Fix a crash

svn path=/trunk/; revision=20367

2 files changed, 31 insertions, 1 deletions

diff --git a/gdk-pixbuf/ChangeLog b/gdk-pixbuf/ChangeLog
index 148200e57f..d22b6c77d8 100644
--- a/gdk-pixbuf/ChangeLog
+++ b/gdk-pixbuf/ChangeLog
@@ -1,3 +1,10 @@
+2008-06-13  Matthias Clasen  <mclasen@redhat.com>
+
+	Bug 531960 – crash in eog-image.c:1154: (priv->image != NULL)
+
+	* io-ico.c: Check headers more thorougly.
+	Patch by Felix Riemann
+
 2008-06-03  Matthias Clasen  <mclasen@redhat.com>
 
 	* === Released 2.13.2 ===
diff --git a/gdk-pixbuf/io-ico.c b/gdk-pixbuf/io-ico.c
index 27937c96ba..29dd95a1df 100644
--- a/gdk-pixbuf/io-ico.c
+++ b/gdk-pixbuf/io-ico.c
@@ -199,10 +199,33 @@ static void DecodeHeader(guchar *Data, gint Bytes,
 	guchar *BIH; /* The DIB for the used icon */
  	guchar *Ptr;
  	gint I;
+	guint16 imgtype; /* 1 = icon, 2 = cursor */
  
  	/* Step 1: The ICO header */
 
-	State->cursor = ((Data[3] << 8) + Data[2] == 2) ? TRUE : FALSE;
+	/* First word should be 0 according to specs */
+	if (((Data[1] << 8) + Data[0]) != 0) {
+		g_set_error (error,
+			     GDK_PIXBUF_ERROR,
+			     GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+			     _("Invalid header in icon"));
+		return;
+
+	}
+
+	imgtype = (Data[3] << 8) + Data[2];
+
+	State->cursor = (imgtype == 2) ? TRUE : FALSE;
+
+	/* If it is not a cursor make sure it is actually an icon */
+	if (!State->cursor && imgtype != 1) {
+		g_set_error (error,
+			     GDK_PIXBUF_ERROR,
+			     GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+			     _("Invalid header in icon"));
+		return;
+	}
+
 
  	IconCount = (Data[5] << 8) + (Data[4]);