Fix loading bitmaps with malformed biClrUsed field

Stop throwing std::bad_alloc when BMP has large/negative biClrUsed by checking that biClrUsed has a reasonable value before attempting to allocate however much memory it indicates. Add unit tests showing the loading such invalid bitmaps now correctly returns an error rather than throwing an exception. Closes https://github.com/wxWidgets/wxWidgets/pull/2583 Closes #19295.
2021-11-05 19:30:24 -07:00
parent 58d2243f7b
commit 20208cc81f
8 changed files with 44 additions and 4 deletions
--- a/src/common/imagbmp.cpp
+++ b/src/common/imagbmp.cpp
@@ -518,8 +518,24 @@ bool wxBMPHandler::DoLoadDib(wxImage * image, int width, int height,
    // allocate space for palette if needed:
    BMPPalette *cmap;

-    if ( bpp < 16 )
+    if ( bpp <= 8 )
    {
+        // The bit depth is 8bpp, 4bpp, or 1bpp, which means that ncolors is
+        // the size of a palette.  The largest useful palette is 256 since
+        // anything larger couldn't be referenced by a pixel.  Since ncolors
+        // comes from the file, which could be corrupt or malicious, reject
+        // any bitmaps that have a dubious palette size.
+        if ( ncolors < 0 || 256 < ncolors )
+        {
+            if ( verbose )
+            {
+                wxLogError(
+                    _("BMP: header has biClrUsed=%d when biBitCount=%d."),
+                    ncolors, bpp);
+            }
+            return false;
+        }
+
        cmap = new BMPPalette[ncolors];
        if ( !cmap )
        {