[gdk-pixbuf] bmp: Error out when bottom-to-top BMP is too high

From: Bastien Nocera <hadess src gnome org>
To: commits-list gnome org
Cc:
Subject: [gdk-pixbuf] bmp: Error out when bottom-to-top BMP is too high
Date: Tue, 13 Dec 2016 17:45:37 +0000 (UTC)

commit a3d6e40e86bc990151f60f8777285d3b7414b4c5
Author: Tobias Mueller <muelli cryptobitch de>
Date:   Mon Nov 28 16:18:42 2016 +0100

    bmp: Error out when bottom-to-top BMP is too high
    
    BMP files with BITMAPV4HEADER can have negative height when the image is
    encoded botton-to-top, but when that negative height is INT_MIN, we
    cannot represent it as a positive integer (|INT_MIN| = INT_MAX + 1).
    Error out in this case.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=775242

 gdk-pixbuf/io-bmp.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)
---
diff --git a/gdk-pixbuf/io-bmp.c b/gdk-pixbuf/io-bmp.c
index 08e3c76..b896a03 100644
--- a/gdk-pixbuf/io-bmp.c
+++ b/gdk-pixbuf/io-bmp.c
@@ -353,6 +353,14 @@ static gboolean DecodeHeader(unsigned char *BFH, unsigned char *BIH,
 
        /* Negative heights indicates bottom-down pixelorder */
        if (State->Header.height < 0) {
+               if (State->Header.height == INT_MIN) {
+                       g_set_error_literal (error,
+                                            GDK_PIXBUF_ERROR,
+                                            GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+                                            _("BMP image has bogus header data"));
+                       State->read_state = READ_STATE_ERROR;
+                       return FALSE;
+               }
                State->Header.height = -State->Header.height;
                State->Header.Negative = 1;
        }

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]