From 485b4f523f5cdfbc1d93203239710ba3c2f78ee1 Mon Sep 17 00:00:00 2001
From: Matthias Clasen <mclasen@redhat.com>
Date: Thu, 18 Aug 2005 14:18:02 +0000
Subject: [PATCH] Check for overflow in one more place. (#313818, Tommi
 Komulainen)

2005-08-18  Matthias Clasen  <mclasen@redhat.com>

	* io-ico.c (DecodeHeader): Check for overflow in one more
	place.  (#313818, Tommi Komulainen)
---
 gdk-pixbuf/ChangeLog |  5 +++++
 gdk-pixbuf/io-ico.c  | 10 +++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/gdk-pixbuf/ChangeLog b/gdk-pixbuf/ChangeLog
index c69f58bd37..37ab659a62 100644
--- a/gdk-pixbuf/ChangeLog
+++ b/gdk-pixbuf/ChangeLog
@@ -1,3 +1,8 @@
+2005-08-18  Matthias Clasen  <mclasen@redhat.com>
+
+	* io-ico.c (DecodeHeader): Check for overflow in one more
+	place.  (#313818, Tommi Komulainen)
+
 2005-08-15  Matthias Clasen  <mclasen@redhat.com>
 
 	* io-jpeg.c (fatal_error_handler): Pay attention to the 
diff --git a/gdk-pixbuf/io-ico.c b/gdk-pixbuf/io-ico.c
index 21f34b2a1b..812683daa6 100644
--- a/gdk-pixbuf/io-ico.c
+++ b/gdk-pixbuf/io-ico.c
@@ -261,7 +261,15 @@ static void DecodeHeader(guchar *Data, gint Bytes,
 	   so we know how many bytes are in the "header" part. */
 	      
 	State->HeaderSize = State->DIBoffset + 40; /* 40 = sizeof(InfoHeader) */
-	
+
+	if (State->HeaderSize < 0) {
+		g_set_error (error,
+			     GDK_PIXBUF_ERROR,
+			     GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+			     _("Invalid header in icon"));
+		return;
+	}
+
  	if (State->HeaderSize>State->BytesInHeaderBuf) {
  		guchar *tmp=g_try_realloc(State->HeaderBuf,State->HeaderSize);
 		if (!tmp) {
-- 
2.30.2