| commit | e7663526f7a8ee2ba10dbe1e85758c4ea4b3b12e | |
| author | Cyril Hrubis <metan@ucw.cz> | |
| Tue, 8 Dec 2015 09:37:48 +0000 (8 10:37 +0100) | ||
| committer | Cyril Hrubis <metan@ucw.cz> | |
| Tue, 8 Dec 2015 09:47:48 +0000 (8 10:47 +0100) | ||
| tree | 282908e940ad7a52f887fe05f2a7b8340cb1b071 | treesnapshot (tar.gz zip) |
| parent | 266c9d02b03917a0bfd6bf7c5a2c94cdbaf43ea3 | commitdiff |
loaders: BMP: Add sanity check for palette size
The palette size is 32bit integer in BMP header which when set to
absurdly large number makes the process go out of memory when palette
is initialized.
Now we check that palette size is <= 1<<bpp and truncate it otherwise.
Special thanks to the american fuzzy lop (afl).
Signed-off-by: Cyril Hrubis <metan@ucw.cz>
The palette size is 32bit integer in BMP header which when set to
absurdly large number makes the process go out of memory when palette
is initialized.
Now we check that palette size is <= 1<<bpp and truncate it otherwise.
Special thanks to the american fuzzy lop (afl).
Signed-off-by: Cyril Hrubis <metan@ucw.cz>
| libs/loaders/GP_BMP.c | diffblobblamehistory | |
| libs/loaders/GP_BMP_RLE.h | diffblobblamehistory |