Avoid out-of-bounds palette read in 8bpp BMP decoder (PR #26439)
MarkLee131
Fix #26438:
The non-RLE 8bpp branch at imagbmp.cpp:903, plus the RLE absolute and RLE encoded branches a few lines above, all index cmap[aByte] without checking aByte against the palette colour count. A BMP that pairs a small palette with a colour-index byte >= ncolors reads past the palette and the value flows into the decoded pixel.
Reject the file (return false) at each site, matching the surrounding "return false on malformed input" pattern.
You can view, comment on, or merge this pull request online at:
https://github.com/wxWidgets/wxWidgets/pull/26439
Commit Summary
- 2b43d38 Avoid out-of-bounds palette read in 8bpp BMP decoder
File Changes
(2 files)
- M src/common/imagbmp.cpp (6)
- M tests/image/image.cpp (20)
Patch Links:
- https://github.com/wxWidgets/wxWidgets/pull/26439.patch
- https://github.com/wxWidgets/wxWidgets/pull/26439.diff
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
You are receiving this because you are subscribed to this thread.
VZ
@vadz approved this pull request.
Thanks again for the PR and the detailed explanations, I'll merge this one soon!
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
You are receiving this because you are subscribed to this thread.
VZ
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
You are receiving this because you are subscribed to this thread.