author | Vincent Sanders <vince@kyllikki.org> | 2016-08-22 21:02:53 +0100 |
---|---|---|
committer | Vincent Sanders <vince@kyllikki.org> | 2016-08-22 21:02:53 +0100 |
commit | 9d21a4b86283aa5618f34988e50b5f6ef67406f1 (patch) | |
tree | 4840ebc02cf3e3a27e838b9080bef32b05b66786 | |
parent | 6454650532ae2f109fb668f716317fdda3ee7d20 (diff) | |
cope with bmp headers close to UINT32_MAX
-rw-r--r-- | src/libnsbmp.c | 26 | ||||
-rw-r--r-- | test/bmp/bad_info_header_size.bmp | bin | 0 -> 1672 bytes | |||
-rw-r--r-- | test/bmp/int_min_height.bmp | bin | 0 -> 1668 bytes |
3 files changed, 18 insertions, 8 deletions
diff --git a/src/libnsbmp.c b/src/libnsbmp.c
index dc18a50..6483974 100644
--- a/src/libnsbmp.c
+++ b/src/libnsbmp.c
@@ -37,11 +37,14 @@
 /* squashes unused variable compiler warnings */
 #define UNUSED(x) ((x)=(x))
 
-/* BMP flags */
+/* BMP entry sizes */
 #define BMP_FILE_HEADER_SIZE 14
 #define ICO_FILE_HEADER_SIZE 6
 #define ICO_DIR_ENTRY_SIZE 16
 
+/* the bitmap information header types (encoded as lengths) */
+#define BITMAPCOREHEADER 12
+
 #ifdef WE_NEED_INT8_READING_NOW
 static inline int8_t read_int8(uint8_t *data, unsigned int o) {
 return (int8_t) data[o];
@@ -81,15 +84,22 @@ static bmp_result bmp_info_header_parse(bmp_image *bmp, uint8_t *data)
 uint8_t palette_size;
 unsigned int flags = 0;
 
- /* a variety of different bitmap headers can follow, depending
- * on the BMP variant. A full description of the various headers
- * can be found at
- * http://msdn.microsoft.com/en-us/library/ms532301(VS.85).aspx
- */
+ /* must be at least enough data for a core header */
+ if (bmp->buffer_size < (BMP_FILE_HEADER_SIZE + BITMAPCOREHEADER)) {
+ return BMP_INSUFFICIENT_DATA;
+ }
+
 header_size = read_uint32(data, 0);
- if (bmp->buffer_size < (14 + header_size))
+
+ /* ensure there is enough data for the declared header size*/
+ if ((bmp->buffer_size - BMP_FILE_HEADER_SIZE) < header_size) {
 return BMP_INSUFFICIENT_DATA;
- if (header_size == 12) {
+ }
+
+ /* a variety of different bitmap headers can follow, depending
+ * on the BMP variant. The header length field determines the type.
+ */
+ if (header_size == BITMAPCOREHEADER) {
 /* the following header is for os/2 and windows 2.x and consists of:
 *
 * +0 UINT32 size of this header (in bytes)
diff --git a/test/bmp/bad_info_header_size.bmp b/test/bmp/bad_info_header_size.bmp
Binary files differ
new file mode 100644
index 0000000..01732c8
--- /dev/null
+++ b/test/bmp/bad_info_header_size.bmp
diff --git a/test/bmp/int_min_height.bmp b/test/bmp/int_min_height.bmp
Binary files differ
new file mode 100644
index 0000000..792bbb7
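Review bot: The second check in bmp_info_header_parse, `(bmp->buffer_size - BMP_FILE_HEADER_SIZE) < header_size`, cannot underflow only because the core-header guard above it runs first, and neither comment records that dependency. A later edit that reorders the two checks, or folds them back into an addition, would quietly bring back the wraparound this commit removes for header sizes near UINT32_MAX. I would extend the comment to something like `/* subtract rather than add: header_size is untrusted and 14 + header_size can wrap; the guard above keeps this subtraction from underflowing */`. Both checks also assume `data` sits exactly BMP_FILE_HEADER_SIZE bytes into the buffer described by `bmp->buffer_size`; the callers are outside this hunk, so that precondition is worth stating in the function's header comment. The function body continues past the end of the hunk.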
--- /dev/null +++ b/test/bmp/int_min_height.bmp |