From ed60d5f28cf047a7d3c82a6d8ee4fa97da931e45 Mon Sep 17 00:00:00 2001
From: Owen Taylor
Date: Fri, 20 Aug 2004 17:59:24 +0000
Subject: [PATCH] Fix infinite loop that can occur for bad image data (#150601, Chris Evans,

Fri Aug 20 11:59:10 2004 Owen Taylor

 * io-bmp.c: Fix infinite loop that can occur for bad
 image data (#150601, Chris Evans, Manish Singh)
---
 gdk-pixbuf/ChangeLog | 5 +++++
 gdk-pixbuf/io-bmp.c | 12 +++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/gdk-pixbuf/ChangeLog b/gdk-pixbuf/ChangeLog
index 9bf55a29d8..074838f5a1 100644
--- a/gdk-pixbuf/ChangeLog
+++ b/gdk-pixbuf/ChangeLog
@@ -1,3 +1,8 @@
+Fri Aug 20 11:59:10 2004 Owen Taylor
+
+ * io-bmp.c: Fix infinite loop that can occur for bad
+ image data (#150601, Chris Evans, Manish Singh)
+
 2004-08-17 Matthias Clasen
 * abicheck.sh: No need for INCLUDE_INTERNAL_SYMBOLS any more.
diff --git a/gdk-pixbuf/io-bmp.c b/gdk-pixbuf/io-bmp.c
index 82ddba1301..015eca8dac 100644
--- a/gdk-pixbuf/io-bmp.c
+++ b/gdk-pixbuf/io-bmp.c
@@ -876,8 +876,18 @@ DoCompressed(struct bmp_progressive_state *context, GError **error)
 guchar c;
 gint idx;
- if (context->compr.y >= context->Header.height)
+ /* context->compr.y might be past the last line because we are
+ * on padding past the end of a valid data, or we might have hit
+ * out-of-bounds data. Either way we just eat-and-ignore the
+ * rest of the file. Doing the check only here and not when
+ * we change y below is fine since BufferSize is always 2 here
+ * and the BMP file format always starts new data on 16-bit
+ * boundaries.
+ */
+ if (context->compr.y >= context->Header.height) {
+ context->BufferDone = 0;
 return TRUE;
+ }
 y = context->compr.y;