about summary refs log tree commit diff
diff options
context:
space:
mode:
authorgiraffedata <giraffedata@9d0c8265-081b-0410-96cb-a4ca84ce46f8>2017-06-07 15:23:52 +0000
committergiraffedata <giraffedata@9d0c8265-081b-0410-96cb-a4ca84ce46f8>2017-06-07 15:23:52 +0000
commit0af8fb2809652d149173e57042d170e1126cd84c (patch)
tree3281b1ae1bd8b00a10771bd8a44e7d0a85dc859c
parent86714524b4ff9ed0eec9807e046722a601c39cea (diff)
downloadnetpbm-mirror-0af8fb2809652d149173e57042d170e1126cd84c.tar.gz
netpbm-mirror-0af8fb2809652d149173e57042d170e1126cd84c.tar.xz
netpbm-mirror-0af8fb2809652d149173e57042d170e1126cd84c.zip
Fix crash with negative value for width in Windows BMP input
git-svn-id: http://svn.code.sf.net/p/netpbm/code/trunk@2988 9d0c8265-081b-0410-96cb-a4ca84ce46f8
Diffstat
-rw-r--r--converter/other/bmptopnm.c17
-rw-r--r--doc/HISTORY4
2 files changed, 16 insertions, 5 deletions
diff --git a/converter/other/bmptopnm.c b/converter/other/bmptopnm.c
index 54868364..018b8326 100644
--- a/converter/other/bmptopnm.c
+++ b/converter/other/bmptopnm.c
@@ -384,10 +384,17 @@ readWindowsBasic40ByteInfoHeader(FILE *                 const ifP,
 -----------------------------------------------------------------------------*/
     int colorsused;        /* ColorsUsed value from header */
     unsigned short planesField, bitCountField;
+    int32_t colsField;
 
-    headerP->cols = GetLong(ifP);
-    if (headerP->cols == 0)
+    pm_readlittlelong2(ifP, &colsField);
+
+    if (colsField == 0)
         pm_error("Invalid BMP file: says width is zero");
+    else if (colsField < 0)
+        pm_error("Invalid BMP file: says width is negative (%d)", colsField);
+    else
+        headerP->cols = (unsigned int)colsField;
+
     {
         long const cy = GetLong(ifP);
 
@@ -1393,8 +1400,8 @@ isValidBmpBpp(unsigned int const cBitCount) {
 static void
 readBmp(FILE *               const ifP, 
         unsigned char ***    const bmpRasterP, 
-        int *                const colsP, 
-        int *                const rowsP,
+        unsigned int *       const colsP, 
+        unsigned int *       const rowsP,
         bool *               const grayPresentP, 
         bool *               const colorPresentP,
         unsigned int *       const cBitCountP, 
@@ -1559,7 +1566,7 @@ main(int argc, const char ** argv) {
            black and white and whether it has colors other than black, white,
            and gray.
         */
-    int cols, rows;
+    unsigned int cols, rows;
     unsigned char ** bmpRaster;
         /* The raster part of the BMP image, as a row x column array, with
            each element being a raw byte from the BMP raster.  Note that
diff --git a/doc/HISTORY b/doc/HISTORY
index 4f81efd3..294f68cc 100644
--- a/doc/HISTORY
+++ b/doc/HISTORY
@@ -27,6 +27,10 @@ not yet  BJH  Release 10.79.00
               the PATH instead of hardcoded as /usr/bin/perl (like all other
               Netpbm Perl programs).
 
+              bmptopnm: fix crash when input is a Windows BMP with negative
+              number for width.  Always broken.  (bmptopnm was new, as
+              bmptoppm, in original Netpbm, 1992).
+
               pamcomp: fix incorrect output with -mixtransparency.
               Always broken.  (-mixtransparency was new in Netpbm 10.56,
               September 2011).
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-06-15 10:04:35 +0000