From aec8983819fa0cd23ce251f91305a8c2cb4450dc Mon Sep 17 00:00:00 2001 From: Ben Wiederhake Date: Wed, 2 Dec 2020 20:13:29 +0100 Subject: [PATCH] LibGfx: Accept BMP RLE of 255 repeated bytes Previously, in the case of RLE4, parsing took suspiciously long. What happened was that 'pixel_count' was 255, and 'i' was incremented by *two* in each iteration, so the for-loop continued until the entire output buffer was full, and then rejected the RLE data as bogus. This little diff allows pixel_count to reach 256, be greater than pixel_count, and thus terminate the loop in the intended way. --- Libraries/LibGfx/BMPLoader.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Libraries/LibGfx/BMPLoader.cpp b/Libraries/LibGfx/BMPLoader.cpp index 824203f9be..84d7d32ea6 100644 --- a/Libraries/LibGfx/BMPLoader.cpp +++ b/Libraries/LibGfx/BMPLoader.cpp @@ -1059,7 +1059,7 @@ static bool uncompress_bmp_rle_data(BMPLoadingContext& context, ByteBuffer& buff if (!result.has_value()) return false; byte = result.value(); - for (u8 i = 0; i < pixel_count; ++i) { + for (u16 i = 0; i < pixel_count; ++i) { if (compression != Compression::RLE4) { if (!set_byte(byte, true)) return false;