File gdk-pixbuf-bgo768688-bmp-overflow.patch of Package gdk-pixbuf.33887

From b69009f2a2de151103ed87e9594615ba0fe72daf Mon Sep 17 00:00:00 2001
From: Tobias Mueller <gnome-bugs@muelli.cryptobitch.de>
Date: Mon, 11 Jul 2016 17:01:00 +0000
Subject: [PATCH] bmp: Fix an integer overflow in DecodeColormap

Return an error if n_colors * samples overflows.

This commit also adds a reproducer that will cause
pixbuf-randomly-modified to crash in the absence of
the patch.

https://bugzilla.gnome.org/show_bug.cgi?id=768688
---
 gdk-pixbuf/io-bmp.c                                    |  15 ++++++++++++---
 tests/test-images/randomly-modified/decodecolormap.bmp | Bin 0 -> 118 bytes
 2 files changed, 12 insertions(+), 3 deletions(-)
 create mode 100644 tests/test-images/randomly-modified/decodecolormap.bmp

diff --git a/gdk-pixbuf/io-bmp.c b/gdk-pixbuf/io-bmp.c
index f412997..748ebae 100644
--- a/gdk-pixbuf/io-bmp.c
+++ b/gdk-pixbuf/io-bmp.c
@@ -518,12 +518,16 @@ static gboolean DecodeColormap (guchar *buff,
 {
 	gint i;
 	gint samples;
+	guint newbuffersize;
 
 	g_assert (State->read_state == READ_STATE_PALETTE);
 
 	samples = (State->Header.size == 12 ? 3 : 4);
-	if (State->BufferSize < State->Header.n_colors * samples) {
-		State->BufferSize = State->Header.n_colors * samples;
+	newbuffersize = State->Header.n_colors * samples;
+	if (newbuffersize / samples != State->Header.n_colors) /* Integer overflow check */
+		return FALSE;
+	if (State->BufferSize < newbuffersize) {
+		State->BufferSize = newbuffersize;
 		if (!grow_buffer (State, error))
 			return FALSE;
 		return TRUE;
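Review bot: The overflow test in DecodeColormap runs only after `State->Header.n_colors * samples` has been computed, so it is sound only if `n_colors` is an unsigned type. Its declaration is outside this hunk; if the field were signed, the product would be undefined behaviour before the check is reached. Testing before multiplying removes that dependency and the mixed `guint`/`gint` division: `if (State->Header.n_colors > G_MAXUINT / (guint) samples) return FALSE;` followed by the assignment to `newbuffersize`. A comment above the check, for example `/* n_colors is read from the image header; reject values whose byte size does not fit in a guint */`, would record why it exists. The function body continues past the end of the hunk.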
@@ -1247,8 +1251,13 @@ gdk_pixbuf__bmp_image_load_increment(gpointer data,
 			break;
 
 		case READ_STATE_PALETTE:
-			if (!DecodeColormap (context->buff, context, error))
+			if (!DecodeColormap (context->buff, context, error)) {
+				g_set_error (error,
+					     GDK_PIXBUF_ERROR,
+					     GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+					     _("Error while decoding colormap"));
 				return FALSE;
+			}
 			break;
 
 		case READ_STATE_BITMASKS:
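Review bot: The new `g_set_error` call in the READ_STATE_PALETTE case is unconditional, but DecodeColormap can also fail through `grow_buffer (State, error)`, which receives the same `error` pointer and presumably fills it on allocation failure. Setting a GError that is already set makes GLib emit a warning and loses the original, more specific message. Either guard the call with `if (error != NULL && *error == NULL)`, or move the `g_set_error` to the overflow `return FALSE` inside DecodeColormap so that each failure path reports its own cause. The enclosing function starts and ends outside this hunk.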