freemyipod r649 - Code Review

Repository:	freemyipod
Revision:	< r648‎ \| r649 \| r650 >
Date:	02:35, 4 March 2011
Author:	theseven
Status:	new
Tags:
Comment:	libpng: Fix some IDAT compression handling bugs
Modified paths:	/libs/png/png.c (modified) (history) /libs/png/tinflate.c (modified) (history)

Diff [purge]

Index: libs/png/png.c
—	—	@@ -166,9 +166,9 @@
167	167	if (!idat)
168	168	{
169	169	info.idat = in - 8;
170		~~- info.idatlen += length + 12;~~
171	170	idat = 1;
172	171	}
	172	+ info.idatlen += length + 12;
173	173	in += length;
174	174	break;
175	175	case PNG_CHUNK_IEND:
Index: libs/png/tinflate.c
—	—	@@ -60,10 +60,10 @@
61	61	*/
62	62
63	63
64		~~-//#define DEBUG_CONSOLES 2~~
65		~~-//#define DEBUG_PRINT_SOURCE_LINE~~
66		-
	64	+//#define DEBUG_CONSOLES 2
	65	+//#define DEBUG_PRINT_SOURCE_LINE
67	66
	67	+
68	68	#include "emcorelib.h"
69	69	#include "tinf.h"
70	70
—	—	@@ -227,27 +227,29 @@
228	228	// d->bytecount, d->bitcount, d->source);
229	229
230	230	/* check if tag is empty */
231		~~- if (!--d->bitcount)~~
	231	+ if (!d->bitcount)
232	232	{
233		~~- while (!--d->bytecount)~~
	233	+ while (!d->bytecount)
234	234	{
235	235	DEBUGF("tinf_getbit: refilling bytes");
236		~~- DEBUGF("tinf_getbit: bytecount=%d, bitcount=%d, source=0x%08X",~~
237		~~- d->bytecount, d->bitcount, d->source);~~
	236	+ DEBUGF("tinf_getbit: bytecount=%d, bitcount=%d, source=0x%08X",
	237	+ d->bytecount, d->bitcount, d->source);
238	238	d->bytecount = (d->source[4] << 24) \| (d->source[5] << 16)
239	239	\| (d->source[6] << 8) \| d->source[7];
240	240	d->source += 12;
241		~~- DEBUGF("tinf_getbit: bytecount=%d, bitcount=%d, source=0x%08X",~~
242		~~- d->bytecount, d->bitcount, d->source);~~
	241	+ DEBUGF("tinf_getbit: bytecount=%d, bitcount=%d, source=0x%08X",
	242	+ d->bytecount, d->bitcount, d->source);
243	243	}
244	244	/* load next tag */
245	245	d->tag = *d->source++;
246	246	d->bitcount = 8;
	247	+ d->bytecount--;
247	248	}
248	249
249	250	/* shift bit out of tag */
250	251	bit = d->tag & 1;
251	252	d->tag >>= 1;
	253	+ d->bitcount--;
252	254
253	255	// DEBUGF("tinf_getbit: returning bit %d", bit);
254	256	return bit;
—	—	@@ -479,9 +481,9 @@
480	482	int bfinal;
481	483
482	484	d.source = (const unsigned char *)(source + 10);
483		~~- d.bitcount = 1;~~
	485	+ d.bitcount = 0;
484	486	d.bytecount = ((d.source[-10] << 24) \| (d.source[-9] << 16)
485		~~- \| (d.source[-8] << 8) \| d.source[-7]) + 1;~~
	487	+ \| (d.source[-8] << 8) \| d.source[-7]) - 2;
486	488
487	489	d.dest = (unsigned char *)dest;
488	490	d.destLen = destLen;
—	—	@@ -524,8 +526,20 @@
525	527	if (res) return res;
526	528
527	529	if (d.source > (unsigned char *)source + sourceLen)
	530	+ {
	531	+ DEBUGF("tinf_uncompress: Hit end of buffer! (source=0x%08X, len=%d, current=0x%08X)",
	532	+ source, sourceLen, d.source);
528	533	return -7;
	534	+ }
529	535	} while (!bfinal);
530	536
	537	+ d.bytecount -= 4;
	538	+
	539	+ if (d.bytecount)
	540	+ {
	541	+ DEBUGF("tinf_uncompress: %d leftover bytes, %d bits!", d.bytecount, d.bitcount);
	542	+ return -8;
	543	+ }
	544	+
531	545	return 0;
532	546	}

freemyipod r649 - Code Review

Diff [purge]

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Info

Reverse engineering Results

Exploiting

Other Guides

Tools