[gdk-pixbuf/gdk-pixbuf-2-32] bmp: Reject impossible palette size



commit 83b50400a938c648ea6f4469ef306caffeca05fb
Author: Matthias Clasen <mclasen redhat com>
Date:   Sat Dec 5 16:35:30 2015 -0500

    bmp: Reject impossible palette size
    
    bmp headers contain separate fields for the number of colors,
    and the bit depth. Catch the impossible n_colors > 1 << depth
    and error early, before it causes an out-of-bounds memory
    access when decoding the colormap.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=758991

 gdk-pixbuf/io-bmp.c |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)
---
diff --git a/gdk-pixbuf/io-bmp.c b/gdk-pixbuf/io-bmp.c
index 5c30bfb..f412997 100644
--- a/gdk-pixbuf/io-bmp.c
+++ b/gdk-pixbuf/io-bmp.c
@@ -325,6 +325,7 @@ static gboolean DecodeHeader(unsigned char *BFH, unsigned char *BIH,
                                      GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
                                      _("BMP image has unsupported depth"));
                State->read_state = READ_STATE_ERROR;
+               return FALSE;
           }
 
        if (State->Header.size == 12)
@@ -332,6 +333,16 @@ static gboolean DecodeHeader(unsigned char *BFH, unsigned char *BIH,
        else
                clrUsed = (int) (BIH[35] << 24) + (BIH[34] << 16) + (BIH[33] << 8) + (BIH[32]);
 
+        if (clrUsed > (1 << State->Header.depth))
+          {
+               g_set_error_literal (error,
+                                     GDK_PIXBUF_ERROR,
+                                     GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+                                     _("BMP image has oversize palette"));
+               State->read_state = READ_STATE_ERROR;
+               return FALSE;
+          }
+
        if (clrUsed != 0)
                State->Header.n_colors = clrUsed;
        else
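Review bot: The added guard `if (clrUsed > (1 << State->Header.depth))` rejects only a palette count that is too large and positive; a negative `clrUsed` still passes it. `clrUsed` is an `int` built from four header bytes with `BIH[35] << 24`, so a top byte of 0x80 or above gives a negative value (and the shift itself overflows a signed int), which the `clrUsed != 0` branch then stores in `State->Header.n_colors`. The right-hand side has the same weakness if depth can be 31 or 32 at this point, which depends on the depth validation above the hunk. I would reject the negative case and compare in a wider unsigned type: `if (clrUsed < 0 || (guint64) clrUsed > ((guint64) 1 << State->Header.depth))`. DecodeHeader starts and ends outside the hunk, so the later colormap sizing should be checked against the same bound.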

