Fix loading bitmaps with malformed biClrUsed field
Stop throwing std::bad_alloc when BMP has large/negative biClrUsed by checking that biClrUsed has a reasonable value before attempting to allocate however much memory it indicates. Add unit tests showing the loading such invalid bitmaps now correctly returns an error rather than throwing an exception. Closes https://github.com/wxWidgets/wxWidgets/pull/2583 Closes #19295.
This commit is contained in:
David Costanzo
Vadim Zeitlin
parent
58d2243f7b
commit
20208cc81f
@ -518,8 +518,24 @@ bool wxBMPHandler::DoLoadDib(wxImage * image, int width, int height,
|
||||
// allocate space for palette if needed:
|
||||
BMPPalette *cmap;
|
||||
|
||||
if ( bpp < 16 )
|
||||
if ( bpp <= 8 )
|
||||
{
|
||||
// The bit depth is 8bpp, 4bpp, or 1bpp, which means that ncolors is
|
||||
// the size of a palette. The largest useful palette is 256 since
|
||||
// anything larger couldn't be referenced by a pixel. Since ncolors
|
||||
// comes from the file, which could be corrupt or malicious, reject
|
||||
// any bitmaps that have a dubious palette size.
|
||||
if ( ncolors < 0 || 256 < ncolors )
|
||||
{
|
||||
if ( verbose )
|
||||
{
|
||||
wxLogError(
|
||||
_("BMP: header has biClrUsed=%d when biBitCount=%d."),
|
||||
ncolors, bpp);
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
cmap = new BMPPalette[ncolors];
|
||||
if ( !cmap )
|
||||
{
|
||||
|
||||
@ -565,7 +565,7 @@ data:
|
||||
|
||||
data-images:
|
||||
@mkdir -p image
|
||||
@for f in horse_grey.bmp horse_grey_flipped.bmp horse_rle4.bmp horse_rle4_flipped.bmp horse_rle8.bmp horse_rle8_flipped.bmp horse_bicubic_50x50.png horse_bicubic_100x100.png horse_bicubic_150x150.png horse_bicubic_300x300.png horse_bilinear_50x50.png horse_bilinear_100x100.png horse_bilinear_150x150.png horse_bilinear_300x300.png horse_box_average_50x50.png horse_box_average_100x100.png horse_box_average_150x150.png horse_box_average_300x300.png cross_bicubic_256x256.png cross_bilinear_256x256.png cross_box_average_256x256.png cross_nearest_neighb_256x256.png paste_input_background.png paste_input_black.png paste_input_overlay_transparent_border_opaque_square.png paste_input_overlay_transparent_border_semitransparent_circle.png paste_input_overlay_transparent_border_semitransparent_square.png paste_result_background_plus_circle_plus_square.png paste_result_background_plus_overlay_transparent_border_opaque_square.png paste_result_background_plus_overlay_transparent_border_semitransparent_square.png paste_result_no_background_square_over_circle.png wx.png wx.ico toucan.png toucan_hue_0.538.png toucan_sat_-0.41.png toucan_bright_-0.259.png toucan_hsv_0.538_-0.41_-0.259.png toucan_light_46.png toucan_dis_240.png toucan_grey.png toucan_mono_255_255_255.png; do \
|
||||
@for f in 8bpp-colorsused-large.bmp 8bpp-colorsused-negative.bmp horse_grey.bmp horse_grey_flipped.bmp horse_rle4.bmp horse_rle4_flipped.bmp horse_rle8.bmp horse_rle8_flipped.bmp horse_bicubic_50x50.png horse_bicubic_100x100.png horse_bicubic_150x150.png horse_bicubic_300x300.png horse_bilinear_50x50.png horse_bilinear_100x100.png horse_bilinear_150x150.png horse_bilinear_300x300.png horse_box_average_50x50.png horse_box_average_100x100.png horse_box_average_150x150.png horse_box_average_300x300.png cross_bicubic_256x256.png cross_bilinear_256x256.png cross_box_average_256x256.png cross_nearest_neighb_256x256.png paste_input_background.png paste_input_black.png paste_input_overlay_transparent_border_opaque_square.png paste_input_overlay_transparent_border_semitransparent_circle.png paste_input_overlay_transparent_border_semitransparent_square.png paste_result_background_plus_circle_plus_square.png paste_result_background_plus_overlay_transparent_border_opaque_square.png paste_result_background_plus_overlay_transparent_border_semitransparent_square.png paste_result_no_background_square_over_circle.png wx.png wx.ico toucan.png toucan_hue_0.538.png toucan_sat_-0.41.png toucan_bright_-0.259.png toucan_hsv_0.538_-0.41_-0.259.png toucan_light_46.png toucan_dis_240.png toucan_grey.png toucan_mono_255_255_255.png; do \
