libgd/libgd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

bmp: be a bit more restrictive in input depths

Browse Source 
For OS/2 BMP 1.0 files, the spec says only 1/4/8/24 bit images are
supported, so ignore other depths as invalid.

oss-fuzz pointed out:
gd_bmp.c:670:22: runtime error: shift exponent 12803 is too large for 32-bit type 'int'
This commit is contained in:
Mike Frysinger 2018-01-26 21:53:05 -05:00
parent f0a059be6c
commit 5618b9e82a
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/gd_bmp.c
View File

@ -667,11 +667,16 @@ static int bmp_read_os2_v1_info(gdIOCtxPtr infile, bmp_info_t *info)
/* OS2 v1 doesn't support topdown */ /* OS2 v1 doesn't support topdown */
info->topdown = 0; info->topdown = 0;
/* The spec says the depth can only be a few value values. */
if (info->depth != 1 && info->depth != 4 && info->depth != 8 &&
info->depth != 16 && info->depth != 24) {
return 1;
}
info->numcolors = 1 << info->depth; info->numcolors = 1 << info->depth;
info->type = BMP_PALETTE_3; info->type = BMP_PALETTE_3;
if (info->width <= 0 || info->height <= 0 || info->numplanes <= 0 || if (info->width <= 0 || info->height <= 0 || info->numplanes <= 0) {
info->depth <= 0 || info->numcolors < 0) {
return 1; return 1;
} }