path: root/main/gdk-pixbuf/CVE-2017-6312.patch
blob: 3cd9bbe75772b04e7a32051f41a47dd82860ec47 (plain)
--- a/gdk-pixbuf/io-ico.c	
+++ a/gdk-pixbuf/io-ico.c	
@@ -330,10 +330,8 @@ static void DecodeHeader(guchar *Data, gint Bytes,
 			return;
 		}
 
-		/* We know how many bytes are in the "header" part. */
-		State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;
-
-		if (State->HeaderSize < 0) {
+		/* Avoid invoking undefined behavior in the State->HeaderSize calculation below */
+		if (entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE) {
 			g_set_error (error,
 			             GDK_PIXBUF_ERROR,
 			             GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
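Review bot: The new guard `if (entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE)` bounds only the upper end, while the same change drops the old `State->HeaderSize < 0` test. The declaration of `DIBoffset` is outside the hunk; if it is a signed `gint` and the check that ends just above (only its `return; }` is visible) does not already reject negative offsets, a negative value read from the ICO directory entry would pass here, yield a negative `HeaderSize`, and skip the `State->HeaderSize>State->BytesInHeaderBuf` growth path in the following hunk. I would write the guard as `if (entry->DIBoffset < 0 || entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE) {` so both ends are rejected before the addition. DecodeHeader starts before and continues after the visible lines.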
@@ -341,6 +339,9 @@ static void DecodeHeader(guchar *Data, gint Bytes,
 			return;
 		}
 
+		/* We know how many bytes are in the "header" part. */
+		State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;
+
 		if (State->HeaderSize>State->BytesInHeaderBuf) {
 			guchar *tmp=g_try_realloc(State->HeaderBuf,State->HeaderSize);
 			if (!tmp) {