bmp: be a bit more restrictive in input depths

For OS/2 BMP 1.0 files, the spec says only 1/4/8/24 bit images are supported, so ignore other depths as invalid. oss-fuzz pointed out: gd_bmp.c:670:22: runtime error: shift exponent 12803 is too large for 32-bit type 'int'
author: Mike Frysinger <vapier@gentoo.org> 2018-01-26 21:53:05 -0500
committer: Mike Frysinger <vapier@gentoo.org> 2018-01-26 21:53:05 -0500
commit: 5618b9e82ad392b22a31bf1741eb0ee017626b95 (patch)
tree: 9cb305619491477ef608ee035d2077ca04059103 /src/gd_bmp.c
parent: f0a059be6c36a0b2fce42b3c195d2d87f3d3420d (diff)
download: libgd-5618b9e82ad392b22a31bf1741eb0ee017626b95.tar.gz
1 files changed, 7 insertions, 2 deletions
diff --git a/src/gd_bmp.c b/src/gd_bmp.c
index 7b29c1a..bbc2d26 100644
--- a/src/gd_bmp.c
+++ b/src/gd_bmp.c
@@ -667,11 +667,16 @@ static int bmp_read_os2_v1_info(gdIOCtxPtr infile, bmp_info_t *info)
 	/* OS2 v1 doesn't support topdown */
 	info->topdown = 0;
 
+	/* The spec says the depth can only be a few value values. */
+	if (info->depth != 1 && info->depth != 4 && info->depth != 8 &&
+	        info->depth != 16 && info->depth != 24) {
+		return 1;
+	}
+
 	info->numcolors = 1 << info->depth;
 	info->type = BMP_PALETTE_3;
 
-	if (info->width <= 0 || info->height <= 0 || info->numplanes <= 0 ||
-	        info->depth <= 0 || info->numcolors < 0) {
+	if (info->width <= 0 || info->height <= 0 || info->numplanes <= 0) {
 		return 1;
 	}
author	Mike Frysinger <vapier@gentoo.org>	2018-01-26 21:53:05 -0500
committer	Mike Frysinger <vapier@gentoo.org>	2018-01-26 21:53:05 -0500
commit	5618b9e82ad392b22a31bf1741eb0ee017626b95 (patch)
tree	9cb305619491477ef608ee035d2077ca04059103 /src/gd_bmp.c
parent	f0a059be6c36a0b2fce42b3c195d2d87f3d3420d (diff)
download	libgd-5618b9e82ad392b22a31bf1741eb0ee017626b95.tar.gz