Gitweb links:
...log
http://git.netsurf-browser.org/libnsbmp.git/shortlog/9d21a4b86283aa5618f34988e50b5f6ef67406f1
...commit
http://git.netsurf-browser.org/libnsbmp.git/commit/9d21a4b86283aa5618f34988e50b5f6ef67406f1
...tree
http://git.netsurf-browser.org/libnsbmp.git/tree/9d21a4b86283aa5618f34988e50b5f6ef67406f1
The branch, master has been updated
via 9d21a4b86283aa5618f34988e50b5f6ef67406f1 (commit)
from 6454650532ae2f109fb668f716317fdda3ee7d20 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commitdiff
http://git.netsurf-browser.org/libnsbmp.git/commit/?id=9d21a4b86283aa5618f34988e50b5f6ef67406f1
commit 9d21a4b86283aa5618f34988e50b5f6ef67406f1
Author: Vincent Sanders <[email protected]>
Commit: Vincent Sanders <[email protected]>
cope with bmp headers close to UINT32_MAX
diff --git a/src/libnsbmp.c b/src/libnsbmp.c
index dc18a50..6483974 100644
--- a/src/libnsbmp.c
+++ b/src/libnsbmp.c
@@ -37,11 +37,14 @@
/* squashes unused variable compiler warnings */
#define UNUSED(x) ((x)=(x))
-/* BMP flags */
+/* BMP entry sizes */
#define BMP_FILE_HEADER_SIZE 14
#define ICO_FILE_HEADER_SIZE 6
#define ICO_DIR_ENTRY_SIZE 16
+/* the bitmap information header types (encoded as lengths) */
+#define BITMAPCOREHEADER 12
+
#ifdef WE_NEED_INT8_READING_NOW
static inline int8_t read_int8(uint8_t *data, unsigned int o) {
return (int8_t) data[o];
@@ -81,15 +84,22 @@ static bmp_result bmp_info_header_parse(bmp_image *bmp,
uint8_t *data)
uint8_t palette_size;
unsigned int flags = 0;
- /* a variety of different bitmap headers can follow, depending
- * on the BMP variant. A full description of the various headers
- * can be found at
- * http://msdn.microsoft.com/en-us/library/ms532301(VS.85).aspx
- */
+ /* must be at least enough data for a core header */
+ if (bmp->buffer_size < (BMP_FILE_HEADER_SIZE + BITMAPCOREHEADER)) {
+ return BMP_INSUFFICIENT_DATA;
+ }
+
header_size = read_uint32(data, 0);
- if (bmp->buffer_size < (14 + header_size))
+
+ /* ensure there is enough data for the declared header size*/
+ if ((bmp->buffer_size - BMP_FILE_HEADER_SIZE) < header_size) {
return BMP_INSUFFICIENT_DATA;
- if (header_size == 12) {
+ }
+
+ /* a variety of different bitmap headers can follow, depending
+ * on the BMP variant. The header length field determines the type.
+ */
+ if (header_size == BITMAPCOREHEADER) {
/* the following header is for os/2 and windows 2.x and
consists of:
*
* +0 UINT32 size of this header (in bytes)
diff --git a/test/bmp/bad_info_header_size.bmp
b/test/bmp/bad_info_header_size.bmp
new file mode 100644
index 0000000..01732c8
Binary files /dev/null and b/test/bmp/bad_info_header_size.bmp differ
diff --git a/test/bmp/int_min_height.bmp b/test/bmp/int_min_height.bmp
new file mode 100644
index 0000000..792bbb7
Binary files /dev/null and b/test/bmp/int_min_height.bmp differ
-----------------------------------------------------------------------
Summary of changes:
src/libnsbmp.c | 26 ++++++++++++++------
.../{mantis-2446.bmp => bad_info_header_size.bmp} | Bin 1684 -> 1672 bytes
test/bmp/{mantis-2446.bmp => int_min_height.bmp} | Bin 1684 -> 1668 bytes
3 files changed, 18 insertions(+), 8 deletions(-)
copy test/bmp/{mantis-2446.bmp => bad_info_header_size.bmp} (60%)
copy test/bmp/{mantis-2446.bmp => int_min_height.bmp} (60%)
diff --git a/src/libnsbmp.c b/src/libnsbmp.c
index dc18a50..6483974 100644
--- a/src/libnsbmp.c
+++ b/src/libnsbmp.c
@@ -37,11 +37,14 @@
/* squashes unused variable compiler warnings */
#define UNUSED(x) ((x)=(x))
-/* BMP flags */
+/* BMP entry sizes */
#define BMP_FILE_HEADER_SIZE 14
#define ICO_FILE_HEADER_SIZE 6
#define ICO_DIR_ENTRY_SIZE 16
+/* the bitmap information header types (encoded as lengths) */
+#define BITMAPCOREHEADER 12
+
#ifdef WE_NEED_INT8_READING_NOW
static inline int8_t read_int8(uint8_t *data, unsigned int o) {
return (int8_t) data[o];
@@ -81,15 +84,22 @@ static bmp_result bmp_info_header_parse(bmp_image *bmp,
uint8_t *data)
uint8_t palette_size;
unsigned int flags = 0;
- /* a variety of different bitmap headers can follow, depending
- * on the BMP variant. A full description of the various headers
- * can be found at
- * http://msdn.microsoft.com/en-us/library/ms532301(VS.85).aspx
- */
+ /* must be at least enough data for a core header */
+ if (bmp->buffer_size < (BMP_FILE_HEADER_SIZE + BITMAPCOREHEADER)) {
+ return BMP_INSUFFICIENT_DATA;
+ }
+
header_size = read_uint32(data, 0);
- if (bmp->buffer_size < (14 + header_size))
+
+ /* ensure there is enough data for the declared header size*/
+ if ((bmp->buffer_size - BMP_FILE_HEADER_SIZE) < header_size) {
return BMP_INSUFFICIENT_DATA;
- if (header_size == 12) {
+ }
+
+ /* a variety of different bitmap headers can follow, depending
+ * on the BMP variant. The header length field determines the type.
+ */
+ if (header_size == BITMAPCOREHEADER) {
/* the following header is for os/2 and windows 2.x and
consists of:
*
* +0 UINT32 size of this header (in bytes)
diff --git a/test/bmp/mantis-2446.bmp b/test/bmp/bad_info_header_size.bmp
similarity index 60%
copy from test/bmp/mantis-2446.bmp
copy to test/bmp/bad_info_header_size.bmp
index d1e8886..01732c8 100644
Binary files a/test/bmp/mantis-2446.bmp and b/test/bmp/bad_info_header_size.bmp
differ
diff --git a/test/bmp/mantis-2446.bmp b/test/bmp/int_min_height.bmp
similarity index 60%
copy from test/bmp/mantis-2446.bmp
copy to test/bmp/int_min_height.bmp
index d1e8886..792bbb7 100644
Binary files a/test/bmp/mantis-2446.bmp and b/test/bmp/int_min_height.bmp differ
--
NetSurf BMP Decoder
_______________________________________________
netsurf-commits mailing list
[email protected]
http://listmaster.pepperfish.net/cgi-bin/mailman/listinfo/netsurf-commits-netsurf-browser.org
