From 5906e0861c7a7e04b392c4338e78acd43d2c6f69 Mon Sep 17 00:00:00 2001 From: Robert Osfield Date: Thu, 6 Dec 2007 17:44:56 +0000 Subject: [PATCH] From Farshid Lashkari, "The bmp writer crashes in certain cases. It happens when the computed size of the image data is greater than the actual image size. This causes the memcpy call to go out of the array bounds. I modified the code so that it copies the data during the iteration, instead of memcpy'ing. This fixes the problems i was having. If you are curious, the writer was crashing when trying to write an RGB image that was 2050 x 1280. You might be able to reproduce it by allocating an empty image of that size and writing it to a file." --- src/osgPlugins/bmp/ReaderWriterBMP.cpp | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/src/osgPlugins/bmp/ReaderWriterBMP.cpp b/src/osgPlugins/bmp/ReaderWriterBMP.cpp index fa0cb5bc7..88c053dda 100644 --- a/src/osgPlugins/bmp/ReaderWriterBMP.cpp +++ b/src/osgPlugins/bmp/ReaderWriterBMP.cpp @@ -420,20 +420,19 @@ class ReaderWriterBMP : public osgDB::ReaderWriter // 1) swap Blue with Red - needed for Windoss. const unsigned char* data = img.data(); unsigned char *dta=new unsigned char[size]; - unsigned char tmp; // we need to case between different number of components switch(img.computeNumComponents(img.getPixelFormat())) { case(3) : { - memcpy(dta,img.data(),size*sizeof(unsigned char)); for(unsigned int i=0;i