[gimp] Harden the BMP plugin against integer overflows.



commit e3afc99b2fa7aeddf0dba4778663160a5bc682d3
Author: Simon Budig <simon gimp org>
Date:   Tue Nov 10 00:08:59 2009 +0100

    Harden the BMP plugin against integer overflows.
    
    Issues discovered by Stefan Cornelius, Secunia Research, advisory SA37232
    and CVE identifier CVE-2009-1570. Fixes bug #600484.

 plug-ins/file-bmp/bmp-read.c |   15 ++++++++++++++-
 1 files changed, 14 insertions(+), 1 deletions(-)
---
diff --git a/plug-ins/file-bmp/bmp-read.c b/plug-ins/file-bmp/bmp-read.c
index 804c320..cc3b7e8 100644
--- a/plug-ins/file-bmp/bmp-read.c
+++ b/plug-ins/file-bmp/bmp-read.c
@@ -423,7 +423,8 @@ ReadBMP (const gchar  *name,
       return -1;
     }
 
-  if (Bitmap_Head.biWidth < 0)
+  if (Bitmap_Head.biWidth < 0 ||
+      ABS (Bitmap_Head.biHeight) < 0)
     {
       g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
                    _("'%s' is not a valid BMP file"),
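Review bot: The added `ABS (Bitmap_Head.biHeight) < 0` test can only be true when biHeight holds the most negative value of its type, and it reaches that result by negating the value, which is signed overflow and undefined behaviour in C. An optimizing compiler may assume the result of ABS is never negative and remove the test, leaving the guard ineffective. Comparing directly, as in `Bitmap_Head.biHeight == G_MININT32`, states the intent without relying on wraparound; this assumes biHeight is a signed 32-bit field, whose declaration is outside the hunk. The overflow checks added further down call `ABS (Bitmap_Head.biHeight)` again, so they depend on this guard having rejected that value first. ReadBMP's body begins and ends outside the hunk.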
@@ -447,6 +448,18 @@ ReadBMP (const gchar  *name,
       return -1;
     }
 
+  /* protect against integer overflows caused by malicious BMPs */
+
+  if (((guint64) Bitmap_Head.biWidth) * Bitmap_Head.biBitCnt > G_MAXINT32 ||
+      ((guint64) Bitmap_Head.biWidth) * ABS (Bitmap_Head.biHeight) > G_MAXINT32 ||
+      ((guint64) Bitmap_Head.biWidth) * ABS (Bitmap_Head.biHeight) * 4 > G_MAXINT32)
+    {
+      g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+                   _("'%s' is not a valid BMP file"),
+                   gimp_filename_to_utf8 (filename));
+      return -1;
+    }
+
   /* Windows and OS/2 declare filler so that rows are a multiple of
    * word length (32 bits == 4 bytes)
    */
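Review bot: In the new three-clause condition the second clause (width times height against G_MAXINT32) is implied by the third, which tests the same product times 4, so it only adds noise to a security check that should be easy to audit. The pair could be collapsed into `((guint64) Bitmap_Head.biWidth) * ABS (Bitmap_Head.biHeight) > G_MAXINT32 / 4`, which is equivalent in integer arithmetic. The `(guint64)` cast of biWidth is only meaningful because negative widths were rejected earlier in the function, and the comment would help the next reader if it named that dependency and which later size computations these bounds protect (presumably the row size and the pixel buffer, which are not visible in this hunk). The enclosing function starts and ends outside the hunk.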


