diff options
author | Campbell Barton <ideasman42@gmail.com> | 2020-11-11 08:14:09 +0300 |
---|---|---|
committer | Campbell Barton <ideasman42@gmail.com> | 2020-11-11 08:14:09 +0300 |
commit | 15ffda3bcd697e6f3a0cc13e141da865f36f3b53 (patch) | |
tree | f98d9fc831f18a9194818f5428466884654e802b /source/blender/imbuf/intern/bmp.c | |
parent | 2d60845786aeab099c61ffa42b7f72cccc68bff1 (diff) |
Fix T82602: checking image header reads past buffer bounds
Use the size argument to ensure checking the header doesn't read
past the buffer bounds when reading corrupt/truncated headers
from image files.
Diffstat (limited to 'source/blender/imbuf/intern/bmp.c')
-rw-r--r-- | source/blender/imbuf/intern/bmp.c | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/source/blender/imbuf/intern/bmp.c b/source/blender/imbuf/intern/bmp.c index 9358b67b3ed..58ce02f28ae 100644 --- a/source/blender/imbuf/intern/bmp.c +++ b/source/blender/imbuf/intern/bmp.c @@ -72,10 +72,14 @@ typedef struct BMPHEADER { CHECK_HEADER_FIELD(_mem, "CI") || CHECK_HEADER_FIELD(_mem, "CP") || \ CHECK_HEADER_FIELD(_mem, "IC") || CHECK_HEADER_FIELD(_mem, "PT")) -static bool checkbmp(const uchar *mem) +static bool checkbmp(const uchar *mem, const size_t size) { + if (size < BMP_FILEHEADER_SIZE) { + return false; + } + if (!CHECK_HEADER_FIELD_BMP(mem)) { - return 0; + return false; } bool ok = false; @@ -102,9 +106,9 @@ static bool checkbmp(const uchar *mem) return ok; } -bool imb_is_a_bmp(const uchar *buf, size_t UNUSED(size)) +bool imb_is_a_bmp(const uchar *buf, size_t size) { - return checkbmp(buf); + return checkbmp(buf, size); } ImBuf *imb_bmp_decode(const uchar *mem, size_t size, int flags, char colorspace[IM_MAX_SPACE]) @@ -120,7 +124,7 @@ ImBuf *imb_bmp_decode(const uchar *mem, size_t size, int flags, char colorspace[ (void)size; /* unused */ - if (checkbmp(mem) == 0) { + if (checkbmp(mem, size) == 0) { return NULL; } |