From 9c4a88f019b9ff63c4c767e97b31002369b899f8 Mon Sep 17 00:00:00 2001 From: giraffedata Date: Tue, 9 Nov 2010 02:48:22 +0000 Subject: Fix crash on large invalid value of ColorsUsed in BMP header git-svn-id: http://svn.code.sf.net/p/netpbm/code/trunk@1363 9d0c8265-081b-0410-96cb-a4ca84ce46f8 --- converter/other/bmptopnm.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) (limited to 'converter/other/bmptopnm.c') diff --git a/converter/other/bmptopnm.c b/converter/other/bmptopnm.c index bf16056b..75d73428 100644 --- a/converter/other/bmptopnm.c +++ b/converter/other/bmptopnm.c @@ -95,8 +95,11 @@ struct bmpInfoHeader { described by the "mask" values in the header, rather than fixed formats. */ - int cmapsize; - /* Size in bytes of the colormap (palette) in the BMP file */ + unsigned int cmapsize; + /* Size in bytes of the colormap (palette) in the BMP file. + + Zero means there is no colormap. + */ unsigned int imageSize; /* Size in bytes of the image data. We only reference this when the image is compressed. */ @@ -390,7 +393,7 @@ readWindowsBasic40ByteInfoHeader(FILE * const ifP, GetLong(ifP); /* YpixelsPerMeter */ colorsused = GetLong(ifP); /* ColorsUsed */ /* See comments in bmp.h for info about the definition of the following - word and its relationship to the color map size (*pcmapsize). + word and its relationship to the color map size (headerP->cmapsize). */ colorsimportant = GetLong(ifP); /* ColorsImportant */ @@ -623,7 +626,7 @@ static void BMPreadcolormap(FILE * const ifP, int const class, xel ** const colormapP, - int const cmapsize, + unsigned int const cmapsize, unsigned int * const bytesReadP) { /*---------------------------------------------------------------------------- Read the color map from the present position in the input BMP file @@ -638,7 +641,7 @@ BMPreadcolormap(FILE * const ifP, 'class' is the class of BMP image - Windows or OS/2. -----------------------------------------------------------------------------*/ - int i; + unsigned int i; xel * colormap; unsigned int bytesRead; @@ -1178,7 +1181,7 @@ reportHeader(struct bmpInfoHeader const header, header.compression == COMP_JPEG ? "JPEG (not supported)" : header.compression == COMP_PNG ? "PNG (not supported)" : "???"); - pm_message(" Colors in color map: %d", header.cmapsize); + pm_message(" Colors in color map: %u", header.cmapsize); } -- cgit 1.4.1