Check for the BMP header magic numbers before decoding it. (#505085)

2008-03-11  Claudio Saavedra  <csaavedra@alumnos.utalca.cl>

        * io-bmp.c: (DecodeHeader): Check for the BMP header magic numbers
        before decoding it.  (#505085)

svn path=/trunk/; revision=19756

diff --git a/gdk-pixbuf/ChangeLog b/gdk-pixbuf/ChangeLog
index 3c28e212aac03f567aca3875444aa6c6197d0c29..3c507d472cd4f559ddaea60c8f3be238d05a8bbf 100644 (file)
--- a/gdk-pixbuf/ChangeLog
+++ b/gdk-pixbuf/ChangeLog
@@ -1,3 +1,8 @@
+2008-03-11  Claudio Saavedra  <csaavedra@alumnos.utalca.cl>
+
+        * io-bmp.c: (DecodeHeader): Check for the BMP header magic numbers
+        before decoding it.  (#505085)
+
 2008-02-16  Matthias Clasen  <mclasen@redhat.com>
 
        * === Released 2.13.0 ===

diff --git a/gdk-pixbuf/io-bmp.c b/gdk-pixbuf/io-bmp.c
index d0347c963a42465c2f01a071107dbd7d39a837af..099a16d96a0c78708228a609af22226b73ac9ded 100644 (file)
--- a/gdk-pixbuf/io-bmp.c
+++ b/gdk-pixbuf/io-bmp.c
@@ -258,6 +258,17 @@ static gboolean DecodeHeader(unsigned char *BFH, unsigned char *BIH,
 {
        gint clrUsed;
 
+       /* First check for the two first bytes content. A sane
+          BMP file must start with bytes 0x42 0x4D.  */
+       if (*BFH != 0x42 || *(BFH + 1) != 0x4D) {
+               g_set_error (error,
+                            GDK_PIXBUF_ERROR,
+                            GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+                            _("BMP image has bogus header data"));
+               State->read_state = READ_STATE_ERROR;
+               return FALSE;
+       }
+
         /* FIXME this is totally unrobust against bogus image data. */
        if (State->BufferSize < lsb_32 (&BIH[0]) + 14) {
                State->BufferSize = lsb_32 (&BIH[0]) + 14;