authorJiyoun Park <jijibe99@gmail.com>2012-12-05 09:58:56 +0000
committerJiyoun Park <jijibe99@gmail.com>2012-12-05 09:58:56 +0000
commitaa53580814e5315586cdd4a68ba9f2bf7bfa2d07 (patch)
treee3b0aee708cf0176a2524843701e96a6b96db993
parentedbf3d90c12bb5ce1d7932a9b5b82c8c352fd673 (diff)
if somebody make corrupted bmp file, it can cause crash
SVN revision: 80225
-rw-r--r--src/modules/evas/loaders/bmp/evas_image_load_bmp.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/modules/evas/loaders/bmp/evas_image_load_bmp.c b/src/modules/evas/loaders/bmp/evas_image_load_bmp.c
index 173561b037..225f04b728 100644
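--- a/src/modules/evas/loaders/bmp/evas_image_load_bmp.c
+++ b/src/modules/evas/loaders/bmp/evas_image_load_bmp.c
@@ -135,6 +135,7 @@ evas_image_load_file_head_bmp(Image_Entry *ie, const char *file, const char *key
 if (!read_ushort(map, fsize, &position, &res2)) goto close_file;
 if (!read_uint(map, fsize, &position, &offset)) goto close_file;
 if (!read_uint(map, fsize, &position, &head_size)) goto close_file;
+if (offset > fsize) goto close_file;
 if (head_size == 12) // OS/2 V1 + Windows 3.0
 {
 short tmp;
@@ -424,6 +425,7 @@ evas_image_load_file_data_bmp(Image_Entry *ie, const char *file, const char *key
 if (!read_ushort(map, fsize, &position, &res2)) goto close_file;
 if (!read_uint(map, fsize, &position, &offset)) goto close_file;
 if (!read_uint(map, fsize, &position, &head_size)) goto close_file;
+if (offset > fsize) goto close_file;
 image_size = fsize - offset;
 if (image_size < 1) goto close_file;
 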
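Review bot: The added `offset > fsize` guard bounds only the upper end of the file-supplied pixel-data offset, so a value that points back into the header (below the current `position`) still passes in both evas_image_load_file_head_bmp and evas_image_load_file_data_bmp. Whether that matters depends on how the pixel reads after `image_size = fsize - offset` are bounded, which is outside these hunks, as are the declarations of `offset`, `fsize` and `position`. If the types allow it, I would reject the clearly invalid case as well, `if ((offset > fsize) || (offset < position)) goto close_file;`, and add a comment such as `// offset is read from the file: the pixel data must start inside the mapping, after the header`. The same check is now duplicated in the two loaders, so a small shared helper for the file-header fields would keep them from drifting apart; both function bodies start and end outside the hunks shown.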