Check for the BMP header magic numbers before decoding it. (#505085)

2008-03-11  Claudio Saavedra  <csaavedra@alumnos.utalca.cl>

        * io-bmp.c: (DecodeHeader): Check for the BMP header magic numbers
        before decoding it.  (#505085)


svn path=/trunk/; revision=19756

2 files changed, 16 insertions, 0 deletions

diff --git a/gdk-pixbuf/ChangeLog b/gdk-pixbuf/ChangeLog
index 3c28e212aa..3c507d472c 100644
--- a/gdk-pixbuf/ChangeLog
+++ b/gdk-pixbuf/ChangeLog
@@ -1,3 +1,8 @@
+2008-03-11  Claudio Saavedra  <csaavedra@alumnos.utalca.cl>
+
+        * io-bmp.c: (DecodeHeader): Check for the BMP header magic numbers
+        before decoding it.  (#505085)
+
 2008-02-16  Matthias Clasen  <mclasen@redhat.com>
 
 	* === Released 2.13.0 ===
diff --git a/gdk-pixbuf/io-bmp.c b/gdk-pixbuf/io-bmp.c
index d0347c963a..099a16d96a 100644
--- a/gdk-pixbuf/io-bmp.c
+++ b/gdk-pixbuf/io-bmp.c
@@ -258,6 +258,17 @@ static gboolean DecodeHeader(unsigned char *BFH, unsigned char *BIH,
 {
 	gint clrUsed;
 
+	/* First check for the two first bytes content. A sane
+	   BMP file must start with bytes 0x42 0x4D.  */
+	if (*BFH != 0x42 || *(BFH + 1) != 0x4D) {
+		g_set_error (error,
+			     GDK_PIXBUF_ERROR,
+			     GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+			     _("BMP image has bogus header data"));
+		State->read_state = READ_STATE_ERROR;
+		return FALSE;
+	}
+
         /* FIXME this is totally unrobust against bogus image data. */
 	if (State->BufferSize < lsb_32 (&BIH[0]) + 14) {
 		State->BufferSize = lsb_32 (&BIH[0]) + 14;