Bug 313818 - io-ico.c: check header size overflow
Status: RESOLVED FIXED
Product: gdk-pixbuf
Classification: Platform
Component: general
Version: git master
Hardware: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: gtk-bugs
QA Contact: gtk-bugs
Depends on:
Blocks:
Reported: 2005-08-18 12:07 UTC by Tommi Komulainen
Modified: 2010-07-10 04:09 UTC
See Also:
GNOME target: ---
GNOME version: 2.9/2.10


Attachments
check for header size overflow (636 bytes, patch) - 2005-08-18 12:11 UTC, Tommi Komulainen

Description Tommi Komulainen 2005-08-18 12:07:25 UTC
io-ico.c (DecodeHeader):

260     if (State->DIBoffset < 0) {
...
271     State->HeaderSize = State->DIBoffset + 40; /* 40 = sizeof(InfoHeader) */

State->DIBoffset can be positive, like G_MAXINT-1, which passes the first check,
but will cause State->HeaderSize to overflow, which is not checked and will later
cause a crash.
Comment 1 Tommi Komulainen 2005-08-18 12:11:44 UTC
Created attachment 50903
check for header size overflow

At first I was attempting to use

if (State->DIBoffset < 0 || State->DIBoffset + 40 < 0) {

but for reasons I can't quite understand it fails to catch the overflow (with
i386 gcc 3.2.3 and 3.3.4). But if you use a separate if to check only for
'State->DIBoffset + 40 < 0' then it seems to work. Given the confusion, I think
a check after assignment is more reliable.
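The behaviour described in Comment 1 is what a C compiler is allowed to produce: signed integer overflow is undefined, so gcc may assume `DIBoffset + 40` never wraps and fold `DIBoffset + 40 < 0` into `DIBoffset < 0`, which lets G_MAXINT-1 through. The program below is an added example, not gdk-pixbuf's io-ico.c or the attached patch; the function names, the 22-byte constructed ICO directory and the `header_size_for_sample_offset` helper are this example's own. It contrasts the overflow-dependent check with a range check that is evaluated before the addition and so cannot overflow, and runs both over a constructed one-entry ICO directory whose image offset is set to G_MAXINT-1.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Size of the BITMAPINFOHEADER that follows the DIB data offset; this is the
 * literal 40 added in io-ico.c's DecodeHeader. */
#define INFOHEADER_SIZE 40

/* Little-endian helpers matching how ICO directory fields are stored. */
static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v);
    p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16);
    p[3] = (unsigned char)(v >> 24);
}

/* The form of check Comment 1 reports as not catching the overflow. Signed
 * overflow is undefined behaviour in C, so a compiler may assume
 * "off + 40" never wraps and fold "off + 40 < 0" into "off < 0", which
 * accepts INT_MAX - 1. Kept only to contrast with the safe version below;
 * it is never called with an overflowing value here. Do not use. */
int dib_offset_ok_unsafe(int off)
{
    if (off < 0 || off + INFOHEADER_SIZE < 0)
        return 0;
    return 1;
}

/* Safe form: compare against the largest offset that still leaves room for
 * the addition, so no arithmetic in the check itself can overflow. */
int dib_offset_ok(int off)
{
    return off >= 0 && off <= INT_MAX - INFOHEADER_SIZE;
}

/* HeaderSize = DIBoffset + 40, computed only after the range check passes.
 * Returns -1 when the offset is rejected. */
int compute_header_size(int dib_offset)
{
    if (!dib_offset_ok(dib_offset))
        return -1;
    return dib_offset + INFOHEADER_SIZE;
}

/* Minimal ICO directory walk: 6-byte ICONDIR (reserved, type, count) followed
 * by 16-byte ICONDIRENTRY records whose last field is the 32-bit image
 * offset. Returns the checked HeaderSize for entry 0, or -1 on rejection. */
int ico_first_header_size(const unsigned char *buf, size_t len)
{
    if (len < 6 + 16)
        return -1;
    uint32_t count = (uint32_t)buf[4] | ((uint32_t)buf[5] << 8);
    if (count == 0)
        return -1;
    uint32_t raw = read_le32(buf + 6 + 12);
    /* Values above INT_MAX would turn negative in an int cast; the original
     * "< 0" test catches those, so reject them explicitly instead of casting. */
    if (raw > (uint32_t)INT_MAX)
        return -1;
    return compute_header_size((int)raw);
}

/* Constructed sample (not real file data): a one-entry ICO directory with the
 * given image offset, fed through the parser above. */
int header_size_for_sample_offset(uint32_t image_offset)
{
    unsigned char buf[22] = {0};
    buf[2] = 1;                              /* type 1 = icon */
    buf[4] = 1;                              /* one directory entry */
    buf[6] = 16;                             /* width */
    buf[7] = 16;                             /* height */
    write_le32(buf + 6 + 8, 22u);            /* dwBytesInRes, arbitrary */
    write_le32(buf + 6 + 12, image_offset);  /* dwImageOffset */
    return ico_first_header_size(buf, sizeof buf);
}

int main(void)
{
    printf("offset 22          -> HeaderSize %d\n",
           header_size_for_sample_offset(22u));
    printf("offset INT_MAX - 1 -> HeaderSize %d\n",
           header_size_for_sample_offset((uint32_t)INT_MAX - 1u));
    printf("offset 0x80000000  -> HeaderSize %d\n",
           header_size_for_sample_offset(0x80000000u));
    return 0;
}
```

The range check `off <= INT_MAX - INFOHEADER_SIZE` is the pre-addition equivalent of the post-assignment `HeaderSize < 0` test the attachment chose; both avoid relying on wraparound, which is the property the folded expression lacked.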
Comment 2 Matthias Clasen 2005-08-18 14:20:09 UTC
2005-08-18  Matthias Clasen  <mclasen@redhat.com>

        * io-ico.c (DecodeHeader): Check for overflow in one more
        place.  (#313818, Tommi Komulainen)