# HG changeset patch # User Sam Lantinga # Date 1228688716 0 # Node ID 6c3fbeb04eca29c5a185b4c4e30115bc00089e4c # Parent 43691ef701768f9ff419dce2da93d261fb1311a5 Fixed crash in testpalette and potential crash in SDL_LoadBMP_RW() diff -r 43691ef70176 -r 6c3fbeb04eca src/video/SDL_bmp.c --- a/src/video/SDL_bmp.c Sun Dec 07 22:04:24 2008 +0000 +++ b/src/video/SDL_bmp.c Sun Dec 07 22:25:16 2008 +0000 @@ -218,6 +218,20 @@ if (biClrUsed == 0) { biClrUsed = 1 << biBitCount; } + if (biClrUsed > palette->ncolors) { + palette->ncolors = biClrUsed; + palette->colors = + (SDL_Color *) SDL_realloc(palette->colors, + palette->ncolors * + sizeof(*palette->colors)); + if (!palette->colors) { + SDL_OutOfMemory(); + was_error = 1; + goto done; + } + } else if (biClrUsed < palette->ncolors) { + palette->ncolors = biClrUsed; + } if (biSize == 12) { for (i = 0; i < (int) biClrUsed; ++i) { SDL_RWread(src, &palette->colors[i].b, 1, 1); diff -r 43691ef70176 -r 6c3fbeb04eca test/testpalette.c --- a/test/testpalette.c Sun Dec 07 22:04:24 2008 +0000 +++ b/test/testpalette.c Sun Dec 07 22:25:16 2008 +0000 @@ -189,6 +189,8 @@ SDL_SetColorKey(boat[0], SDL_SRCCOLORKEY | SDL_RLEACCEL, SDL_MapRGB(boat[0]->format, 0xff, 0x00, 0xff)); boatcols = boat[0]->format->palette->ncolors; + if (boatcols >= 256) + sdlerr("too many colors in sail.bmp"); boat[1] = hflip(boat[0]); SDL_SetColorKey(boat[1], SDL_SRCCOLORKEY | SDL_RLEACCEL, SDL_MapRGB(boat[1]->format, 0xff, 0x00, 0xff));