authorJohn Mark Bell <jmb@netsurf-browser.org>2010-12-16 01:24:12 +0000
committerJohn Mark Bell <jmb@netsurf-browser.org>2010-12-16 01:24:12 +0000
commit6b213cafe047ba6d2d2ffca800d634b6a1af4037 (patch)
treee8512163cf19b2c3ed4bb0adc6d54ba549c65634
parenta24b8eec96b21d6d225f1795e8f50f7b54a30adf (diff)
Fix bug #3128147: range check bitmap data size and header offset in .ico handling
svn path=/trunk/libnsbmp/; revision=11072
-rw-r--r--src/libnsbmp.c11
1 files changed, 11 insertions, 0 deletions
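--- a/src/libnsbmp.c
+++ b/src/libnsbmp.c
@@ -258,9 +258,20 @@ bmp_result ico_analyse(ico_collection *ico, size_t size, uint8_t *data) {
 image->bmp.bmp_data = ico->ico_data + read_uint32(data, 12);
 image->bmp.ico = true;
 data += ICO_DIR_ENTRY_SIZE;
+
+ /* Ensure that the bitmap data resides in the buffer */
+ if (image->bmp.bmp_data - ico->ico_data >= ico->buffer_size)
+ return BMP_DATA_ERROR;
+
+ /* Ensure that we have sufficient data to read the bitmap */
+ if (image->bmp.buffer_size - ICO_DIR_ENTRY_SIZE >=
+ ico->buffer_size - (ico->ico_data - data))
+ return BMP_INSUFFICIENT_DATA;
+
 result = bmp_analyse_header(&image->bmp, image->bmp.bmp_data);
 if (result != BMP_OK)
 return result;
+
 /* adjust the size based on the images available */
 area = image->bmp.width * image->bmp.height;
 if (area > max_area) {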
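Review bot: The range check added after `data += ICO_DIR_ENTRY_SIZE` runs only after the context line above it has already formed `image->bmp.bmp_data = ico->ico_data + read_uint32(data, 12)`, so an offset from the file larger than the buffer yields an out-of-range pointer before the comparison ever sees it; checking the raw offset first avoids that, e.g. `uint32_t bmp_offset = read_uint32(data, 12); if (bmp_offset >= ico->buffer_size) return BMP_DATA_ERROR; image->bmp.bmp_data = ico->ico_data + bmp_offset;`. In the second check, `ico->buffer_size - (ico->ico_data - data)` subtracts a pointer difference that, if `data` walks the same buffer past `ico->ico_data` as the preceding increment suggests, is negative, which makes the right-hand side larger than `ico->buffer_size` rather than the bytes actually remaining; the intended quantity is presumably the bytes left after the bitmap offset, `ico->buffer_size - (image->bmp.bmp_data - ico->ico_data)`, so this is worth confirming against a truncated .ico. Both comparisons also mix a ptrdiff_t with a size_t, so a short comment stating that a negative difference is meant to convert to a large unsigned value and fail the check would help the next reader. ico_analyse begins and ends outside the hunk.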