From 6b213cafe047ba6d2d2ffca800d634b6a1af4037 Mon Sep 17 00:00:00 2001
From: John Mark Bell
Date: Thu, 16 Dec 2010 01:24:12 +0000
Subject: Fix bug #3128147: range check bitmap data size and header offset in .ico handling

svn path=/trunk/libnsbmp/; revision=11072
---
 src/libnsbmp.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'src')

diff --git a/src/libnsbmp.c b/src/libnsbmp.c
index d47792e..2d861bd 100644
--- a/src/libnsbmp.c
+++ b/src/libnsbmp.c
@@ -258,9 +258,20 @@ bmp_result ico_analyse(ico_collection *ico, size_t size, uint8_t *data) {
 		image->bmp.bmp_data = ico->ico_data + read_uint32(data, 12);
 		image->bmp.ico = true;
 		data += ICO_DIR_ENTRY_SIZE;
+
+		/* Ensure that the bitmap data resides in the buffer */
+		if (image->bmp.bmp_data - ico->ico_data >= ico->buffer_size)
+			return BMP_DATA_ERROR;
+
+		/* Ensure that we have sufficient data to read the bitmap */
+		if (image->bmp.buffer_size - ICO_DIR_ENTRY_SIZE >=
+				ico->buffer_size - (ico->ico_data - data))
+			return BMP_INSUFFICIENT_DATA;
+
 		result = bmp_analyse_header(&image->bmp, image->bmp.bmp_data);
 		if (result != BMP_OK)
 			return result;
+
 		/* adjust the size based on the images available */
 		area = image->bmp.width * image->bmp.height;
 		if (area > max_area) {
--
cgit v1.2.3
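Review bot: The first added check runs only after `image->bmp.bmp_data` has already been formed by adding a file-controlled 32-bit offset to `ico->ico_data`, so an out-of-range offset yields a pointer beyond the buffer before the test ever sees it (undefined behaviour, and on 32-bit targets the addition can wrap so the difference still passes). Validate the raw offset before computing the pointer: `uint32_t bmp_offset = read_uint32(data, 12);` `if (bmp_offset >= ico->buffer_size) return BMP_DATA_ERROR;` `image->bmp.bmp_data = ico->ico_data + bmp_offset;`. In the second check, `ico->ico_data - data` is zero or negative whenever `data` points inside `ico->ico_data` (which the `bmp_data` line suggests), so the right-hand side evaluates to at least `ico->buffer_size` rather than the bytes remaining, and the bound that matches the comment is the data left after the bitmap offset, `ico->buffer_size - (image->bmp.bmp_data - ico->ico_data)`; also note the comparison mixes a signed pointer difference with what appears to be a `size_t`. If `image->bmp.buffer_size` is read from the directory entry (set outside the hunk), `- ICO_DIR_ENTRY_SIZE` underflows for values below 16, which fails safe but deserves a comment. ico_analyse starts and ends outside the hunk.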