authorOwen Taylor <otaylor@redhat.com>2004-08-20 17:59:24 +0000
committerOwen Taylor <otaylor@src.gnome.org>2004-08-20 17:59:24 +0000
commited60d5f28cf047a7d3c82a6d8ee4fa97da931e45 (patch)
tree8393c8cf7e0ae25461676d641e2907ec613b49fc /gdk-pixbuf/io-bmp.c
parenta1f93eb16c699b60818e950953a50a73fb59759e (diff)
Fix infinite loop that can occur for bad image data (#150601, Chris Evans,
Fri Aug 20 11:59:10 2004 Owen Taylor <otaylor@redhat.com> * io-bmp.c: Fix infinite loop that can occur for bad image data (#150601, Chris Evans, Manish Singh)
Diffstat (limited to 'gdk-pixbuf/io-bmp.c')
-rw-r--r--gdk-pixbuf/io-bmp.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/gdk-pixbuf/io-bmp.c b/gdk-pixbuf/io-bmp.c
index 82ddba130..015eca8da 100644
--- a/gdk-pixbuf/io-bmp.c
+++ b/gdk-pixbuf/io-bmp.c
@@ -876,8 +876,18 @@ DoCompressed(struct bmp_progressive_state *context, GError **error)
guchar c;
gint idx;
- if (context->compr.y >= context->Header.height)
+ /* context->compr.y might be past the last line because we are
+ * on padding past the end of a valid data, or we might have hit
+ * out-of-bounds data. Either way we just eat-and-ignore the
+ * rest of the file. Doing the check only here and not when
+ * we change y below is fine since BufferSize is always 2 here
+ * and the BMP file format always starts new data on 16-bit
+ * boundaries.
+ */
+ if (context->compr.y >= context->Header.height) {
+ context->BufferDone = 0;
return TRUE;
+ }
y = context->compr.y;
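Review bot: The guard is evaluated only on entry to DoCompressed, and the new comment justifies that with "BufferSize is always 2 here", an invariant that nothing in this hunk establishes or checks. The function body continues past the hunk, so the later updates to `y` that the comment mentions are not visible here, and whether every row write is preceded by this check cannot be confirmed from these lines. I would name in the comment where the invariant is set, for example `/* BufferSize is fixed at 2 by <place that sets it for compressed data>, so this check runs before each pair is decoded */`, so that a later change to the buffering does not silently remove the bounds check. The check also tests only the upper bound; if `compr.y` is a signed field, it is worth confirming that it cannot go negative in the code below.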