FreeImage icon indicating copy to clipboard operation
FreeImage copied to clipboard
verified publisher icon danoli3

Potential regression in LoadPixelDataRLE8 since 3.19.0

Open thbeu opened this issue 1 year ago • 2 comments

FreeImage_LoadU fails to load the 8-bit image with the changes of f458b911498991db598ffa4d353adfcbb30c2c5f applied to LoadPixelDataRLE8 in file PluginBMP.cpp. If I revert the changes of just this single function, the image can be loaded successfully again.

Note, that this return FALSE; statement at the very end of the function causes the loading to fail: https://github.com/danoli3/FreeImage/blob/f458b911498991db598ffa4d353adfcbb30c2c5f/Source/FreeImage/PluginBMP.cpp#L507

What I tried:

  1. Changing that statement to return TRUE; obviously resolves the issue (while the case RLE_ENDOFBITMAP still is not handled in the while loop).

  2. Increasing the loop count causes the RLE_ENDOFBITMAP case to be triggered successfully.

--- a/Source/FreeImage/PluginBMP.cpp
+++ b/Source/FreeImage/PluginBMP.cpp
@@ -432,7 +432,7 @@ LoadPixelDataRLE8(FreeImageIO *io, fi_handle handle, int width, int height, FIBI
 
 	height = abs(height);
 	
-	while(scanline < height) {
+	while(scanline <= height) {
 
 		if (io->read_proc(&status_byte, sizeof(BYTE), 1, handle) != 1) {
 			return FALSE;

@danoli3 Can you please confirm if this is an actual regression! Thank you!

thbeu avatar Dec 30 '24 12:12 thbeu

Edit: I see that https://sourceforge.net/p/freeimage/svn/1832/ introduced this change, probably to fix https://sourceforge.net/p/freeimage/bugs/298/ (probably because of CVE-2020-21427).

thbeu avatar Dec 30 '24 12:12 thbeu

Edit: Now also reported as https://sourceforge.net/p/freeimage/bugs/387/.

thbeu avatar Dec 30 '24 13:12 thbeu