bmp: Reject bogus depth

Erroring out early if we find a bogus image depth is the right thing to do, and avoids possible memory overruns later on. https://bugzilla.gnome.org/show_bug.cgi?id=747605
author: Matthias Clasen <mclasen@redhat.com> 2015-12-05 15:49:32 -0500
committer: Matthias Clasen <mclasen@redhat.com> 2015-12-14 07:02:12 -0500
commit: 075bc1b08a64a064edc4890454a108680f23f798 (patch)
tree: bcfa8b052a1b591561b4a02f3e6f61a1f8636832
parent: 08934635023ff47e27d43f59c3ca53c1b9e3652f (diff)
download: gdk-pixbuf-075bc1b08a64a064edc4890454a108680f23f798.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/gdk-pixbuf/io-bmp.c b/gdk-pixbuf/io-bmp.c
index 1f197e83d..5c30bfbba 100644
--- a/gdk-pixbuf/io-bmp.c
+++ b/gdk-pixbuf/io-bmp.c
@@ -318,6 +318,15 @@ static gboolean DecodeHeader(unsigned char *BFH, unsigned char *BIH,
 		return FALSE;
 	}
 
+        if (State->Header.depth > 32)
+          {
+		g_set_error_literal (error,
+                                     GDK_PIXBUF_ERROR,
+                                     GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+                                     _("BMP image has unsupported depth"));
+		State->read_state = READ_STATE_ERROR;
+          }
+
 	if (State->Header.size == 12)
 		clrUsed = 1 << State->Header.depth;
 	else
author	Matthias Clasen <mclasen@redhat.com>	2015-12-05 15:49:32 -0500
committer	Matthias Clasen <mclasen@redhat.com>	2015-12-14 07:02:12 -0500
commit	075bc1b08a64a064edc4890454a108680f23f798 (patch)
tree	bcfa8b052a1b591561b4a02f3e6f61a1f8636832
parent	08934635023ff47e27d43f59c3ca53c1b9e3652f (diff)
download	gdk-pixbuf-075bc1b08a64a064edc4890454a108680f23f798.tar.gz