diff options
author | Matthias Clasen <mclasen@redhat.com> | 2015-12-05 16:35:30 -0500 |
---|---|---|
committer | Matthias Clasen <mclasen@redhat.com> | 2015-12-05 16:35:30 -0500 |
commit | b7bf6fbfb310fceba2d35d4de143b8d5ffdad990 (patch) | |
tree | 2d0ef5927f0626e39e7d42744c8871ff2b260df7 | |
parent | ca74893a8e06e99b4adc682ee1550bfd020687c7 (diff) | |
download | gdk-pixbuf-b7bf6fbfb310fceba2d35d4de143b8d5ffdad990.tar.gz |
bmp: Reject impossible palette size
bmp headers contain separate fields for the number of colors,
and the bit depth. Catch the impossible n_colors > 1 << depth
and error early, before it causes a out-of-bounds memory
access when decoding the colormap.
https://bugzilla.gnome.org/show_bug.cgi?id=758991
-rw-r--r-- | gdk-pixbuf/io-bmp.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/gdk-pixbuf/io-bmp.c b/gdk-pixbuf/io-bmp.c index 5c30bfbba..f412997eb 100644 --- a/gdk-pixbuf/io-bmp.c +++ b/gdk-pixbuf/io-bmp.c @@ -325,6 +325,7 @@ static gboolean DecodeHeader(unsigned char *BFH, unsigned char *BIH, GDK_PIXBUF_ERROR_CORRUPT_IMAGE, _("BMP image has unsupported depth")); State->read_state = READ_STATE_ERROR; + return FALSE; } if (State->Header.size == 12) @@ -332,6 +333,16 @@ static gboolean DecodeHeader(unsigned char *BFH, unsigned char *BIH, else clrUsed = (int) (BIH[35] << 24) + (BIH[34] << 16) + (BIH[33] << 8) + (BIH[32]); + if (clrUsed > (1 << State->Header.depth)) + { + g_set_error_literal (error, + GDK_PIXBUF_ERROR, + GDK_PIXBUF_ERROR_CORRUPT_IMAGE, + _("BMP image has oversize palette")); + State->read_state = READ_STATE_ERROR; + return FALSE; + } + if (clrUsed != 0) State->Header.n_colors = clrUsed; else |