gdk-pixbuf/gdk-pixbuf-bgo769738-bmp-overflow.patch

From 779429ce34e439c01d257444fe9d6739e72a2024 Mon Sep 17 00:00:00 2001
From: Tobias Mueller <gnome-bugs@muelli.cryptobitch.de>
Date: Tue, 12 Jul 2016 15:20:00 +0000
Subject: [PATCH] bmp: Detect integer overflow of the line width

Instead of risking crashes or OOM, return an error if
we detect integer overflow.

The commit also includes a test image that triggers
this overflow when used with pixbuf-read.

https://bugzilla.gnome.org/show_bug.cgi?id=768738
---
 gdk-pixbuf/io-bmp.c                                |  21 ++++++++++++---------
 .../randomly-modified/bmp-line-overflow.bmp        | Bin 0 -> 74 bytes
 2 files changed, 12 insertions(+), 9 deletions(-)
 create mode 100644 tests/test-images/randomly-modified/bmp-line-overflow.bmp

diff --git a/gdk-pixbuf/io-bmp.c b/gdk-pixbuf/io-bmp.c
index 748ebae..08e3c76 100644
--- a/gdk-pixbuf/io-bmp.c
+++ b/gdk-pixbuf/io-bmp.c
@@ -254,6 +254,7 @@ static gboolean DecodeHeader(unsigned char *BFH, unsigned char *BIH,
                              GError **error)
 {
 	gint clrUsed;
+	guint bytesPerPixel;
 
 	/* First check for the two first bytes content. A sane
 	   BMP file must start with bytes 0x42 0x4D.  */
@@ -380,15 +381,17 @@ static gboolean DecodeHeader(unsigned char *BFH, unsigned char *BIH,
 		return FALSE;
 	}
 
-	if (State->Type == 32)
-		State->LineWidth = State->Header.width * 4;
-	else if (State->Type == 24)
-		State->LineWidth = State->Header.width * 3;
-	else if (State->Type == 16)
-		State->LineWidth = State->Header.width * 2;
-	else if (State->Type == 8)
-		State->LineWidth = State->Header.width * 1;
-	else if (State->Type == 4)
+	if ((State->Type >= 8) && (State->Type <= 32) && (State->Type % 8 == 0)) {
+		bytesPerPixel = State->Type / 8;
+		State->LineWidth = State->Header.width * bytesPerPixel;
+		if (State->Header.width != State->LineWidth / bytesPerPixel) {
+			g_set_error_literal (error,
+					     GDK_PIXBUF_ERROR,
+					     GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+					     _("BMP image width too large"));
+			return FALSE;
+		}
+	} else if (State->Type == 4)
 		State->LineWidth = (State->Header.width + 1) / 2;
 	else if (State->Type == 1) {
 		State->LineWidth = State->Header.width / 8;
Accepting request 424115 from home:zhangxiaofei:branches:GNOME:Factory - Add fixes for some crashes, taken from upstream git (bsc#988745 bsc#991450 CVE-2016-6352): gdk-pixbuf-bgo768688-bmp-overflow.patch gdk-pixbuf-bgo768484-ico-set-errors.patch gdk-pixbuf-bgo769738-bmp-overflow.patch gdk-pixbuf-bgo769170-ico-headers.patch OBS-URL: https://build.opensuse.org/request/show/424115 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gdk-pixbuf?expand=0&rev=111 2016-09-01 09:33:46 +00:00			`From 779429ce34e439c01d257444fe9d6739e72a2024 Mon Sep 17 00:00:00 2001`
			`From: Tobias Mueller <gnome-bugs@muelli.cryptobitch.de>`
			`Date: Tue, 12 Jul 2016 15:20:00 +0000`
			`Subject: [PATCH] bmp: Detect integer overflow of the line width`

			`Instead of risking crashes or OOM, return an error if`
			`we detect integer overflow.`

			`The commit also includes a test image that triggers`
			`this overflow when used with pixbuf-read.`

			`https://bugzilla.gnome.org/show_bug.cgi?id=768738`
			`---`
			`gdk-pixbuf/io-bmp.c \| 21 ++++++++++++---------`
			`.../randomly-modified/bmp-line-overflow.bmp \| Bin 0 -> 74 bytes`
			`2 files changed, 12 insertions(+), 9 deletions(-)`
			`create mode 100644 tests/test-images/randomly-modified/bmp-line-overflow.bmp`

			`diff --git a/gdk-pixbuf/io-bmp.c b/gdk-pixbuf/io-bmp.c`
			`index 748ebae..08e3c76 100644`
			`--- a/gdk-pixbuf/io-bmp.c`
			`+++ b/gdk-pixbuf/io-bmp.c`
			`@@ -254,6 +254,7 @@ static gboolean DecodeHeader(unsigned char BFH, unsigned char BIH,`
			`GError **error)`
			`{`
			`gint clrUsed;`
			`+ guint bytesPerPixel;`

			`/* First check for the two first bytes content. A sane`
			`BMP file must start with bytes 0x42 0x4D. */`
			`@@ -380,15 +381,17 @@ static gboolean DecodeHeader(unsigned char BFH, unsigned char BIH,`
			`return FALSE;`
			`}`

			`- if (State->Type == 32)`
			`- State->LineWidth = State->Header.width * 4;`
			`- else if (State->Type == 24)`
			`- State->LineWidth = State->Header.width * 3;`
			`- else if (State->Type == 16)`
			`- State->LineWidth = State->Header.width * 2;`
			`- else if (State->Type == 8)`
			`- State->LineWidth = State->Header.width * 1;`
			`- else if (State->Type == 4)`
			`+ if ((State->Type >= 8) && (State->Type <= 32) && (State->Type % 8 == 0)) {`
			`+ bytesPerPixel = State->Type / 8;`
			`+ State->LineWidth = State->Header.width * bytesPerPixel;`
			`+ if (State->Header.width != State->LineWidth / bytesPerPixel) {`
			`+ g_set_error_literal (error,`
			`+ GDK_PIXBUF_ERROR,`
			`+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,`
			`+ _("BMP image width too large"));`
			`+ return FALSE;`
			`+ }`
			`+ } else if (State->Type == 4)`
			`State->LineWidth = (State->Header.width + 1) / 2;`
			`else if (State->Type == 1) {`
			`State->LineWidth = State->Header.width / 8;`