gdk-pixbuf/gdk-pixbuf-bgo768688-bmp-overflow.patch

From b69009f2a2de151103ed87e9594615ba0fe72daf Mon Sep 17 00:00:00 2001
From: Tobias Mueller <gnome-bugs@muelli.cryptobitch.de>
Date: Mon, 11 Jul 2016 17:01:00 +0000
Subject: [PATCH] bmp: Fix an integer overflow in DecodeColormap

Return an error if n_colors * samples overflows.

This commit also adds a reproducer that will cause
pixbuf-randomly-modified to crash in the absence of
the patch.

https://bugzilla.gnome.org/show_bug.cgi?id=768688
---
 gdk-pixbuf/io-bmp.c                                    |  15 ++++++++++++---
 tests/test-images/randomly-modified/decodecolormap.bmp | Bin 0 -> 118 bytes
 2 files changed, 12 insertions(+), 3 deletions(-)
 create mode 100644 tests/test-images/randomly-modified/decodecolormap.bmp

diff --git a/gdk-pixbuf/io-bmp.c b/gdk-pixbuf/io-bmp.c
index f412997..748ebae 100644
--- a/gdk-pixbuf/io-bmp.c
+++ b/gdk-pixbuf/io-bmp.c
@@ -518,12 +518,16 @@ static gboolean DecodeColormap (guchar *buff,
 {
 	gint i;
 	gint samples;
+	guint newbuffersize;
 
 	g_assert (State->read_state == READ_STATE_PALETTE);
 
 	samples = (State->Header.size == 12 ? 3 : 4);
-	if (State->BufferSize < State->Header.n_colors * samples) {
-		State->BufferSize = State->Header.n_colors * samples;
+	newbuffersize = State->Header.n_colors * samples;
+	if (newbuffersize / samples != State->Header.n_colors) /* Integer overflow check */
+		return FALSE;
+	if (State->BufferSize < newbuffersize) {
+		State->BufferSize = newbuffersize;
 		if (!grow_buffer (State, error))
 			return FALSE;
 		return TRUE;
@@ -1247,8 +1251,13 @@ gdk_pixbuf__bmp_image_load_increment(gpointer data,
 			break;
 
 		case READ_STATE_PALETTE:
-			if (!DecodeColormap (context->buff, context, error))
+			if (!DecodeColormap (context->buff, context, error)) {
+				g_set_error (error,
+					     GDK_PIXBUF_ERROR,
+					     GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+					     _("Error while decoding colormap"));
 				return FALSE;
+			}
 			break;
 
 		case READ_STATE_BITMASKS: