From fcde8479cca084c59be1bfd72a4dc4b72bbd66f8 Mon Sep 17 00:00:00 2001 From: Manish Singh Date: Mon, 28 Mar 2005 04:01:25 +0000 Subject: reject 0-sized buffers as corrupt header data. Fixes bug #171707. Sun Mar 27 19:59:52 2005 Manish Singh * io-bmp.c (grow_buffer): reject 0-sized buffers as corrupt header data. Fixes bug #171707. --- gdk-pixbuf/ChangeLog | 5 +++++ gdk-pixbuf/io-bmp.c | 15 ++++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) (limited to 'gdk-pixbuf') diff --git a/gdk-pixbuf/ChangeLog b/gdk-pixbuf/ChangeLog index 9830f95f9b..dea1fc5e83 100644 --- a/gdk-pixbuf/ChangeLog +++ b/gdk-pixbuf/ChangeLog @@ -1,3 +1,8 @@ +Sun Mar 27 19:59:52 2005 Manish Singh + + * io-bmp.c (grow_buffer): reject 0-sized buffers as corrupt header + data. Fixes bug #171707. + 2005-03-25 Matthias Clasen * gdk-pixbuf-data.c (gdk_pixbuf_new_from_data): Use canonical diff --git a/gdk-pixbuf/io-bmp.c b/gdk-pixbuf/io-bmp.c index 82882048dc..5b70ea047d 100644 --- a/gdk-pixbuf/io-bmp.c +++ b/gdk-pixbuf/io-bmp.c @@ -219,7 +219,19 @@ lsb_16 (guchar *src) static gboolean grow_buffer (struct bmp_progressive_state *State, GError **error) { - guchar *tmp = g_try_realloc (State->buff, State->BufferSize); + guchar *tmp; + + if (State->BufferSize == 0) { + g_set_error (error, + GDK_PIXBUF_ERROR, + GDK_PIXBUF_ERROR_CORRUPT_IMAGE, + _("BMP image has bogus header data")); + State->read_state = READ_STATE_ERROR; + return FALSE; + } + + tmp = g_try_realloc (State->buff, State->BufferSize); + if (!tmp) { g_set_error (error, GDK_PIXBUF_ERROR, @@ -228,6 +240,7 @@ static gboolean grow_buffer (struct bmp_progressive_state *State, State->read_state = READ_STATE_ERROR; return FALSE; } + State->buff = tmp; return TRUE; } -- cgit v1.2.1