|
||||
if test ! -f image/$$f -a ! -d image/$$f ; \
|
||||
then x=yep ; \
|
||||
else x=`find $(srcdir)/image/$$f -newer image/$$f -print` ; \
|
||||
|
||||
BIN
tests/image/8bpp-colorsused-large.bmp
Normal file
BIN
tests/image/8bpp-colorsused-large.bmp
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 75 KiB |
BIN
tests/image/8bpp-colorsused-negative.bmp
Normal file
BIN
tests/image/8bpp-colorsused-negative.bmp
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 75 KiB |
@ -98,6 +98,7 @@ private:
|
||||
CPPUNIT_TEST( BMPFlippingAndRLECompression );
|
||||
CPPUNIT_TEST( ScaleCompare );
|
||||
CPPUNIT_TEST( CreateBitmapFromCursor );
|
||||
CPPUNIT_TEST( MalformedBMP );
|
||||
CPPUNIT_TEST_SUITE_END();
|
||||
|
||||
void LoadFromSocketStream();
|
||||
@ -119,6 +120,7 @@ private:
|
||||
void BMPFlippingAndRLECompression();
|
||||
void ScaleCompare();
|
||||
void CreateBitmapFromCursor();
|
||||
void MalformedBMP();
|
||||
|
||||
wxDECLARE_NO_COPY_CLASS(ImageTestCase);
|
||||
};
|
||||
@ -1520,6 +1522,25 @@ void ImageTestCase::CreateBitmapFromCursor()
|
||||
#endif
|
||||
}
|
||||
|
||||
// This function assumes that the file is malformed in a way that it cannot
|
||||
// be loaded. If the file is malformed such that wxImage can salvage part
|
||||
// of it, then CompareBMPImage should be called instead.
|
||||
static void LoadMalformedBMP(const wxString& file)
|
||||
{
|
||||
wxImage image(file);
|
||||
WX_ASSERT_MESSAGE
|
||||
(
|
||||
("wxImage::isOk() returned true after loading \"%s\"", file),
|
||||
!image.IsOk()
|
||||
);
|
||||
}
|
||||
|
||||
void ImageTestCase::MalformedBMP()
|
||||
{
|
||||
LoadMalformedBMP("image/8bpp-colorsused-negative.bmp");
|
||||
LoadMalformedBMP("image/8bpp-colorsused-large.bmp");
|
||||
}
|
||||
|
||||
#endif //wxUSE_IMAGE
|
||||
|
||||
TEST_CASE("wxImage::Paste", "[image][paste]")
|
||||
|
||||
@ -555,7 +555,7 @@ data:
|
||||
|
||||
data-images:
|
||||
if not exist image mkdir image
|
||||
for %%f in (horse_grey.bmp horse_grey_flipped.bmp horse_rle4.bmp horse_rle4_flipped.bmp horse_rle8.bmp horse_rle8_flipped.bmp horse_bicubic_50x50.png horse_bicubic_100x100.png horse_bicubic_150x150.png horse_bicubic_300x300.png horse_bilinear_50x50.png horse_bilinear_100x100.png horse_bilinear_150x150.png horse_bilinear_300x300.png horse_box_average_50x50.png horse_box_average_100x100.png horse_box_average_150x150.png horse_box_average_300x300.png cross_bicubic_256x256.png cross_bilinear_256x256.png cross_box_average_256x256.png cross_nearest_neighb_256x256.png paste_input_background.png paste_input_black.png paste_input_overlay_transparent_border_opaque_square.png paste_input_overlay_transparent_border_semitransparent_circle.png paste_input_overlay_transparent_border_semitransparent_square.png paste_result_background_plus_circle_plus_square.png paste_result_background_plus_overlay_transparent_border_opaque_square.png paste_result_background_plus_overlay_transparent_border_semitransparent_square.png paste_result_no_background_square_over_circle.png wx.png wx.ico toucan.png toucan_hue_0.538.png toucan_sat_-0.41.png toucan_bright_-0.259.png toucan_hsv_0.538_-0.41_-0.259.png toucan_light_46.png toucan_dis_240.png toucan_grey.png toucan_mono_255_255_255.png) do if not exist image\%%f copy .\image\%%f image
|
||||
for %%f in (8bpp-colorsused-large.bmp 8bpp-colorsused-negative.bmp horse_grey.bmp horse_grey_flipped.bmp horse_rle4.bmp horse_rle4_flipped.bmp horse_rle8.bmp horse_rle8_flipped.bmp horse_bicubic_50x50.png horse_bicubic_100x100.png horse_bicubic_150x150.png horse_bicubic_300x300.png horse_bilinear_50x50.png horse_bilinear_100x100.png horse_bilinear_150x150.png horse_bilinear_300x300.png horse_box_average_50x50.png horse_box_average_100x100.png horse_box_average_150x150.png horse_box_average_300x300.png cross_bicubic_256x256.png cross_bilinear_256x256.png cross_box_average_256x256.png cross_nearest_neighb_256x256.png paste_input_background.png paste_input_black.png