authorTobias Mueller <gnome-bugs@muelli.cryptobitch.de>2016-07-11 17:01:00 +0000
committerMatthias Clasen <mclasen@redhat.com>2016-08-02 13:15:35 -0400
commitb69009f2a2de151103ed87e9594615ba0fe72daf (patch)
treeaf311f9c8237d36b02288ddcaecc5fbc36972dca
parentd61be7312d8ed8ce868fdcb984178ef1eb8f0efe (diff)
downloadgdk-pixbuf-b69009f2a2de151103ed87e9594615ba0fe72daf.tar.gz
bmp: Fix an integer overflow in DecodeColormap
Return an error if n_colors * samples overflows. This commit also adds a reproducer that will cause pixbuf-randomly-modified to crash in the absence of the patch. https://bugzilla.gnome.org/show_bug.cgi?id=768688
-rw-r--r--gdk-pixbuf/io-bmp.c15
-rw-r--r--tests/test-images/randomly-modified/decodecolormap.bmpbin0 -> 118 bytes
2 files changed, 12 insertions, 3 deletions
diff --git a/gdk-pixbuf/io-bmp.c b/gdk-pixbuf/io-bmp.c
index f412997eb..748ebae57 100644
--- a/gdk-pixbuf/io-bmp.c
+++ b/gdk-pixbuf/io-bmp.c
@@ -518,12 +518,16 @@ static gboolean DecodeColormap (guchar *buff,
{
gint i;
gint samples;
+ guint newbuffersize;
g_assert (State->read_state == READ_STATE_PALETTE);
samples = (State->Header.size == 12 ? 3 : 4);
- if (State->BufferSize < State->Header.n_colors * samples) {
- State->BufferSize = State->Header.n_colors * samples;
+ newbuffersize = State->Header.n_colors * samples;
+ if (newbuffersize / samples != State->Header.n_colors) /* Integer overflow check */
+ return FALSE;
+ if (State->BufferSize < newbuffersize) {
+ State->BufferSize = newbuffersize;
if (!grow_buffer (State, error))
return FALSE;
return TRUE;
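Review bot: The new overflow path returns FALSE without setting `error` or, as far as this hunk shows, moving `State->read_state` to the error state, so a caller that relies on `error` being populated on failure (as the second hunk's caller in gdk_pixbuf__bmp_image_load_increment does by setting one itself) has to guess why DecodeColormap failed. A bound check on the inputs is also clearer than multiplying first and dividing back: `if (State->Header.n_colors > G_MAXUINT / samples)` rejects the case before `newbuffersize` is computed, assuming n_colors is an unsigned type matching `guint newbuffersize` (its declaration is outside the hunk), and lets the function raise GDK_PIXBUF_ERROR_CORRUPT_IMAGE in place with a g_set_error_literal call, in the same way the other failure paths of this function presumably report through `error`. The multiply-then-divide form is correct for unsigned arithmetic, but if n_colors were signed the product would be signed overflow before the cast, so the pre-check form is also the safer one to keep. The end of DecodeColormap lies outside the hunk.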
@@ -1247,8 +1251,13 @@ gdk_pixbuf__bmp_image_load_increment(gpointer data,
break;
case READ_STATE_PALETTE:
- if (!DecodeColormap (context->buff, context, error))
+ if (!DecodeColormap (context->buff, context, error)) {
+ g_set_error (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Error while decoding colormap"));
return FALSE;
+ }
break;
case READ_STATE_BITMASKS:
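Review bot: The added g_set_error runs on every FALSE return from DecodeColormap, including the path where grow_buffer has already failed with `error` set (grow_buffer is called with `error` in the first hunk, so it presumably reports through it); setting a GError over an already-set one triggers GLib's "GError set over the top of a previous GError" warning and drops the new message. Guard it, e.g. `if (error && *error == NULL)` before the call, or better have DecodeColormap set the error on its own overflow path so this caller can stay at `return FALSE;` as before. Since the message takes no format arguments, `g_set_error_literal` is the appropriate call here in any case. The enclosing switch in gdk_pixbuf__bmp_image_load_increment starts and ends outside the hunk.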
diff --git a/tests/test-images/randomly-modified/decodecolormap.bmp b/tests/test-images/randomly-modified/decodecolormap.bmp
new file mode 100644
index 000000000..dc537dfec
--- /dev/null
+++ b/tests/test-images/randomly-modified/decodecolormap.bmp
Binary files differ