Fix infinite loop that can occur for bad image data (#150601, Chris Evans,

Fri Aug 20 11:59:10 2004  Owen Taylor  <otaylor@redhat.com>

        * io-bmp.c: Fix infinite loop that can occur for bad
        image data (#150601, Chris Evans, Manish Singh)

diff --git a/gdk-pixbuf/ChangeLog b/gdk-pixbuf/ChangeLog
index 9bf55a29d85b08a9023845dd0673b317c03a0ad0..074838f5a1ca3cbc3b277f02f20f9339ecebe8c1 100644 (file)
--- a/gdk-pixbuf/ChangeLog
+++ b/gdk-pixbuf/ChangeLog
@@ -1,3 +1,8 @@
+Fri Aug 20 11:59:10 2004  Owen Taylor  <otaylor@redhat.com>
+
+       * io-bmp.c: Fix infinite loop that can occur for bad
+       image data (#150601, Chris Evans, Manish Singh)
+
 2004-08-17  Matthias Clasen  <mclasen@redhat.com>
 
        * abicheck.sh: No need for INCLUDE_INTERNAL_SYMBOLS any more.

diff --git a/gdk-pixbuf/io-bmp.c b/gdk-pixbuf/io-bmp.c
index 82ddba1301a6491fb1381a49a30553b1101a8b86..015eca8dac994d5d2e6882d28d144de0220b9139 100644 (file)
--- a/gdk-pixbuf/io-bmp.c
+++ b/gdk-pixbuf/io-bmp.c
@@ -876,8 +876,18 @@ DoCompressed(struct bmp_progressive_state *context, GError **error)
        guchar c;
        gint idx;
 
-       if (context->compr.y >= context->Header.height)
+       /* context->compr.y might be past the last line because we are
+        * on padding past the end of a valid data, or we might have hit
+        * out-of-bounds data. Either way we just eat-and-ignore the
+        * rest of the file. Doing the check only here and not when
+        * we change y below is fine since BufferSize is always 2 here
+        * and the BMP file format always starts new data on 16-bit
+        * boundaries.
+        */
+       if (context->compr.y >= context->Header.height) {
+               context->BufferDone = 0;
                return TRUE;
+       }
 
        y = context->compr.y;