author | John Mark Bell <jmb@netsurf-browser.org> | 2010-12-16 01:24:12 +0000 |
---|---|---|
committer | John Mark Bell <jmb@netsurf-browser.org> | 2010-12-16 01:24:12 +0000 |
commit | 6b213cafe047ba6d2d2ffca800d634b6a1af4037 (patch) | |
tree | e8512163cf19b2c3ed4bb0adc6d54ba549c65634 | |
parent | a24b8eec96b21d6d225f1795e8f50f7b54a30adf (diff) | |
Fix bug #3128147: range check bitmap data size and header offset in .ico handling
svn path=/trunk/libnsbmp/; revision=11072
-rw-r--r-- | src/libnsbmp.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/src/libnsbmp.c b/src/libnsbmp.c
index d47792e..2d861bd 100644
--- a/src/libnsbmp.c
+++ b/src/libnsbmp.c
@@ -258,9 +258,20 @@ bmp_result ico_analyse(ico_collection *ico, size_t size, uint8_t *data) {
 image->bmp.bmp_data = ico->ico_data + read_uint32(data, 12);
 image->bmp.ico = true;
 data += ICO_DIR_ENTRY_SIZE;
+
+ /* Ensure that the bitmap data resides in the buffer */
+ if (image->bmp.bmp_data - ico->ico_data >= ico->buffer_size)
+ return BMP_DATA_ERROR;
+
+ /* Ensure that we have sufficient data to read the bitmap */
+ if (image->bmp.buffer_size - ICO_DIR_ENTRY_SIZE >=
+ ico->buffer_size - (ico->ico_data - data))
+ return BMP_INSUFFICIENT_DATA;
+
 result = bmp_analyse_header(&image->bmp, image->bmp.bmp_data);
 if (result != BMP_OK)
 return result;
+
 /* adjust the size based on the images available */
 area = image->bmp.width * image->bmp.height;
 if (area > max_area) {
 |
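Review bot: The second added check does not bound the bitmap against the end of the ICO buffer: `data` has already been advanced past the 6-byte header and this directory entry, so `ico->ico_data - data` is negative (assuming `ico->ico_data` is the start of the buffer, which is set outside this hunk), the right-hand side `ico->buffer_size - (ico->ico_data - data)` is larger than `ico->buffer_size`, and the check only rejects a declared `image->bmp.buffer_size` that exceeds the whole file plus its directory rather than what remains after the offset from `read_uint32(data, 12)`. Together with the first check, which only requires that offset to be inside the buffer, an entry whose offset sits a few bytes before the end still reaches `bmp_analyse_header` with `image->bmp.bmp_data` pointing at fewer bytes than a BMP header occupies and with a `buffer_size` that overstates what is available, so if that call relies on `image->bmp.buffer_size` to bound its reads, as the comment suggests, it can read past the ICO data. The first check also forms `ico->ico_data + offset` before validating the offset, which is undefined for a value past the object, and `image->bmp.buffer_size - ICO_DIR_ENTRY_SIZE` wraps for declared sizes below 16. I would read the offset into a `uint32_t offset` local declared at the top of `ico_analyse` (outside this hunk, whose body starts before and continues after these lines), validate it and the declared size against `ico->buffer_size` directly, and only then derive `bmp_data`, keeping the existing return codes.
```c
		offset = read_uint32(data, 12);
		/* Ensure that the bitmap data starts inside the ICO buffer */
		if (offset >= ico->buffer_size)
			return BMP_DATA_ERROR;
		/* Ensure that the declared bitmap size fits in the data after the offset */
		if (image->bmp.buffer_size > ico->buffer_size - offset)
			return BMP_INSUFFICIENT_DATA;
		image->bmp.bmp_data = ico->ico_data + offset;
		image->bmp.ico = true;
		data += ICO_DIR_ENTRY_SIZE;
		/* … unchanged: bmp_analyse_header call and area adjustment … */
```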