Fix infinite loop that can occur for bad image data (#150601, Chris Evans,

Fri Aug 20 11:59:10 2004  Owen Taylor  <otaylor@redhat.com>

        * io-bmp.c: Fix infinite loop that can occur for bad
        image data (#150601, Chris Evans, Manish Singh)

2 files changed, 16 insertions, 1 deletions

diff --git a/gdk-pixbuf/ChangeLog b/gdk-pixbuf/ChangeLog
index 9bf55a29d..074838f5a 100644
--- a/gdk-pixbuf/ChangeLog
+++ b/gdk-pixbuf/ChangeLog
@@ -1,3 +1,8 @@
+Fri Aug 20 11:59:10 2004  Owen Taylor  <otaylor@redhat.com>
+
+	* io-bmp.c: Fix infinite loop that can occur for bad
+	image data (#150601, Chris Evans, Manish Singh)
+
 2004-08-17  Matthias Clasen  <mclasen@redhat.com>
 
 	* abicheck.sh: No need for INCLUDE_INTERNAL_SYMBOLS any more.
diff --git a/gdk-pixbuf/io-bmp.c b/gdk-pixbuf/io-bmp.c
index 82ddba130..015eca8da 100644
--- a/gdk-pixbuf/io-bmp.c
+++ b/gdk-pixbuf/io-bmp.c
@@ -876,8 +876,18 @@ DoCompressed(struct bmp_progressive_state *context, GError **error)
 	guchar c;
 	gint idx;
 
-	if (context->compr.y >= context->Header.height)
+	/* context->compr.y might be past the last line because we are
+	 * on padding past the end of a valid data, or we might have hit
+	 * out-of-bounds data. Either way we just eat-and-ignore the
+	 * rest of the file. Doing the check only here and not when
+	 * we change y below is fine since BufferSize is always 2 here
+	 * and the BMP file format always starts new data on 16-bit
+	 * boundaries.
+	 */
+	if (context->compr.y >= context->Header.height) {
+		context->BufferDone = 0;
 		return TRUE;
+	}
 
 	y = context->compr.y;