From 9d21a4b86283aa5618f34988e50b5f6ef67406f1 Mon Sep 17 00:00:00 2001
From: Vincent Sanders
Date: Mon, 22 Aug 2016 21:02:53 +0100
Subject: cope with bmp headers close to UINT32_MAX
---
 src/libnsbmp.c | 26 ++++++++++++++++++--------
 test/bmp/bad_info_header_size.bmp | Bin 0 -> 1672 bytes
 test/bmp/int_min_height.bmp | Bin 0 -> 1668 bytes
 3 files changed, 18 insertions(+), 8 deletions(-)
 create mode 100644 test/bmp/bad_info_header_size.bmp
 create mode 100644 test/bmp/int_min_height.bmp
diff --git a/src/libnsbmp.c b/src/libnsbmp.c
index dc18a50..6483974 100644
--- a/src/libnsbmp.c
+++ b/src/libnsbmp.c
@@ -37,11 +37,14 @@
 /* squashes unused variable compiler warnings */
 #define UNUSED(x) ((x)=(x))
 
-/* BMP flags */
+/* BMP entry sizes */
 #define BMP_FILE_HEADER_SIZE 14
 #define ICO_FILE_HEADER_SIZE 6
 #define ICO_DIR_ENTRY_SIZE 16
 
+/* the bitmap information header types (encoded as lengths) */
+#define BITMAPCOREHEADER 12
+
 #ifdef WE_NEED_INT8_READING_NOW
 static inline int8_t read_int8(uint8_t *data, unsigned int o) {
 	return (int8_t) data[o];
@@ -81,15 +84,22 @@ static bmp_result bmp_info_header_parse(bmp_image *bmp, uint8_t *data)
 	uint8_t palette_size;
 	unsigned int flags = 0;
 
-	/* a variety of different bitmap headers can follow, depending
-	 * on the BMP variant. A full description of the various headers
-	 * can be found at
-	 * http://msdn.microsoft.com/en-us/library/ms532301(VS.85).aspx
-	 */
+	/* must be at least enough data for a core header */
+	if (bmp->buffer_size < (BMP_FILE_HEADER_SIZE + BITMAPCOREHEADER)) {
+		return BMP_INSUFFICIENT_DATA;
+	}
+
 	header_size = read_uint32(data, 0);
-	if (bmp->buffer_size < (14 + header_size))
+
+	/* ensure there is enough data for the declared header size*/
+	if ((bmp->buffer_size - BMP_FILE_HEADER_SIZE) < header_size) {
 		return BMP_INSUFFICIENT_DATA;
-	if (header_size == 12) {
+	}
+
+	/* a variety of different bitmap headers can follow, depending
+	 * on the BMP variant. The header length field determines the type.
+	 */
+	if (header_size == BITMAPCOREHEADER) {
 		/* the following header is for os/2 and windows 2.x and consists of:
 		 *
 		 * +0 UINT32 size of this header (in bytes)
diff --git a/test/bmp/bad_info_header_size.bmp b/test/bmp/bad_info_header_size.bmp
new file mode 100644
index 0000000..01732c8
Binary files /dev/null and b/test/bmp/bad_info_header_size.bmp differ
diff --git a/test/bmp/int_min_height.bmp b/test/bmp/int_min_height.bmp
new file mode 100644
index 0000000..792bbb7
Binary files /dev/null and b/test/bmp/int_min_height.bmp differ
-- 
cgit v1.2.3
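Review bot: The subtraction `bmp->buffer_size - BMP_FILE_HEADER_SIZE` in the second added check is only free of wrap-around because the first added check has already established `buffer_size >= BMP_FILE_HEADER_SIZE + BITMAPCOREHEADER`; that ordering dependency is invisible at the second check and deserves a comment such as `/* cannot underflow: the core-header check above guarantees buffer_size >= BMP_FILE_HEADER_SIZE */`, so a later edit that reorders or relaxes the first check does not silently reintroduce the overflow this commit removes. Rewriting the old `14 + header_size` comparison as a subtraction does avoid the near-UINT32_MAX overflow named in the subject, provided `buffer_size` and `header_size` are both unsigned; their declarations are outside the hunk, so that is worth confirming. Minor: the comment `/* ensure there is enough data for the declared header size*/` is missing a space before `*/`. The diffstat adds test/bmp/int_min_height.bmp with no matching change in libnsbmp.c, so it presumably exercises existing height handling rather than this fix. bmp_info_header_parse starts before and continues after this hunk.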