beenull/ladybird
1
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2024-11-26 09:30:24 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

LibGfx: Add some validation to BMPLoader

Browse source 
These changes fixed various asserts when I ran the fuzzer locally a
while ago.
This commit is contained in:
Nico Weber 2020-12-01 10:11:18 -05:00 committed by Andreas Kling
parent 1f86d88dc4
commit eef30bb05e
Notes: sideshowbarker 2024-07-19 01:07:41 +09:00 
Author: https://github.com/nico
Commit: https://github.com/SerenityOS/serenity/commit/eef30bb05e0
Pull-request: https://github.com/SerenityOS/serenity/pull/4292
1 changed files with 25 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
Libraries/LibGfx/BMPLoader.cpp
View file

@ -798,6 +798,22 @@ static bool decode_bmp_dib(BMPLoadingContext& context)
error = true; error = true;
} }
switch (context.dib.info.compression) {
case Compression::RGB:
case Compression::RLE8:
case Compression::RLE4:
case Compression::BITFIELDS:
case Compression::RLE24:
case Compression::PNG:
case Compression::ALPHABITFIELDS:
case Compression::CMYK:
case Compression::CMYKRLE8:
case Compression::CMYKRLE4:
break;
default:
error = true;
}
if (!error && !set_dib_bitmasks(context, streamer)) if (!error && !set_dib_bitmasks(context, streamer))
error = true; error = true;
@ -925,7 +941,7 @@ static bool uncompress_bmp_rle_data(BMPLoadingContext& context, ByteBuffer& buff
row++; row++;
} }
auto index = get_buffer_index(); auto index = get_buffer_index();
if (index >= buffer.size()) { if (index + 3 >= buffer.size()) {
IF_BMP_DEBUG(dbg() << "BMP has badly-formatted RLE data"); IF_BMP_DEBUG(dbg() << "BMP has badly-formatted RLE data");
return false; return false;
} }
@ -1031,7 +1047,11 @@ static bool uncompress_bmp_rle_data(BMPLoadingContext& context, ByteBuffer& buff
if (byte == 1) if (byte == 1)
return true; return true;
if (byte == 2) { if (byte == 2) {
if (!streamer.has_u8())
return false;
u8 offset_x = streamer.read_u8(); u8 offset_x = streamer.read_u8();
if (!streamer.has_u8())
return false;
u8 offset_y = streamer.read_u8(); u8 offset_y = streamer.read_u8();
column += offset_x; column += offset_x;
if (column >= total_columns) { if (column >= total_columns) {
@ -1062,10 +1082,14 @@ static bool uncompress_bmp_rle_data(BMPLoadingContext& context, ByteBuffer& buff
// Optionally consume a padding byte // Optionally consume a padding byte
if (compression != Compression::RLE4) { if (compression != Compression::RLE4) {
if (pixel_count % 2) { if (pixel_count % 2) {
if (!streamer.has_u8())
return false;
byte = streamer.read_u8(); byte = streamer.read_u8();
} }
} else { } else {
if (((pixel_count + 1) / 2) % 2) { if (((pixel_count + 1) / 2) % 2) {
if (!streamer.has_u8())
return false;
byte = streamer.read_u8(); byte = streamer.read_u8();
} }
} }