Commit df2b0aca authored by Simon Budig's avatar Simon Budig

Harden the BMP plugin against integer overflows.

Issues discovered by Stefan Cornelius, Secunia Research, advisory SA37232
and CVE identifier CVE-2009-1570. Fixes bug #600484.
parent b8c28ab2
......@@ -424,7 +424,8 @@ ReadBMP (const gchar *name,
return -1;
}
if (Bitmap_Head.biWidth < 0)
if (Bitmap_Head.biWidth < 0 ||
ABS (Bitmap_Head.biHeight) < 0)
{
g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
_("'%s' is not a valid BMP file"),
......@@ -448,6 +449,18 @@ ReadBMP (const gchar *name,
return -1;
}
/* protect against integer overflows caused by malicious BMPs */
if (((guint64) Bitmap_Head.biWidth) * Bitmap_Head.biBitCnt > G_MAXINT32 ||
((guint64) Bitmap_Head.biWidth) * ABS (Bitmap_Head.biHeight) > G_MAXINT32 ||
((guint64) Bitmap_Head.biWidth) * ABS (Bitmap_Head.biHeight) * 4 > G_MAXINT32)
{
g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
_("'%s' is not a valid BMP file"),
gimp_filename_to_utf8 (filename));
return -1;
}
/* Windows and OS/2 declare filler so that rows are a multiple of
* word length (32 bits == 4 bytes)
*/
......
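Review bot: The new `ABS (Bitmap_Head.biHeight) < 0` test in the first hunk only fires when `ABS` of the most negative value wraps, and if biHeight is a signed 32-bit field (as the G_MAXINT32 comparisons in the second hunk suggest) that wrap is signed overflow, i.e. undefined behaviour, so the compiler may fold the comparison to false and let a height of G_MININT32 reach the `ABS` products in the second hunk. Reject that value explicitly instead, `Bitmap_Head.biHeight == G_MININT32`, which makes every later `ABS (Bitmap_Head.biHeight)` well defined. In the second hunk the third condition already implies the second, so the `((guint64) Bitmap_Head.biWidth) * ABS (Bitmap_Head.biHeight) > G_MAXINT32` line can be dropped without weakening the guard. ReadBMP begins and continues outside both hunks.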