#! /bin/sh /usr/share/dpatch/dpatch-run ## 90-bmp-loader-overflows.dpatch by Kees Cook <kees@ubuntu.com> ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: No description. @DPATCH@ diff -urNad xmms-1.2.10+cvs20050809~/xmms/bmp.c xmms-1.2.10+cvs20050809/xmms/bmp.c --- xmms-1.2.10+cvs20050809~/xmms/bmp.c 2002-02-11 15:15:56.000000000 -0800 +++ xmms-1.2.10+cvs20050809/xmms/bmp.c 2007-03-26 19:16:42.938885599 -0700 @@ -19,6 +19,12 @@ */ #include "xmms.h" +#if HAVE_STDINT_H +#include <stdint.h> +#elif !defined(UINT32_MAX) +#define UINT32_MAX 0xffffffffU +#endif + typedef struct tagRGBQUAD { guchar rgbBlue; @@ -184,7 +190,7 @@ } else if (bitcount != 24 && bitcount != 16 && bitcount != 32) { - gint ncols, i; + guint32 ncols, i; ncols = offset - headSize - 14; if (headSize == 12) @@ -200,10 +206,18 @@ } } fseek(file, offset, SEEK_SET); + /* verify buffer size */ + if (!h || !w || + w > (((UINT32_MAX - 3) / 3) / h) || + h > (((UINT32_MAX - 3) / 3) / w)) { + g_warning("read_bmp(): width(%u)*height(%u) too large", w, h); + fclose(file); + return NULL; + } + data = g_malloc0((w * 3 * h) + 3); /* +3 is just for safety */ buffer = g_malloc(imgsize); fread(buffer, imgsize, 1, file); fclose(file); - data = g_malloc0((w * 3 * h) + 3); /* +3 is just for safety */ if (bitcount == 1) read_1b_rgb(buffer, imgsize, data, w, h, rgb_quads);