-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcheckbmi.h
120 lines (99 loc) · 3.57 KB
/
checkbmi.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
// Copyright (c) 1992 - 1997 Microsoft Corporation. All Rights Reserved.
#ifndef _CHECKBMI_H_
#define _CHECKBMI_H_
#ifdef __cplusplus
extern "C" {
#endif
// Helper
__inline BOOL MultiplyCheckOverflow(DWORD a, DWORD b, __deref_out_range(==, a * b) DWORD *pab) {
*pab = a * b;
if ((a == 0) || (((*pab) / a) == b)) {
return TRUE;
}
return FALSE;
}
// Checks if the fields in a BITMAPINFOHEADER won't generate
// overlows and buffer overruns
// This is not a complete check and does not guarantee code using this structure will be secure
// from attack
// Bugs this is guarding against:
// 1. Total structure size calculation overflowing
// 2. biClrUsed > 256 for 8-bit palettized content
// 3. Total bitmap size in bytes overflowing
// 4. biSize < size of the base structure leading to accessessing random memory
// 5. Total structure size exceeding know size of data
//
__success(return != 0) __inline BOOL ValidateBitmapInfoHeader(
const BITMAPINFOHEADER *pbmi, // pointer to structure to check
__out_range(>=, sizeof(BITMAPINFOHEADER)) DWORD cbSize // size of memory block containing structure
)
{
DWORD dwWidthInBytes;
DWORD dwBpp;
DWORD dwWidthInBits;
DWORD dwHeight;
DWORD dwSizeImage;
DWORD dwClrUsed;
// Reject bad parameters - do the size check first to avoid reading bad memory
if (cbSize < sizeof(BITMAPINFOHEADER) ||
pbmi->biSize < sizeof(BITMAPINFOHEADER) ||
pbmi->biSize > 4096) {
return FALSE;
}
// Reject 0 size
if (pbmi->biWidth == 0 || pbmi->biHeight == 0) {
return FALSE;
}
// Use bpp of 200 for validating against further overflows if not set for compressed format
dwBpp = 200;
if (pbmi->biBitCount > dwBpp) {
return FALSE;
}
// Strictly speaking abs can overflow so cast explicitly to DWORD
dwHeight = (DWORD)abs(pbmi->biHeight);
if (!MultiplyCheckOverflow(dwBpp, (DWORD)pbmi->biWidth, &dwWidthInBits)) {
return FALSE;
}
// Compute correct width in bytes - rounding up to 4 bytes
dwWidthInBytes = (dwWidthInBits / 8 + 3) & ~3;
if (!MultiplyCheckOverflow(dwWidthInBytes, dwHeight, &dwSizeImage)) {
return FALSE;
}
// Fail if total size is 0 - this catches indivual quantities being 0
// Also don't allow huge values > 1GB which might cause arithmetic
// errors for users
if (dwSizeImage > 0x40000000 ||
pbmi->biSizeImage > 0x40000000) {
return FALSE;
}
// Fail if biClrUsed looks bad
if (pbmi->biClrUsed > 256) {
return FALSE;
}
if (pbmi->biClrUsed == 0 && pbmi->biBitCount <= 8 && pbmi->biBitCount > 0) {
dwClrUsed = (1 << pbmi->biBitCount);
} else {
dwClrUsed = pbmi->biClrUsed;
}
// Check total size
if (cbSize < pbmi->biSize + dwClrUsed * sizeof(RGBQUAD) +
(pbmi->biCompression == BI_BITFIELDS ? 3 * sizeof(DWORD) : 0)) {
return FALSE;
}
// If it is RGB validate biSizeImage - lots of code assumes the size is correct
if (pbmi->biCompression == BI_RGB || pbmi->biCompression == BI_BITFIELDS) {
if (pbmi->biSizeImage != 0) {
DWORD dwBits = (DWORD)pbmi->biWidth * (DWORD)pbmi->biBitCount;
DWORD dwWidthInBytes = ((DWORD)((dwBits+31) & (~31)) / 8);
DWORD dwTotalSize = (DWORD)abs(pbmi->biHeight) * dwWidthInBytes;
if (dwTotalSize > pbmi->biSizeImage) {
return FALSE;
}
}
}
return TRUE;
}
#ifdef __cplusplus
}
#endif
#endif // _CHECKBMI_H_