Commit df2b0aca authored by Simon Budig's avatar Simon Budig

Harden the BMP plugin against integer overflows.

Issues discovered by Stefan Cornelius, Secunia Research, advisory SA37232
and CVE identifier CVE-2009-1570. Fixes bug #600484.
parent b8c28ab2
......@@ -424,7 +424,8 @@ ReadBMP (const gchar *name,
return -1;
}
if (Bitmap_Head.biWidth < 0)
if (Bitmap_Head.biWidth < 0 ||
ABS (Bitmap_Head.biHeight) < 0)
{
g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
_("'%s' is not a valid BMP file"),
......@@ -448,6 +449,18 @@ ReadBMP (const gchar *name,
return -1;
}
/* protect against integer overflows caused by malicious BMPs */
if (((guint64) Bitmap_Head.biWidth) * Bitmap_Head.biBitCnt > G_MAXINT32 ||
((guint64) Bitmap_Head.biWidth) * ABS (Bitmap_Head.biHeight) > G_MAXINT32 ||
((guint64) Bitmap_Head.biWidth) * ABS (Bitmap_Head.biHeight) * 4 > G_MAXINT32)
{
g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
_("'%s' is not a valid BMP file"),
gimp_filename_to_utf8 (filename));
return -1;
}
/* Windows and OS/2 declare filler so that rows are a multiple of
* word length (32 bits == 4 bytes)
*/
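Review bot: The `ABS (Bitmap_Head.biHeight) < 0` test added in the first hunk can only be true when negating biHeight overflows (biHeight equal to the minimum value of its signed type), and that negation is signed-overflow undefined behaviour, so an optimizing compiler is entitled to fold the comparison to false and silently drop the check; an explicit `Bitmap_Head.biHeight == G_MININT32` (assuming the field is a gint32, which the hunk does not show) rejects the same input without relying on wraparound. In the second hunk the middle condition `((guint64) Bitmap_Head.biWidth) * ABS (Bitmap_Head.biHeight) > G_MAXINT32` is implied by the third (the same product times 4) and can be dropped, or the three bounds documented with a comment such as `/* reject images whose row size in bits, pixel count, or 4-byte-per-pixel buffer would not fit a signed 32-bit size */`. The literal `* 4` hard-codes the destination bytes-per-pixel; if a later allocation derives its stride from a different constant, this bound should be computed from that same constant so the two cannot drift apart. ReadBMP's body begins and continues outside both hunks.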
......