Skip to content

Commit

Permalink
crates/bmp/decoder: Check that buf length read isn't out of bounds
Browse files Browse the repository at this point in the history
  • Loading branch information
@etemesi254
etemesi254 committed Nov 4, 2023
1 parent f4031c7 commit c3a3c5d
Showing 1 changed file with 34 additions and 31 deletions.
65 changes: 34 additions & 31 deletions crates/zune-bmp/src/decoder.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -139,37 +139,37 @@ pub fn probe_bmp(bytes: &[u8]) -> bool {
/// For some configurations, alpha is disabled,
#[derive(Clone, Copy, Default, Debug)]
struct PaletteEntry {
red: u8,
red: u8,
green: u8,
blue: u8,
alpha: u8
blue: u8,
alpha: u8,
}

/// A BMP decoder.
pub struct BmpDecoder<T>
where
T: ZReaderTrait
where
T: ZReaderTrait
{
bytes: ZByteReader<T>,
options: DecoderOptions,
width: usize,
height: usize,
bytes: ZByteReader<T>,
options: DecoderOptions,
width: usize,
height: usize,
flip_vertically: bool,
rgb_bitfields: [u32; 4],
rgb_bitfields: [u32; 4],
decoded_headers: bool,
pix_fmt: BmpPixelFormat,
comp: BmpCompression,
ihszie: u32,
hsize: u32,
palette: Vec<PaletteEntry>,
depth: u16,
is_alpha: bool,
palette_numbers: usize
pix_fmt: BmpPixelFormat,
comp: BmpCompression,
ihszie: u32,
hsize: u32,
palette: Vec<PaletteEntry>,
depth: u16,
is_alpha: bool,
palette_numbers: usize,
}

impl<T> BmpDecoder<T>
where
T: ZReaderTrait
where
T: ZReaderTrait
{
/// Create a new bmp decoder that reads data from
/// `data
Expand Down Expand Up @@ -207,7 +207,7 @@ where
depth: 0,
palette: vec![],
is_alpha: false,
palette_numbers: 0
palette_numbers: 0,
}
}

Expand All @@ -234,7 +234,7 @@ where
if self.bytes.len() < file_size {
return Err(BmpDecoderErrors::TooSmallBuffer(
file_size,
self.bytes.len()
self.bytes.len(),
));
}
// skip 4 reserved bytes
Expand Down Expand Up @@ -266,7 +266,7 @@ where
_ => {
return Err(BmpDecoderErrors::GenericStatic(
"Unknown information header size"
))
));
}
}

Expand All @@ -279,15 +279,15 @@ where
return Err(BmpDecoderErrors::TooLargeDimensions(
"height",
self.options.get_max_height(),
self.height
self.height,
));
}

if self.width > self.options.get_max_width() {
return Err(BmpDecoderErrors::TooLargeDimensions(
"width",
self.options.get_max_width(),
self.width
self.width,
));
}
if self.width == 0 {
Expand Down Expand Up @@ -323,7 +323,7 @@ where
None => {
return Err(BmpDecoderErrors::GenericStatic(
"Unsupported BMP compression scheme"
))
));
}
}
} else {
Expand Down Expand Up @@ -516,7 +516,7 @@ where
let mut output = vec![
0_u8;
self.output_buf_size()
.ok_or(BmpDecoderErrors::OverFlowOccurred)?
.ok_or(BmpDecoderErrors::OverFlowOccurred)?,
];

self.decode_into(&mut output)?;
Expand Down Expand Up @@ -626,7 +626,7 @@ where
.zip(bytes.chunks_exact(pad_size))
{
for (a, b) in
out.chunks_exact_mut(4).zip(input.chunks_exact(4))
out.chunks_exact_mut(4).zip(input.chunks_exact(4))
{
let v = u32::from_le_bytes(b.try_into().unwrap());

Expand Down Expand Up @@ -737,7 +737,7 @@ where
self.depth as usize,
true,
in_bytes,
&mut scanline_bytes
&mut scanline_bytes,
);

self.expand_palette(&scanline_bytes, out_bytes, true);
Expand Down Expand Up @@ -984,6 +984,9 @@ where
Err(BmpDecoderErrors::Generic(msg))
};
}
if pos >= buf.len() {
return Err(BmpDecoderErrors::GenericStatic("Invalid image, out of bounds read in pos"));
}
// move to the next line
buf = &mut buf[pos..];
pos = 0;
Expand Down Expand Up @@ -1054,7 +1057,7 @@ where

if pos > buf.len()
|| buf.len().saturating_sub(pos)
<= (usize::from(p1) * usize::from(self.depth) + 31) / 8
<= (usize::from(p1) * usize::from(self.depth) + 31) / 8
{
let expected = (usize::from(p1) * usize::from(self.depth)) / 8;
let remaining = buf.len().saturating_sub(expected);
Expand Down Expand Up @@ -1114,7 +1117,7 @@ where

fn shift_signed(mut v: u32, shift: i32, mut bits: u32) -> u32 {
const MUL_TABLE: [u32; 9] = [
0, /*Hello world*/
0, /*Hello world*/
0xff, /*0b11111111*/
0x55, /*0b01010101*/
0x49, /*0b01001001*/
Expand Down

0 comments on commit c3a3c5d

Please sign in to comment.