paste_input_overlay_transparent_border_opaque_square.png paste_input_overlay_transparent_border_semitransparent_circle.png paste_input_overlay_transparent_border_semitransparent_square.png paste_result_background_plus_circle_plus_square.png paste_result_background_plus_overlay_transparent_border_opaque_square.png paste_result_background_plus_overlay_transparent_border_semitransparent_square.png paste_result_no_background_square_over_circle.png wx.png wx.ico toucan.png toucan_hue_0.538.png toucan_sat_-0.41.png toucan_bright_-0.259.png toucan_hsv_0.538_-0.41_-0.259.png toucan_light_46.png toucan_dis_240.png toucan_grey.png toucan_mono_255_255_255.png) do if not exist image\%%f copy .\image\%%f image
|
||||
|
||||
fr:
|
||||
if not exist $(OBJS)\intl\fr mkdir $(OBJS)\intl\fr
|
||||
|
||||
@ -989,7 +989,7 @@ data:
|
||||
|
||||
data-images:
|
||||
if not exist image mkdir image
|
||||
for %f in (horse_grey.bmp horse_grey_flipped.bmp horse_rle4.bmp horse_rle4_flipped.bmp horse_rle8.bmp horse_rle8_flipped.bmp horse_bicubic_50x50.png horse_bicubic_100x100.png horse_bicubic_150x150.png horse_bicubic_300x300.png horse_bilinear_50x50.png horse_bilinear_100x100.png horse_bilinear_150x150.png horse_bilinear_300x300.png horse_box_average_50x50.png horse_box_average_100x100.png horse_box_average_150x150.png horse_box_average_300x300.png cross_bicubic_256x256.png cross_bilinear_256x256.png cross_box_average_256x256.png cross_nearest_neighb_256x256.png paste_input_background.png paste_input_black.png paste_input_overlay_transparent_border_opaque_square.png paste_input_overlay_transparent_border_semitransparent_circle.png paste_input_overlay_transparent_border_semitransparent_square.png paste_result_background_plus_circle_plus_square.png paste_result_background_plus_overlay_transparent_border_opaque_square.png paste_result_background_plus_overlay_transparent_border_semitransparent_square.png paste_result_no_background_square_over_circle.png wx.png wx.ico toucan.png toucan_hue_0.538.png toucan_sat_-0.41.png toucan_bright_-0.259.png toucan_hsv_0.538_-0.41_-0.259.png toucan_light_46.png toucan_dis_240.png toucan_grey.png toucan_mono_255_255_255.png) do if not exist image\%f copy .\image\%f image
|
||||
for %f in (8bpp-colorsused-large.bmp 8bpp-colorsused-negative.bmp horse_grey.bmp horse_grey_flipped.bmp horse_rle4.bmp horse_rle4_flipped.bmp horse_rle8.bmp horse_rle8_flipped.bmp horse_bicubic_50x50.png horse_bicubic_100x100.png horse_bicubic_150x150.png horse_bicubic_300x300.png horse_bilinear_50x50.png horse_bilinear_100x100.png horse_bilinear_150x150.png horse_bilinear_300x300.png horse_box_average_50x50.png horse_box_average_100x100.png horse_box_average_150x150.png horse_box_average_300x300.png cross_bicubic_256x256.png cross_bilinear_256x256.png cross_box_average_256x256.png cross_nearest_neighb_256x256.png paste_input_background.png paste_input_black.png paste_input_overlay_transparent_border_opaque_square.png paste_input_overlay_transparent_border_semitransparent_circle.png paste_input_overlay_transparent_border_semitransparent_square.png paste_result_background_plus_circle_plus_square.png paste_result_background_plus_overlay_transparent_border_opaque_square.png paste_result_background_plus_overlay_transparent_border_semitransparent_square.png paste_result_no_background_square_over_circle.png wx.png wx.ico toucan.png toucan_hue_0.538.png toucan_sat_-0.41.png toucan_bright_-0.259.png toucan_hsv_0.538_-0.41_-0.259.png toucan_light_46.png toucan_dis_240.png toucan_grey.png toucan_mono_255_255_255.png) do if not exist image\%f copy .\image\%f image
|
||||
|
||||
fr:
|
||||
if not exist $(OBJS)\intl\fr mkdir $(OBJS)\intl\fr
|
||||
|
||||
@ -349,6 +349,9 @@
|
||||
<srcdir>$(SRCDIR)/image</srcdir>
|
||||
<dstdir>image</dstdir>
|
||||
<files>
|
||||
8bpp-colorsused-large.bmp
|
||||
8bpp-colorsused-negative.bmp
|
||||
|
||||
horse_grey.bmp horse_grey_flipped.bmp
|
||||
horse_rle4.bmp horse_rle4_flipped.bmp
|
||||
horse_rle8.bmp horse_rle8_flipped.bmp
|
||||
|
||||
Loading…
Reference in New Issue
Block a user