about summary refs log tree commit diff
diff options
context:
space:
mode:
authorgiraffedata <giraffedata@9d0c8265-081b-0410-96cb-a4ca84ce46f8>2010-11-09 02:48:22 +0000
committergiraffedata <giraffedata@9d0c8265-081b-0410-96cb-a4ca84ce46f8>2010-11-09 02:48:22 +0000
commit9c4a88f019b9ff63c4c767e97b31002369b899f8 (patch)
treecf3d203bd608a7b21b99854fea49e53dd9dbc7a4
parent89477b37e4b679da49c9c578fdbb7690211f06a8 (diff)
downloadnetpbm-mirror-9c4a88f019b9ff63c4c767e97b31002369b899f8.tar.gz
netpbm-mirror-9c4a88f019b9ff63c4c767e97b31002369b899f8.tar.xz
netpbm-mirror-9c4a88f019b9ff63c4c767e97b31002369b899f8.zip
Fix crash on large invalid value of ColorsUsed in BMP header
git-svn-id: http://svn.code.sf.net/p/netpbm/code/trunk@1363 9d0c8265-081b-0410-96cb-a4ca84ce46f8
Diffstat
-rw-r--r--converter/bmp.h8
-rw-r--r--converter/other/bmptopnm.c15
-rw-r--r--doc/HISTORY3
3 files changed, 16 insertions, 10 deletions
diff --git a/converter/bmp.h b/converter/bmp.h
index b22be82f..8b2aa302 100644
--- a/converter/bmp.h
+++ b/converter/bmp.h
@@ -126,7 +126,7 @@ BMPleninfoheader(enum bmpClass const class) {
 static __inline__ unsigned int
 BMPlencolormap(enum bmpClass const class,
                unsigned int  const bitcount, 
-               int           const cmapsize) {
+               unsigned int  const cmapsize) {
 
     unsigned int lenrgb;
     unsigned int lencolormap;
@@ -141,7 +141,7 @@ BMPlencolormap(enum bmpClass const class,
         case C_OS2: lenrgb = 3; break;
         }
 
-        if (cmapsize < 0) 
+        if (!cmapsize) 
             lencolormap = (1 << bitcount) * lenrgb;
         else 
             lencolormap = cmapsize * lenrgb;
@@ -216,7 +216,7 @@ BMPoffbits(enum bmpClass const class,
 static __inline__ unsigned int
 BMPlenfileGen(enum bmpClass     const class,
               unsigned int      const bitcount, 
-              int               const cmapsize,
+              unsigned int      const cmapsize,
               unsigned int      const x,
               unsigned int      const y,
               unsigned int      const imageSize,
@@ -244,7 +244,7 @@ BMPlenfileGen(enum bmpClass     const class,
 static __inline__ unsigned int
 BMPlenfile(enum bmpClass const class,
            unsigned int  const bitcount, 
-           int           const cmapsize,
+           unsigned int  const cmapsize,
            unsigned int  const x,
            unsigned int  const y) {
 /*----------------------------------------------------------------------------
diff --git a/converter/other/bmptopnm.c b/converter/other/bmptopnm.c
index bf16056b..75d73428 100644
--- a/converter/other/bmptopnm.c
+++ b/converter/other/bmptopnm.c
@@ -95,8 +95,11 @@ struct bmpInfoHeader {
            described by the "mask" values in the header, rather than
            fixed formats.
         */
-    int cmapsize;
-        /* Size in bytes of the colormap (palette) in the BMP file */
+    unsigned int cmapsize;
+        /* Size in bytes of the colormap (palette) in the BMP file.
+
+           Zero means there is no colormap.
+        */
     unsigned int imageSize;
         /* Size in bytes of the image data.  We only reference this 
            when the image is compressed. */    
@@ -390,7 +393,7 @@ readWindowsBasic40ByteInfoHeader(FILE *                 const ifP,
     GetLong(ifP);   /* YpixelsPerMeter */
     colorsused = GetLong(ifP);   /* ColorsUsed */
     /* See comments in bmp.h for info about the definition of the following
-       word and its relationship to the color map size (*pcmapsize).
+       word and its relationship to the color map size (headerP->cmapsize).
     */
     colorsimportant = GetLong(ifP);  /* ColorsImportant */
 
@@ -623,7 +626,7 @@ static void
 BMPreadcolormap(FILE *         const ifP, 
                 int            const class, 
                 xel **         const colormapP, 
-                int            const cmapsize,
+                unsigned int   const cmapsize,
                 unsigned int * const bytesReadP) {
 /*----------------------------------------------------------------------------
    Read the color map from the present position in the input BMP file
@@ -638,7 +641,7 @@ BMPreadcolormap(FILE *         const ifP,
    'class' is the class of BMP image - Windows or OS/2.
 -----------------------------------------------------------------------------*/
 
-    int i;
+    unsigned int i;
 
     xel * colormap;
     unsigned int bytesRead;
@@ -1178,7 +1181,7 @@ reportHeader(struct bmpInfoHeader const header,
                header.compression == COMP_JPEG ? "JPEG (not supported)" :
                header.compression == COMP_PNG ? "PNG (not supported)" :
                "???");                
-    pm_message("  Colors in color map: %d", header.cmapsize);
+    pm_message("  Colors in color map: %u", header.cmapsize);
 }        
 
 
diff --git a/doc/HISTORY b/doc/HISTORY
index 3f26fb43..c24fd146 100644
--- a/doc/HISTORY
+++ b/doc/HISTORY
@@ -15,6 +15,9 @@ Not yet  BJH  Release 10.53.00
               sunicontopnm: Validate header.  Thanks Prophet of the Way
               <afu@wta.att.ne.jp>.
 
+              bmptopnm: don't crash on large invalid value of 'colorsused' in
+              the BMP header.
+
               pm_mallocarray2: fix wild pointers when image is too big to fit
               in a single chunk of malloc memory.  Affects many Netpbm
               programs.  Introduced in 10.51.00.
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-08-28 19:13:23 +0000