mirror of
https://gitlab.freedesktop.org/gstreamer/gstreamer.git
synced 2024-12-27 02:30:35 +00:00
42bdeaf52c
Original repo is here: https://github.com/microsoft/Windows-classic-samples Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/1577>
120 lines
3.7 KiB
C
120 lines
3.7 KiB
C
// Copyright (c) 1992 - 1997 Microsoft Corporation. All Rights Reserved.
|
|
|
|
#ifndef _CHECKBMI_H_
|
|
#define _CHECKBMI_H_
|
|
|
|
#ifdef __cplusplus
|
|
extern "C" {
|
|
#endif
|
|
|
|
// Helper
|
|
__inline BOOL MultiplyCheckOverflow(DWORD a, DWORD b, __deref_out_range(==, a * b) DWORD *pab) {
|
|
*pab = a * b;
|
|
if ((a == 0) || (((*pab) / a) == b)) {
|
|
return TRUE;
|
|
}
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
// Checks if the fields in a BITMAPINFOHEADER won't generate
|
|
// overlows and buffer overruns
|
|
// This is not a complete check and does not guarantee code using this structure will be secure
|
|
// from attack
|
|
// Bugs this is guarding against:
|
|
// 1. Total structure size calculation overflowing
|
|
// 2. biClrUsed > 256 for 8-bit palettized content
|
|
// 3. Total bitmap size in bytes overflowing
|
|
// 4. biSize < size of the base structure leading to accessessing random memory
|
|
// 5. Total structure size exceeding know size of data
|
|
//
|
|
|
|
__success(return != 0) __inline BOOL ValidateBitmapInfoHeader(
|
|
const BITMAPINFOHEADER *pbmi, // pointer to structure to check
|
|
__out_range(>=, sizeof(BITMAPINFOHEADER)) DWORD cbSize // size of memory block containing structure
|
|
)
|
|
{
|
|
DWORD dwWidthInBytes;
|
|
DWORD dwBpp;
|
|
DWORD dwWidthInBits;
|
|
DWORD dwHeight;
|
|
DWORD dwSizeImage;
|
|
DWORD dwClrUsed;
|
|
|
|
// Reject bad parameters - do the size check first to avoid reading bad memory
|
|
if (cbSize < sizeof(BITMAPINFOHEADER) ||
|
|
pbmi->biSize < sizeof(BITMAPINFOHEADER) ||
|
|
pbmi->biSize > 4096) {
|
|
return FALSE;
|
|
}
|
|
|
|
// Reject 0 size
|
|
if (pbmi->biWidth == 0 || pbmi->biHeight == 0) {
|
|
return FALSE;
|
|
}
|
|
|
|
// Use bpp of 200 for validating against further overflows if not set for compressed format
|
|
dwBpp = 200;
|
|
|
|
if (pbmi->biBitCount > dwBpp) {
|
|
return FALSE;
|
|
}
|
|
|
|
// Strictly speaking abs can overflow so cast explicitly to DWORD
|
|
dwHeight = (DWORD)abs(pbmi->biHeight);
|
|
|
|
if (!MultiplyCheckOverflow(dwBpp, (DWORD)pbmi->biWidth, &dwWidthInBits)) {
|
|
return FALSE;
|
|
}
|
|
|
|
// Compute correct width in bytes - rounding up to 4 bytes
|
|
dwWidthInBytes = (dwWidthInBits / 8 + 3) & ~3;
|
|
|
|
if (!MultiplyCheckOverflow(dwWidthInBytes, dwHeight, &dwSizeImage)) {
|
|
return FALSE;
|
|
}
|
|
|
|
// Fail if total size is 0 - this catches indivual quantities being 0
|
|
// Also don't allow huge values > 1GB which might cause arithmetic
|
|
// errors for users
|
|
if (dwSizeImage > 0x40000000 ||
|
|
pbmi->biSizeImage > 0x40000000) {
|
|
return FALSE;
|
|
}
|
|
|
|
// Fail if biClrUsed looks bad
|
|
if (pbmi->biClrUsed > 256) {
|
|
return FALSE;
|
|
}
|
|
|
|
if (pbmi->biClrUsed == 0 && pbmi->biBitCount <= 8 && pbmi->biBitCount > 0) {
|
|
dwClrUsed = (1 << pbmi->biBitCount);
|
|
} else {
|
|
dwClrUsed = pbmi->biClrUsed;
|
|
}
|
|
|
|
// Check total size
|
|
if (cbSize < pbmi->biSize + dwClrUsed * sizeof(RGBQUAD) +
|
|
(pbmi->biCompression == BI_BITFIELDS ? 3 * sizeof(DWORD) : 0)) {
|
|
return FALSE;
|
|
}
|
|
|
|
// If it is RGB validate biSizeImage - lots of code assumes the size is correct
|
|
if (pbmi->biCompression == BI_RGB || pbmi->biCompression == BI_BITFIELDS) {
|
|
if (pbmi->biSizeImage != 0) {
|
|
DWORD dwBits = (DWORD)pbmi->biWidth * (DWORD)pbmi->biBitCount;
|
|
DWORD dwWidthInBytes = ((DWORD)((dwBits+31) & (~31)) / 8);
|
|
DWORD dwTotalSize = (DWORD)abs(pbmi->biHeight) * dwWidthInBytes;
|
|
if (dwTotalSize > pbmi->biSizeImage) {
|
|
return FALSE;
|
|
}
|
|
}
|
|
}
|
|
return TRUE;
|
|
}
|
|
|
|
#ifdef __cplusplus
|
|
}
|
|
#endif
|
|
|
|
#endif // _CHECKBMI_H_
|