openSUSE:Leap:42.3:Staging:A
File gdk-pixbuf-bgo769738-bmp-overflow.patch of Package gdk-pixbuf
From 779429ce34e439c01d257444fe9d6739e72a2024 Mon Sep 17 00:00:00 2001
From: Tobias Mueller <gnome-bugs@muelli.cryptobitch.de>
Date: Tue, 12 Jul 2016 15:20:00 +0000
Subject: [PATCH] bmp: Detect integer overflow of the line width
Instead of risking crashes or OOM, return an error if we detect integer overflow. The commit also includes a test image that triggers this overflow when used with pixbuf-read. https://bugzilla.gnome.org/show_bug.cgi?id=768738
---
 gdk-pixbuf/io-bmp.c | 21 ++++++++++++---------
 .../randomly-modified/bmp-line-overflow.bmp | Bin 0 -> 74 bytes
 2 files changed, 12 insertions(+), 9 deletions(-)
 create mode 100644 tests/test-images/randomly-modified/bmp-line-overflow.bmp
diff --git a/gdk-pixbuf/io-bmp.c b/gdk-pixbuf/io-bmp.c
index 748ebae..08e3c76 100644
--- a/gdk-pixbuf/io-bmp.c
+++ b/gdk-pixbuf/io-bmp.c
@@ -254,6 +254,7 @@ static gboolean DecodeHeader(unsigned char *BFH, unsigned char *BIH,
 GError **error)
 {
 gint clrUsed;
+ guint bytesPerPixel;
 /* First check for the two first bytes content. A sane BMP file must start with bytes 0x42 0x4D. */
@@ -380,15 +381,17 @@ static gboolean DecodeHeader(unsigned char *BFH, unsigned char *BIH,
 return FALSE;
 }
- if (State->Type == 32)
- State->LineWidth = State->Header.width * 4;
- else if (State->Type == 24)
- State->LineWidth = State->Header.width * 3;
- else if (State->Type == 16)
- State->LineWidth = State->Header.width * 2;
- else if (State->Type == 8)
- State->LineWidth = State->Header.width * 1;
- else if (State->Type == 4)
+ if ((State->Type >= 8) && (State->Type <= 32) && (State->Type % 8 == 0)) {
+ bytesPerPixel = State->Type / 8;
+ State->LineWidth = State->Header.width * bytesPerPixel;
+ if (State->Header.width != State->LineWidth / bytesPerPixel) {
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("BMP image width too large"));
+ return FALSE;
+ }
+ } else if (State->Type == 4)
 State->LineWidth = (State->Header.width + 1) / 2;
 else if (State->Type == 1) {
 State->LineWidth = State->Header.width / 8;
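Review bot: The new overflow check covers only the 8/16/24/32-bit branch. The unchanged `State->Type == 4` branch at the end of the hunk still computes `State->Header.width + 1` with no bound, which can overflow at the maximum width if `Header.width` is a signed integer (its declaration is not visible here). The multiply-then-divide test is well-defined only because `bytesPerPixel` is `guint`, which forces the arithmetic to unsigned. A check before the multiplication, such as `if (State->Header.width > G_MAXINT / bytesPerPixel)`, would not depend on that and would also reject a negative width. DecodeHeader continues past this hunk, so whether the width is validated earlier, or whether `LineWidth` is later rounded or padded in a way that could wrap again, cannot be confirmed from these lines.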