Commit 6e8ff603 authored by Nils Philippsen's avatar Nils Philippsen

Use more defensive coding in plausibility check.

Use an equivalent division instead of multiplying values and checking if
they are more than G_MAXINT32, because divisions cannot overflow.
(cherry picked from commit f63ba36d)
parent 0214e1ff
......@@ -452,10 +452,10 @@ ReadBMP (const gchar *name,
}
/* protect against integer overflows caused by malicious BMPs */
/* use divisions in comparisons to avoid type overflows */
if (((guint64) Bitmap_Head.biWidth) * Bitmap_Head.biBitCnt > G_MAXINT32 ||
((guint64) Bitmap_Head.biWidth) * ABS (Bitmap_Head.biHeight) > G_MAXINT32 ||
((guint64) Bitmap_Head.biWidth) * ABS (Bitmap_Head.biHeight) * 4 > G_MAXINT32)
if (((guint64) Bitmap_Head.biWidth) > G_MAXINT32 / Bitmap_Head.biBitCnt ||
((guint64) Bitmap_Head.biWidth) > (G_MAXINT32 / ABS (Bitmap_Head.biHeight)) / 4)
{
g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
_("'%s' is not a valid BMP file"),
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment