Commit b7bf6fbf authored by Matthias Clasen's avatar Matthias Clasen

bmp: Reject impossible palette size

BMP headers contain separate fields for the number of colors
and the bit depth. Catch the impossible n_colors > 1 << depth
and error early, before it causes an out-of-bounds memory
access when decoding the colormap.

https://bugzilla.gnome.org/show_bug.cgi?id=758991
parent ca74893a
......@@ -325,6 +325,7 @@ static gboolean DecodeHeader(unsigned char *BFH, unsigned char *BIH,
GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
_("BMP image has unsupported depth"));
State->read_state = READ_STATE_ERROR;
return FALSE;
}
if (State->Header.size == 12)
......@@ -332,6 +333,16 @@ static gboolean DecodeHeader(unsigned char *BFH, unsigned char *BIH,
else
clrUsed = (int) (BIH[35] << 24) + (BIH[34] << 16) + (BIH[33] << 8) + (BIH[32]);
if (clrUsed > (1 << State->Header.depth))
{
g_set_error_literal (error,
GDK_PIXBUF_ERROR,
GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
_("BMP image has oversize palette"));
State->read_state = READ_STATE_ERROR;
return FALSE;
}
if (clrUsed != 0)
State->Header.n_colors = clrUsed;
else
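Review bot: The new bound `if (clrUsed > (1 << State->Header.depth))` rejects only palettes that are too large, so a negative `clrUsed` still passes it and is stored in `State->Header.n_colors` by the `if (clrUsed != 0)` branch that follows. The value is assembled from four header bytes with an `(int)` cast, so a file with the top bit of `BIH[35]` set can make it negative (assuming `clrUsed` is a signed int; its declaration is outside the hunk). I would write the guard as `if (clrUsed < 0 || clrUsed > (1 << State->Header.depth))`. Separately, if the depth validation above admits 32, `1 << State->Header.depth` shifts by the full width of `int`, which is undefined; shifting an unsigned 64-bit one, or making the comparison only for palettised depths, would avoid that. DecodeHeader begins and ends outside the visible hunks, so how `n_colors` is consumed later cannot be confirmed from here.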
......