From 9aa1be5a0dc032736ebf68742339cae00ad55e8c Mon Sep 17 00:00:00 2001
From: Claudio Saavedra
Date: Tue, 11 Mar 2008 21:05:26 +0000
Subject: [PATCH] Check for the BMP header magic numbers before decoding it. (#505085)

2008-03-11 Claudio Saavedra

* io-bmp.c: (DecodeHeader): Check for the BMP header magic numbers
before decoding it. (#505085)

svn path=/trunk/; revision=19756
---
gdk-pixbuf/ChangeLog | 5 +++++
gdk-pixbuf/io-bmp.c | 11 +++++++++++
2 files changed, 16 insertions(+)

diff --git a/gdk-pixbuf/ChangeLog b/gdk-pixbuf/ChangeLog
index 3c28e212aa..3c507d472c 100644
--- a/gdk-pixbuf/ChangeLog
+++ b/gdk-pixbuf/ChangeLog
@@ -1,3 +1,8 @@
+2008-03-11 Claudio Saavedra
+
+ * io-bmp.c: (DecodeHeader): Check for the BMP header magic numbers
+ before decoding it. (#505085)
+
 2008-02-16 Matthias Clasen

 * === Released 2.13.0 ===
diff --git a/gdk-pixbuf/io-bmp.c b/gdk-pixbuf/io-bmp.c
index d0347c963a..099a16d96a 100644
--- a/gdk-pixbuf/io-bmp.c
+++ b/gdk-pixbuf/io-bmp.c
@@ -258,6 +258,17 @@ static gboolean DecodeHeader(unsigned char *BFH, unsigned char *BIH,
 {
 gint clrUsed;

+ /* First check for the two first bytes content. A sane
+ BMP file must start with bytes 0x42 0x4D. */
+ if (*BFH != 0x42 || *(BFH + 1) != 0x4D) {
+ g_set_error (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("BMP image has bogus header data"));
+ State->read_state = READ_STATE_ERROR;
+ return FALSE;
+ }
+
 /* FIXME this is totally unrobust against bogus image data. */
 if (State->BufferSize < lsb_32 (&BIH[0]) + 14) {
 State->BufferSize = lsb_32 (&BIH[0]) + 14;
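Review bot: The new magic check on `BFH[0]`/`BFH[1]` rejects non-BMP data, but the statement right after it still takes the header length from `lsb_32 (&BIH[0])` without validation. A file that starts with 0x42 0x4D and carries an oversized length field can therefore still set `State->BufferSize` to a file-controlled value, and `+ 14` may wrap depending on the types involved, which are not visible here. I would reject an implausible length on the same error path before the resize, e.g. `if (lsb_32 (&BIH[0]) > BMP_MAX_HEADER_SIZE) { /* g_set_error, READ_STATE_ERROR */ return FALSE; }`, where `BMP_MAX_HEADER_SIZE` is a placeholder for a bound the decoder would need to define. The new comment could also note that 0x42 0x4D is ASCII "BM" and that the check relies on the caller having buffered the 14-byte file header. That guarantee, like the rest of DecodeHeader, lies outside the hunk.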