From 23512f453f792d0adeef519ce6c36811d1fdbd4a Mon Sep 17 00:00:00 2001
From: Vadim Zeitlin
Date: Tue, 22 Jul 2008 20:16:03 +0000
Subject: [PATCH] fix crash when reading malformed PCX images (#3836)

git-svn-id: https://svn.wxwidgets.org/svn/wx/wxWidgets/branches/WX_2_8_BRANCH@54766 c3d73ce0-8a6f-49c7-b76d-6d57e0e08775
---
 docs/changes.txt       |  1 +
 src/common/imagpcx.cpp | 12 ++++++------
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/docs/changes.txt b/docs/changes.txt
index d85e76f38e..e79af8f66c 100644
--- a/docs/changes.txt
+++ b/docs/changes.txt
@@ -106,6 +106,7 @@ All (GUI):
 - Fix changing size of merged cells in wxGrid (Laurent Humbertclaude).
 - Fixed wrapping bug in wxRichTextCtrl when there were images present; now sets the cursor to the next line after pressing Shift+Enter.
+- Fix crash when reading malformed PCX images.
 
 All (Unix):
 
diff --git a/src/common/imagpcx.cpp b/src/common/imagpcx.cpp
index 69b04d1ea7..05f1d66a5e 100644
--- a/src/common/imagpcx.cpp
+++ b/src/common/imagpcx.cpp
@@ -87,17 +87,15 @@ void RLEencode(unsigned char *p, unsigned int size, wxOutputStream& s)
 
 void RLEdecode(unsigned char *p, unsigned int size, wxInputStream& s)
 {
-    unsigned int i, data, cont;
-
     // Read 'size' bytes. The PCX official specs say there will be
     // a decoding break at the end of each scanline (but not at the
     // end of each plane inside a scanline). Only use this function
     // to read one or more _complete_ scanlines. Else, more than
     // 'size' bytes might be read and the buffer might overflow.
 
-    while (size > 0)
+    while (size != 0)
     {
-        data = (unsigned char)s.GetC();
+        unsigned int data = (unsigned char)s.GetC();
 
         // If ((data & 0xC0) != 0xC0), then the value read is a data
         // byte. Else, it is a counter (cont = val & 0x3F) and the
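Review bot: The read side is still unchecked: `unsigned int data = (unsigned char)s.GetC();` here, and the second `s.GetC()` in the next hunk, are consumed without consulting the stream state, so on a truncated file the loop keeps running on whatever GetC() yields at end of input until `size` is used up, and in the next hunk a run count of 0 (a 0xC0 byte) leaves `size` unchanged, so termination then depends on that end-of-input value rather than on the data. A stream-state check after each read, e.g. `if (!s.IsOk()) break;` (or a `s.LastRead() != 1` test, if that is how this stream reports a short read), would bound the decoder by the file's length; the `cont > size` guard in the next hunk already closes the write overflow. The comment above the loop still says that more than 'size' bytes might be read and the buffer might overflow, which no longer matches the clamped count; something like `// A run count larger than the remaining size is rejected below; callers must still pass complete scanlines.` would be accurate. RLEdecode's body continues past this hunk.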
@@ -110,9 +108,11 @@ void RLEdecode(unsigned char *p, unsigned int size, wxInputStream& s)
         }
         else
         {
-            cont = data & 0x3F;
+            unsigned int cont = data & 0x3F;
+            if (cont > size) // can happen only if the file is malformed
+                break;
             data = (unsigned char)s.GetC();
-            for (i = 1; i <= cont; i++)
+            for (unsigned int i = 1; i <= cont; i++)
                 *(p++) = (unsigned char)data;
             size -= cont;
         }