File gdk-pixbuf-bgo758991.patch of Package gdk-pixbuf

From b7bf6fbfb310fceba2d35d4de143b8d5ffdad990 Mon Sep 17 00:00:00 2001
From: Matthias Clasen <mclasen@redhat.com>
Date: Sat, 5 Dec 2015 16:35:30 -0500
Subject: [PATCH] bmp: Reject impossible palette size

bmp headers contain separate fields for the number of colors,
and the bit depth. Catch the impossible n_colors > 1 << depth
and error early, before it causes an out-of-bounds memory
access when decoding the colormap.

https://bugzilla.gnome.org/show_bug.cgi?id=758991
---
 gdk-pixbuf/io-bmp.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/gdk-pixbuf/io-bmp.c b/gdk-pixbuf/io-bmp.c
index 5c30bfb..f412997 100644
--- a/gdk-pixbuf/io-bmp.c
+++ b/gdk-pixbuf/io-bmp.c
@@ -325,6 +325,7 @@ static gboolean DecodeHeader(unsigned char *BFH, unsigned char *BIH,
                                      GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
                                      _("BMP image has unsupported depth"));
 		State->read_state = READ_STATE_ERROR;
+		return FALSE;
           }
 
 	if (State->Header.size == 12)
@@ -332,6 +333,16 @@ static gboolean DecodeHeader(unsigned char *BFH, unsigned char *BIH,
 	else
 		clrUsed = (int) (BIH[35] << 24) + (BIH[34] << 16) + (BIH[33] << 8) + (BIH[32]);
 
+        if (clrUsed > (1 << State->Header.depth))
+          {
+		g_set_error_literal (error,
+                                     GDK_PIXBUF_ERROR,
+                                     GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+                                     _("BMP image has oversize palette"));
+		State->read_state = READ_STATE_ERROR;
+		return FALSE;
+          }
+
 	if (clrUsed != 0)
 		State->Header.n_colors = clrUsed;
 	else
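Review bot: The added bound `if (clrUsed > (1 << State->Header.depth))` rejects only values that are too large, but `clrUsed` is a signed int assembled from four header bytes, so a file with the top bit of `BIH[35]` set can yield a negative value on typical platforms; that value passes this check and is then stored in `State->Header.n_colors` just below. Rejecting both directions would close the gap: `if (clrUsed < 0 || clrUsed > (1 << State->Header.depth))`. Separately, `1 << State->Header.depth` is undefined when depth reaches the width of int; the depth validation sits outside this hunk, so it is worth confirming that the shift count stays below 31 or special-casing large depths before the comparison. DecodeHeader continues past the end of the hunk, so a later check on n_colors may exist but is not visible here.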
-- 
2.6.2
