LibGfx: Don't blindly trust file-internal offset

This also touches the return type of dib_size(), because kjdsfg
This commit is contained in:
Ben Wiederhake 2020-08-30 15:23:07 +02:00 committed by Andreas Kling
parent a098046309
commit e550df6467
Notes: sideshowbarker 2024-07-19 02:45:11 +09:00


@ -148,7 +148,7 @@ struct BMPLoadingContext {
Vector<u32> color_table;
RefPtr<Gfx::Bitmap> bitmap;
u8 dib_size() const
u32 dib_size() const
{
switch (dib_type) {
case DIBType::Core:
@ -473,11 +473,16 @@ static bool decode_bmp_header(BMPLoadingContext& context)
// Ingore reserved bytes
streamer.drop_bytes(4);
context.data_offset = streamer.read_u32();
context.state = BMPLoadingContext::State::HeaderDecoded;
IF_BMP_DEBUG(dbg() << "BMP data size: " << context.data_size);
IF_BMP_DEBUG(dbg() << "BMP data offset: " << context.data_offset);
if (context.data_offset >= context.data_size) {
IF_BMP_DEBUG(dbg() << "BMP data offset is beyond file end?!");
return false;
}
context.state = BMPLoadingContext::State::HeaderDecoded;
return true;
}
@ -735,6 +740,10 @@ static bool decode_bmp_dib(BMPLoadingContext& context)
if (context.data_size < bmp_header_size + dib_size)
return false;
if (context.data_offset < bmp_header_size + dib_size) {
IF_BMP_DEBUG(dbg() << "Shenanigans! BMP pixel data and header usually don't overlap.");
return false;
}
streamer.set_remaining(dib_size - 4);
@ -811,6 +820,7 @@ static bool decode_bmp_color_table(BMPLoadingContext& context)
auto bytes_per_color = context.dib_type == DIBType::Core ? 3 : 4;
u32 max_colors = 1 << context.dib.core.bpp;
ASSERT(context.data_offset >= bmp_header_size + context.dib_size());
auto size_of_color_table = context.data_offset - bmp_header_size - context.dib_size();
if (context.dib_type <= DIBType::OSV2) {
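Review bot: The new guard in decode_bmp_dib, `if (context.data_offset < bmp_header_size + dib_size)`, and the existing `data_size` check just above it both evaluate `bmp_header_size + dib_size`; if `dib_size` is an unsigned value read from the file and has not been restricted to the known DIB header sizes earlier in the function (its body starts outside the hunk, so I cannot confirm this), a large value wraps the sum and both checks pass for a malformed file. Writing the test without the addition avoids that, e.g. `if (context.data_offset < bmp_header_size || context.data_offset - bmp_header_size < dib_size) {`, and the same form works for the `data_size` check. In decode_bmp_color_table, `ASSERT(context.data_offset >= bmp_header_size + context.dib_size())` turns that file-derived condition into an invariant, which is only sound while decode_bmp_dib is guaranteed to have run first; a comment such as `// Guaranteed by decode_bmp_dib(), which rejects files whose pixel data starts inside the headers.` would make that dependency visible to anyone reordering the decoding states later. Both enclosing functions continue outside their hunks.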