diff options
author | Bastien Nocera <hadess@hadess.net> | 2017-07-13 22:13:36 +0200 |
---|---|---|
committer | Bastien Nocera <hadess@hadess.net> | 2017-07-13 22:13:36 +0200 |
commit | b92030b46ec0d4b7a38c0a9b79bcca5dd3aed5c6 (patch) | |
tree | f423b01cdcc081d0a2e4b0918e08bd1afea5c841 | |
parent | e08c11540bec325189b621666b1fa5e58178693d (diff) | |
download | gdk-pixbuf-b92030b46ec0d4b7a38c0a9b79bcca5dd3aed5c6.tar.gz |
ico: Fix possible offset overflow
In case the offset is MAXINT, don't try to get a header size past it.
https://bugzilla.gnome.org/show_bug.cgi?id=776040
-rw-r--r-- | gdk-pixbuf/io-ico.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/gdk-pixbuf/io-ico.c b/gdk-pixbuf/io-ico.c index b7945dec2..e5444640c 100644 --- a/gdk-pixbuf/io-ico.c +++ b/gdk-pixbuf/io-ico.c @@ -326,7 +326,9 @@ static void DecodeHeader(guchar *Data, gint Bytes, for (l = State->entries; l != NULL; l = g_list_next (l)) { entry = l->data; - if (entry->DIBoffset < 0) { + /* We check whether the HeaderSize (int) would overflow */ + if (entry->DIBoffset > INT_MAX - INFOHEADER_SIZE) + { g_set_error (error, GDK_PIXBUF_ERROR, GDK_PIXBUF_ERROR_CORRUPT_IMAGE, |