Skip to content

Commit

Permalink
RMF: prevent out-of-bounds read
Browse files Browse the repository at this point in the history 
git-svn-id: https://svn.osgeo.org/gdal/trunk@32862 f0d54148-0727-0410-94bb-9a71ac55c965
  • Loading branch information
@rouault
rouault committed Jan 8, 2016
1 parent 0a051e6 commit eab1b03
Showing 1 changed file with 15 additions and 9 deletions.
24 changes: 15 additions & 9 deletions gdal/frmts/rmf/rmfdem.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -122,7 +122,7 @@ int RMFDataset::DEMDecompress( const GByte* pabyIn, GUInt32 nSizeIn,
paiOut = (GInt32*)pabyOut;
nSizeOut /= sizeof(GInt32);

while ( nSizeIn >= 2 )
while ( nSizeIn > 0 )
{
// Read number of codes in the record and encoding type
nCount = *pabyTempIn & 0x1F;
Expand Down Expand Up @@ -155,11 +155,11 @@ int RMFDataset::DEMDecompress( const GByte* pabyIn, GUInt32 nSizeIn,
break;

case TYPE_INT4:
if ( nSizeIn < nCount / 2 )
if ( nSizeIn < (nCount + 1) / 2 )
break;
if ( nSizeOut < nCount )
break;
nSizeIn -= nCount / 2;
nSizeIn -= (nCount + 1) / 2;
nSizeOut -= nCount;
while ( nCount-- > 0 )
{
Expand All @@ -171,8 +171,11 @@ int RMFDataset::DEMDecompress( const GByte* pabyIn, GUInt32 nSizeIn,

if ( nCount-- == 0 )
{
pabyTempIn++;
nSizeIn--;
if( nSizeIn )
{
pabyTempIn++;
nSizeIn--;
}
break;
}

Expand All @@ -199,11 +202,11 @@ int RMFDataset::DEMDecompress( const GByte* pabyIn, GUInt32 nSizeIn,
break;

case TYPE_INT12:
if ( nSizeIn < 3 * nCount / 2 )
if ( nSizeIn < (3 * nCount + 1) / 2 )
break;
if ( nSizeOut < nCount )
break;
nSizeIn -= 3 * nCount / 2;
nSizeIn -= (3 * nCount + 1) / 2;
nSizeOut -= nCount;

while ( nCount-- > 0 )
Expand All @@ -216,8 +219,11 @@ int RMFDataset::DEMDecompress( const GByte* pabyIn, GUInt32 nSizeIn,

if ( nCount-- == 0 )
{
pabyTempIn++;
nSizeIn--;
if( nSizeIn )
{
pabyTempIn++;
nSizeIn--;
}
break;
}

Expand Down

0 comments on commit eab1b03

Please sign in to comment.