Michael Lotz eec73693e0 PicturePlayer: Rework to be more safe against corrupted data.
This introduces a more sane API (currently private) that allows for
safer and possibly more efficient implementations:

* It uses a struct of named and typed function pointers instead of just
  a void pointer array. This adds type safety to the callbacks so the
  compiler can figure out if things match up before subtle bugs get
  introduced.
* It provides bounds for all strings/buffers passed to the callbacks.
* It uses const references instead of implicitly copying arguments.
* It folds stroke_x/fill_x pairs into draw_x functions with a fill
  argument to reduce the number of functions needed.
* It uses unsigned values where negative values make no sense.

The old API has been implemented on top of the new one using adapter
functions. It makes copies of all data passed to the callbacks which
effectively keeps the picture data from being modified. This matches
with the R5 behaviour.

This also reimplements the buffer parsing to be safe against corrupted
data by validating that the types actually fit in the provided sizes
and buffers (using a templated reader).

Since this class is used from the app_server with user-provided data,
making it more safe is important even though it comes with a slight
overhead (replicating R5 behaviour, i.e. crashing the app_server when
corrupted data is fed, doesn't seem very appropriate here).
2015-09-05 16:09:31 +02:00
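
A sketch of the kind of templated, bounds-checked reader the commit message describes, as an added example that is not code from this commit or from Haiku. The names BoundedReader and ParseStringOp and the record layout are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <type_traits>

// Hypothetical bounds-checked reader (illustrative names, not Haiku's API).
class BoundedReader {
public:
    BoundedReader(const void* data, size_t size)
        : fData(static_cast<const uint8_t*>(data)), fRemaining(size) {}

    // Copy out one fixed-size value; fail, consuming nothing, if it does not fit.
    template<typename T>
    bool Get(T& value) {
        static_assert(std::is_trivially_copyable<T>::value, "raw-copyable types only");
        if (fRemaining < sizeof(T))
            return false;
        std::memcpy(&value, fData, sizeof(T));  // memcpy tolerates unaligned input
        Skip(sizeof(T));
        return true;
    }

    // Borrow `length` bytes in place; `length` usually comes from the untrusted data.
    bool GetBytes(const uint8_t*& bytes, size_t length) {
        if (fRemaining < length)  // compare counts, so no pointer sum can overflow
            return false;
        bytes = fData;
        Skip(length);
        return true;
    }

private:
    void Skip(size_t n) { fData += n; fRemaining -= n; }
    const uint8_t* fData;
    size_t fRemaining;
};

// Constructed record layout: uint16 opcode, uint32 length, then `length` bytes.
bool ParseStringOp(const void* data, size_t size, uint16_t& op, std::string& text) {
    BoundedReader reader(data, size);
    uint32_t length = 0;
    const uint8_t* bytes = nullptr;
    if (!reader.Get(op) || !reader.Get(length) || !reader.GetBytes(bytes, length))
        return false;  // truncated, or the length field lies: reject, do not crash
    text.assign(reinterpret_cast<const char*>(bytes), length);
    return true;
}
```

Every read is checked against the bytes still remaining, so a record that is cut short or that declares a length larger than the buffer is rejected instead of being read past its end.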