fix crash when reading malformed PCX images (#3836)

git-svn-id: https://svn.wxwidgets.org/svn/wx/wxWidgets/branches/WX_2_8_BRANCH@54766 c3d73ce0-8a6f-49c7-b76d-6d57e0e08775

docs/changes.txt

@@ -106,6 +106,7 @@ All (GUI):
 - Fix changing size of merged cells in wxGrid (Laurent Humbertclaude).
 - Fixed wrapping bug in wxRichTextCtrl when there were images present;
   now sets the cursor to the next line after pressing Shift+Enter.
+- Fix crash when reading malformed PCX images.
 
 All (Unix):
 

src/common/imagpcx.cpp

@@ -87,17 +87,15 @@ void RLEencode(unsigned char *p, unsigned int size, wxOutputStream& s)
 
 void RLEdecode(unsigned char *p, unsigned int size, wxInputStream& s)
 {
-    unsigned int i, data, cont;
-
     // Read 'size' bytes. The PCX official specs say there will be
     // a decoding break at the end of each scanline (but not at the
     // end of each plane inside a scanline). Only use this function
     // to read one or more _complete_ scanlines. Else, more than
     // 'size' bytes might be read and the buffer might overflow.
 
-    while (size > 0)
+    while (size != 0)
     {
-        data = (unsigned char)s.GetC();
+        unsigned int data = (unsigned char)s.GetC();
 
         // If ((data & 0xC0) != 0xC0), then the value read is a data
         // byte. Else, it is a counter (cont = val & 0x3F) and the
@@ -110,9 +108,11 @@ void RLEdecode(unsigned char *p, unsigned int size, wxInputStream& s)
         }
         else
         {
-            cont = data & 0x3F;
+            unsigned int cont = data & 0x3F;
+            if (cont > size) // can happen only if the file is malformed
+                break;
             data = (unsigned char)s.GetC();
-            for (i = 1; i <= cont; i++)
+            for (unsigned int i = 1; i <= cont; i++)
                 *(p++) = (unsigned char)data;
             size -= cont;
         }