Fix a crash

svn path=/trunk/; revision=20367

diff --git a/gdk-pixbuf/ChangeLog b/gdk-pixbuf/ChangeLog
index 148200e57f7e37a7a2c4ca2ae0013cb6540dd4db..d22b6c77d82ad931dc16b250ba2ddd6ab3c4d58e 100644 (file)
--- a/gdk-pixbuf/ChangeLog
+++ b/gdk-pixbuf/ChangeLog
@@ -1,3 +1,10 @@
+2008-06-13  Matthias Clasen  <mclasen@redhat.com>
+
+       Bug 531960 – crash in eog-image.c:1154: (priv->image != NULL)
+
+       * io-ico.c: Check headers more thorougly.
+       Patch by Felix Riemann
+
 2008-06-03  Matthias Clasen  <mclasen@redhat.com>
 
        * === Released 2.13.2 ===

diff --git a/gdk-pixbuf/io-ico.c b/gdk-pixbuf/io-ico.c
index 27937c96baa1a9af6d1143d31ead671dfa799de6..29dd95a1df8dac9a40f6a160cf4647daa8291a0b 100644 (file)
--- a/gdk-pixbuf/io-ico.c
+++ b/gdk-pixbuf/io-ico.c
@@ -199,10 +199,33 @@ static void DecodeHeader(guchar *Data, gint Bytes,
        guchar *BIH; /* The DIB for the used icon */
        guchar *Ptr;
        gint I;
+       guint16 imgtype; /* 1 = icon, 2 = cursor */
  
        /* Step 1: The ICO header */
 
-       State->cursor = ((Data[3] << 8) + Data[2] == 2) ? TRUE : FALSE;
+       /* First word should be 0 according to specs */
+       if (((Data[1] << 8) + Data[0]) != 0) {
+               g_set_error (error,
+                            GDK_PIXBUF_ERROR,
+                            GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+                            _("Invalid header in icon"));
+               return;
+
+       }
+
+       imgtype = (Data[3] << 8) + Data[2];
+
+       State->cursor = (imgtype == 2) ? TRUE : FALSE;
+
+       /* If it is not a cursor make sure it is actually an icon */
+       if (!State->cursor && imgtype != 1) {
+               g_set_error (error,
+                            GDK_PIXBUF_ERROR,
+                            GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+                            _("Invalid header in icon"));
+               return;
+       }
+
 
        IconCount = (Data[5] << 8) + (Data[4]);