bmp: Tighten image dimension checks

The rowstride *could* be negative if the pixbuf is invalid. Check that it is valid before using it to sanity check the image's dimensions. See https://bugzilla.gnome.org/show_bug.cgi?id=776694
author: Bastien Nocera <hadess@hadess.net> 2017-07-26 16:33:40 +0200
committer: Bastien Nocera <hadess@hadess.net> 2017-07-26 16:38:30 +0200
commit: 92d2d98c28e26496ceb8a4a825a061a25b1cdf5b (patch)
tree: 10cda9196340486b2ff41459225ac635c3f2fd0d
parent: 9ac5cc0404526b58ac2196ade0f80fd84768003f (diff)
download: gdk-pixbuf-92d2d98c28e26496ceb8a4a825a061a25b1cdf5b.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/gdk-pixbuf/io-bmp.c b/gdk-pixbuf/io-bmp.c
index e8605058a..e8ccce446 100644
--- a/gdk-pixbuf/io-bmp.c
+++ b/gdk-pixbuf/io-bmp.c
@@ -433,6 +433,7 @@ static gboolean DecodeHeader(unsigned char *BFH, unsigned char *BIH,
 
 	if (State->pixbuf == NULL) {
 		guint64 len;
+		int rowstride;
 
 		if (State->size_func) {
 			gint width = State->Header.width;
@@ -472,7 +473,9 @@ static gboolean DecodeHeader(unsigned char *BFH, unsigned char *BIH,
 					       (gint) State->Header.width,
 					       (gint) State->Header.height);
 
-		if (!g_uint64_checked_mul (&len, State->pixbuf->rowstride, State->Header.height) ||
+		rowstride = gdk_pixbuf_get_rowstride (State->pixbuf);
+		if (rowstride <= 0 ||
+		    !g_uint64_checked_mul (&len, rowstride, State->Header.height) ||
 		    len > G_MAXINT) {
 			g_set_error_literal (error,
                                              GDK_PIXBUF_ERROR,
author	Bastien Nocera <hadess@hadess.net>	2017-07-26 16:33:40 +0200
committer	Bastien Nocera <hadess@hadess.net>	2017-07-26 16:38:30 +0200
commit	92d2d98c28e26496ceb8a4a825a061a25b1cdf5b (patch)
tree	10cda9196340486b2ff41459225ac635c3f2fd0d
parent	9ac5cc0404526b58ac2196ade0f80fd84768003f (diff)
download	gdk-pixbuf-92d2d98c28e26496ceb8a4a825a061a25b1cdf5b.tar.gz