUG ONLY.  These assertions exist to catch otherwise valid image
         * files which differ from what I believe to be true of all LBX images.
@@ -100,14 +109,14 @@ static int _lbx_drawrow(int first, struct lbx_image *img)
        if (type == 0) {
                if (fread(&yval,  sizeof yval,  1, img->f) != 1) goto readerr;
                yval = letohs(yval); img->foff += sizeof yval;
-
                if (yval == 1000)
                        return 1;
-
                if (fread(&count, sizeof count, 1, img->f) != 1) goto readerr;
                count = letohs(count); img->foff += sizeof count;
                if (fread(&xval,  sizeof xval,  1, img->f) != 1) goto readerr;
                xval = letohs(xval); img->foff += sizeof xval;
+               if (xval == 1000)
+                       return 1;
 
                /* Ensure that the row fits in the image. */
                if (img->height - img->currenty <= yval || xval >= img->width) {
@@ -211,7 +220,7 @@ unsigned char **lbximg_getframe(struct lbx_image *img, int frame)
                                return NULL;
                        first = 0;
 
-                       if (img->foff > img->offsets[frame+1]) {
+                       if (!rc && img->foff > img->offsets[frame+1]) {
                                lbx_errno = LBX_EFORMAT;
                                return NULL;
                        }
@@ -272,6 +281,10 @@ lbximg_getpalette(struct lbx_image *img, struct lbx_colour palette[static 256])
 
                if (entry[0] == 0) {
                        index++;
+                       if (index >= 256) {
+                               lbx_errno = LBX_EFORMAT;
+                               return -1;
+                       }
                } else {
                        index = entry[0];
                }