authorTobias Stoeckmann <tobias@stoeckmann.org>2020-01-19 18:51:25 +0100
committerKim Woelders <kim@woelders.dk>2020-01-20 06:21:15 +0100
commitc95f938ff1effaf91729c050a0f1c8684da4dd63 (patch)
treea0d7511741b52eedca247992ced1a1de92412e63
parent106e2188eedf3bdf47db089cda733752b661522e (diff)
ICO loader: Do not crash on invalid files
If an ICO file contains icons with an excessively large number of colors in its color map, an integer overflow can lead to 0-byte allocations of the color map. If such an icon is displayed later on, the color map access leads to out-of-bounds reads. Also verify that excessively large icons are not parsed at all, to prevent out-of-bounds reads of raw pixel data during display. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-rw-r--r--src/modules/loaders/loader_ico.c7
1 files changed, 7 insertions, 0 deletions
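--- a/src/modules/loaders/loader_ico.c
+++ b/src/modules/loaders/loader_ico.c
@@ -7,6 +7,7 @@
  */
 #include "loader_common.h"
 
+#include <limits.h>
 #include <string.h>
 
 #define DEBUG 0
@@ -168,6 +169,8 @@ ico_read_icon(ico_t * ico, int ino)
       case 4:
       case 8:
          D("Allocating a %d slot colormap\n", ie->bih.colors);
+         if (UINT_MAX / sizeof(DATA32) < ie->bih.colors)
+            goto bail;
          size = ie->bih.colors * sizeof(DATA32);
          ie->cmap = malloc(size);
          nr = fread(ie->cmap, 1, size, ico->fp);
@@ -182,6 +185,10 @@ ico_read_icon(ico_t * ico, int ino)
          break;
       }
 
+   if (!IMAGE_DIMENSIONS_OK(ie->w, ie->h) || ie->bih.bpp == 0 ||
+       UINT_MAX / ie->bih.bpp < ie->w * ie->h)
+      goto bail;
+
    size = ((ie->bih.bpp * ie->w + 31) / 32 * 4) * ie->h;
    ie->pxls = malloc(size);
    nr = fread(ie->pxls, 1, size, ico->fp);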
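Review bot: Both allocations in this section still pass an unchecked malloc() result straight to fread(): the new overflow guards keep `size` from wrapping, but a NULL `ie->cmap` or `ie->pxls` (an allocation failure on a large-but-valid size) reaches `nr = fread(ie->cmap, 1, size, ico->fp)` and `nr = fread(ie->pxls, 1, size, ico->fp)` unchanged, which is undefined behaviour. The same `bail` label the commit already uses would handle it: `if (!ie->cmap) goto bail;` after the colormap malloc in the second hunk, and `if (!ie->pxls) goto bail;` after the pixel malloc in this one. The third hunk's check also does not reject `ie->bih.colors == 0`, so a zero-entry colormap for a 4- or 8-bpp icon presumably still yields a 0-byte allocation and the later lookup the commit message describes; a lower bound here (or whatever the colormap consumer expects for a 0 count) is worth confirming. The enclosing ico_read_icon() begins and ends outside these hunks, so whether `nr` is compared against `size` afterwards cannot be seen here.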