[gdk-pixbuf] bmp: Fix an integer overflow in DecodeColormap



commit b69009f2a2de151103ed87e9594615ba0fe72daf
Author: Tobias Mueller <gnome-bugs muelli cryptobitch de>
Date:   Mon Jul 11 17:01:00 2016 +0000

    bmp: Fix an integer overflow in DecodeColormap
    
    Return an error if n_colors * samples overflows.
    
    This commit also adds a reproducer that will cause
    pixbuf-randomly-modified to crash in the absence of
    the patch.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=768688

 gdk-pixbuf/io-bmp.c                                |   15 ++++++++++++---
 .../randomly-modified/decodecolormap.bmp           |  Bin 0 -> 118 bytes
 2 files changed, 12 insertions(+), 3 deletions(-)
---
diff --git a/gdk-pixbuf/io-bmp.c b/gdk-pixbuf/io-bmp.c
index f412997..748ebae 100644
--- a/gdk-pixbuf/io-bmp.c
+++ b/gdk-pixbuf/io-bmp.c
@@ -518,12 +518,16 @@ static gboolean DecodeColormap (guchar *buff,
 {
        gint i;
        gint samples;
+       guint newbuffersize;
 
        g_assert (State->read_state == READ_STATE_PALETTE);
 
        samples = (State->Header.size == 12 ? 3 : 4);
-       if (State->BufferSize < State->Header.n_colors * samples) {
-               State->BufferSize = State->Header.n_colors * samples;
+       newbuffersize = State->Header.n_colors * samples;
+       if (newbuffersize / samples != State->Header.n_colors) /* Integer overflow check */
+               return FALSE;
+       if (State->BufferSize < newbuffersize) {
+               State->BufferSize = newbuffersize;
                if (!grow_buffer (State, error))
                        return FALSE;
                return TRUE;
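Review bot: The overflow check at L39 is a multiply-then-divide test; it is sound only because `newbuffersize` is `guint` (L31) so the wrapped product is a defined value, and because `samples` (a `gint`, L30) is promoted to unsigned in the division — fine for 3 or 4, but a reader has to reconstruct that. A pre-multiplication bound says the same thing without relying on wraparound or mixed signedness: `if (State->Header.n_colors > G_MAXUINT / samples) return FALSE;` (the type of `Header.n_colors` is not visible here; if it is wider than `guint` the existing check would also need a cast). Separately, a product that does not wrap can still be enormous — a few hundred million colours times 4 is a multi-GiB `BufferSize` handed to `grow_buffer()` — so unless header parsing outside this hunk already clamps `n_colors` to `1 << depth` (a real palette has at most 256 entries), a cheap upper bound here would be worth adding. Note also that the new `return FALSE` at L40 does not set `*error`, so the caller is relied on to report it. DecodeColormap begins and ends outside this hunk.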
@@ -1247,8 +1251,13 @@ gdk_pixbuf__bmp_image_load_increment(gpointer data,
                        break;
 
                case READ_STATE_PALETTE:
-                       if (!DecodeColormap (context->buff, context, error))
+                       if (!DecodeColormap (context->buff, context, error)) {
+                               g_set_error (error,
+                                            GDK_PIXBUF_ERROR,
+                                            GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+                                            _("Error while decoding colormap"));
                                return FALSE;
+                       }
                        break;
 
                case READ_STATE_BITMASKS:
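Review bot: The `g_set_error` at L52 runs on every failure of `DecodeColormap`, but one of its failure paths is `grow_buffer (State, error)` (visible at L43–L44 of the previous hunk), which receives the `GError **` and presumably populates it before returning FALSE; in that case `*error` is already non-NULL and GLib's `g_set_error` emits the "GError set over the top of a previous GError" warning and drops the new message rather than reporting the more specific allocation error. The cleaner fix is to report at the source: in DecodeColormap replace the bare overflow return with `g_set_error_literal (error, GDK_PIXBUF_ERROR, GDK_PIXBUF_ERROR_CORRUPT_IMAGE, _("Error while decoding colormap")); return FALSE;` and leave this case as a plain `return FALSE;`, so every failure path sets the error exactly once. If the caller-side report is kept instead, it should at least be guarded with `if (error == NULL || *error == NULL)`. gdk_pixbuf__bmp_image_load_increment begins and ends outside this hunk.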
diff --git a/tests/test-images/randomly-modified/decodecolormap.bmp 
b/tests/test-images/randomly-modified/decodecolormap.bmp
new file mode 100644
index 0000000..dc537df
Binary files /dev/null and b/tests/test-images/randomly-modified/decodecolormap.bmp differ

