bmp: Reject bogus depth

Erroring out early if we find a bogus image depth is the right thing to do, and avoids possible memory overruns later on. https://bugzilla.gnome.org/show_bug.cgi?id=747605
author: Matthias Clasen <mclasen@redhat.com> 2015-12-05 15:49:32 -0500
committer: Matthias Clasen <mclasen@redhat.com> 2015-12-05 15:49:32 -0500
commit: ca74893a8e06e99b4adc682ee1550bfd020687c7 (patch)
tree: 759f3eacb9e402b0de23bc5f3d5a4bb89b3b31b0 /gdk-pixbuf
parent: 3d809a8ad6f30a081265a10911b0464b2027889d (diff)
download: gdk-pixbuf-ca74893a8e06e99b4adc682ee1550bfd020687c7.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/gdk-pixbuf/io-bmp.c b/gdk-pixbuf/io-bmp.c
index 1f197e83d..5c30bfbba 100644
--- a/gdk-pixbuf/io-bmp.c
+++ b/gdk-pixbuf/io-bmp.c
@@ -318,6 +318,15 @@ static gboolean DecodeHeader(unsigned char *BFH, unsigned char *BIH,
 		return FALSE;
 	}
 
+        if (State->Header.depth > 32)
+          {
+		g_set_error_literal (error,
+                                     GDK_PIXBUF_ERROR,
+                                     GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+                                     _("BMP image has unsupported depth"));
+		State->read_state = READ_STATE_ERROR;
+          }
+
 	if (State->Header.size == 12)
 		clrUsed = 1 << State->Header.depth;
 	else
author	Matthias Clasen <mclasen@redhat.com>	2015-12-05 15:49:32 -0500
committer	Matthias Clasen <mclasen@redhat.com>	2015-12-05 15:49:32 -0500
commit	ca74893a8e06e99b4adc682ee1550bfd020687c7 (patch)
tree	759f3eacb9e402b0de23bc5f3d5a4bb89b3b31b0 /gdk-pixbuf
parent	3d809a8ad6f30a081265a10911b0464b2027889d (diff)
download	gdk-pixbuf-ca74893a8e06e99b4adc682ee1550bfd020687c7.tar.gz