LibGfx: Check bounds of color table accesses in BMPLoader

Previously, it was possible to crash the decoder by crafting a file with invalid color table index values.
Author: https://github.com/tcl3 Commit: https://github.com/SerenityOS/serenity/commit/e6c1429311 Pull-request: https://github.com/SerenityOS/serenity/pull/21289 Reviewed-by: https://github.com/LucasChollet ✅
2024-11-26 09:30:24 +00:00 · 2023-10-01 19:45:19 +01:00 · 2023-10-01 19:45:19 +01:00 · e6c1429311 · 2024-07-17 06:33:00 +09:00
commit e6c1429311
parent c14db6ab12
1 changed files with 10 additions and 2 deletions
--- a/Userland/Libraries/LibGfx/ImageFormats/BMPLoader.cpp
+++ b/Userland/Libraries/LibGfx/ImageFormats/BMPLoader.cpp
@ -1292,8 +1292,10 @@ static ErrorOr<void> decode_bmp_pixel_data(BMPLoadingContext& context)
                u8 mask = 8;
                while (column < width && mask > 0) {
                    mask -= 1;
-                    auto color_idx = (byte >> mask) & 0x1;
+                    size_t color_idx = (byte >> mask) & 0x1;
                    if (context.is_included_in_ico) {
+                        if (color_idx >= context.color_table.size())
+                            return Error::from_string_literal("Invalid color table index");
                        auto color = context.color_table[color_idx];
                        context.bitmap->scanline(row)[column++] = color;
                    } else {
@ -1309,8 +1311,10 @@ static ErrorOr<void> decode_bmp_pixel_data(BMPLoadingContext& context)
                u8 mask = 8;
                while (column < width && mask > 0) {
                    mask -= 2;
-                    auto color_idx = (byte >> mask) & 0x3;
+                    size_t color_idx = (byte >> mask) & 0x3;
                    if (context.is_included_in_ico) {
+                        if (color_idx >= context.color_table.size())
+                            return Error::from_string_literal("Invalid color table index");
                        auto color = context.color_table[color_idx];
                        context.bitmap->scanline(row)[column++] = color;
                    } else {
@ -1329,6 +1333,8 @@ static ErrorOr<void> decode_bmp_pixel_data(BMPLoadingContext& context)
                u32 low_color_idx = byte & 0xf;

                if (context.is_included_in_ico) {
+                    if (high_color_idx >= context.color_table.size() || low_color_idx >= context.color_table.size())
+                        return Error::from_string_literal("Invalid color table index");
                    auto high_color = context.color_table[high_color_idx];
                    auto low_color = context.color_table[low_color_idx];
                    context.bitmap->scanline(row)[column++] = high_color;
@ -1348,6 +1354,8 @@ static ErrorOr<void> decode_bmp_pixel_data(BMPLoadingContext& context)

                u8 byte = streamer.read_u8();
                if (context.is_included_in_ico) {
+                    if (byte >= context.color_table.size())
+                        return Error::from_string_literal("Invalid color table index");
                    auto color = context.color_table[byte];
                    context.bitmap->scanline(row)[column++] = color;
                } else {