Bug 775242 - bmp: State->Header.height can be INT_MIN which negated does not fit in signed int
Status: RESOLVED FIXED
Product: gdk-pixbuf
Classification: Platform
Component: loaders
Version: git master
Hardware: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: gdk-pixbuf-maint
QA Contact: gdk-pixbuf-maint
Reported: 2016-11-28 15:18 UTC by Tobias Mueller
Modified: 2016-12-13 17:46 UTC

Attachments
- crashing file, password "crash", found by afl (1.50 KB, application/pgp-encrypted), 2016-11-28 15:18 UTC, Tobias Mueller
- patch (1.37 KB, patch), 2016-11-28 15:19 UTC, Tobias Mueller, review status: none
- bmp: Error out when bottom-to-top BMP is too high (1.22 KB, patch), 2016-12-13 17:45 UTC, Bastien Nocera, review status: committed
- tests: Add test for bug 775242 (2.64 KB, patch), 2016-12-13 17:45 UTC, Bastien Nocera, review status: committed

Description Tobias Mueller 2016-11-28 15:18:13 UTC
Created attachment 340913
crashing file, password "crash", found by afl

A pathological BMP file can cause the following error:

io-bmp.c:356:26: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself

INT_MIN is -2147483648 and negating that does not fit in a signed int. Because I don't know what else to do, we error out.
Comment 1 Tobias Mueller 2016-11-28 15:19:35 UTC
Created attachment 340914
patch

I don't know whether there is any more mild measure to take rather than to bail out. It gets rid of that special error, though.

That bmp file produces other runtime errors which should probably be looked into.
Comment 2 Bastien Nocera 2016-12-13 17:45:10 UTC
Created attachment 341901
bmp: Error out when bottom-to-top BMP is too high

BMP files with BITMAPV4HEADER can have negative height when the image is
encoded bottom-to-top, but when that negative height is INT_MIN, we
cannot represent it as a positive integer (|INT_MIN| = INT_MAX + 1).
Error out in this case.
Comment 3 Bastien Nocera 2016-12-13 17:45:16 UTC
Created attachment 341902
tests: Add test for bug 775242
Comment 4 Bastien Nocera 2016-12-13 17:45:52 UTC
Attachment 341901 pushed as a3d6e40 - bmp: Error out when bottom-to-top BMP is too high
Attachment 341902 pushed as 08e388f - tests: Add test for bug 775242
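
The check this report converges on, as an added C example that is not taken from gdk-pixbuf or from either attached patch: a signed 32-bit height field is decoded from the header bytes and rejected when it equals INT32_MIN, before any negation happens. `struct bmp_dims`, `read_le_i32` and `bmp_height_from_field` are hypothetical names, and the sample byte strings are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result type for this example; not a gdk-pixbuf structure. */
struct bmp_dims {
    int32_t height;    /* magnitude of the stored height */
    bool    negative;  /* true when the file stored a negative height */
};

/* Decode the little-endian signed 32-bit height field of the header. */
static int32_t read_le_i32(const unsigned char *p)
{
    uint32_t u = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    if (u <= (uint32_t)INT32_MAX)
        return (int32_t)u;
    /* Map 0x80000000..0xFFFFFFFF to INT32_MIN..-1 without overflow. */
    return (int32_t)(u - 0x80000000u) + INT32_MIN;
}

/* Returns 0 on success, -1 when the header has to be rejected. */
int bmp_height_from_field(const unsigned char field[4], struct bmp_dims *out)
{
    int32_t raw = read_le_i32(field);

    /* Check before negating: -INT32_MIN is undefined behaviour in C. */
    if (raw == INT32_MIN)
        return -1;
    out->negative = raw < 0;
    out->height = raw < 0 ? -raw : raw;
    return 0;
}

int main(void)
{
    /* Constructed sample height fields, little-endian. */
    const unsigned char samples[3][4] = {
        { 0x10, 0x00, 0x00, 0x00 },   /* 16 */
        { 0xfe, 0xff, 0xff, 0xff },   /* -2 */
        { 0x00, 0x00, 0x00, 0x80 },   /* INT32_MIN */
    };
    for (int i = 0; i < 3; i++) {
        struct bmp_dims d = { 0, false };
        int rc = bmp_height_from_field(samples[i], &d);
        printf("rc=%d height=%d negative=%d\n", rc, (int)d.height, d.negative);
    }
    return 0;
}
```

Building with `-fsanitize=undefined`, the sanitizer that produced the message quoted in the description, confirms that no negation of INT32_MIN is reached.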