author | Ben Wiederhake <BenWiederhake.GitHub@gmx.de> | 2020-12-01 19:37:56 +0100 |
---|---|---|
committer | Andreas Kling <kling@serenityos.org> | 2020-12-02 10:46:40 +0100 |
commit | 9ff001c4d320079d8316d536a82d7e1d3532d9d1 (patch) | |
tree | bcfdbe84a07ff7c263f9af6b0b5116c2dc5aa5c3 /Libraries/LibGfx | |
parent | d6c0776b45bb9b26d96405d8d404431f861f51b9 (diff) | |
LibGfx: Avoid ByteBuffer assertions for huge bitmaps
Diffstat (limited to 'Libraries/LibGfx')
-rw-r--r-- | Libraries/LibGfx/BMPLoader.cpp | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/Libraries/LibGfx/BMPLoader.cpp b/Libraries/LibGfx/BMPLoader.cpp
index 80cca5610d..e322a5e291 100644
--- a/Libraries/LibGfx/BMPLoader.cpp
+++ b/Libraries/LibGfx/BMPLoader.cpp
@@ -942,11 +942,20 @@ static bool uncompress_bmp_rle_data(BMPLoadingContext& context, ByteBuffer& buff
 auto currently_consuming = RLEState::PixelCount;
 i16 pixel_count = 0;
+ // ByteBuffer asserts that allocating the memory never fails.
+ // FIXME: ByteBuffer should return either RefPtr<> or Optional<>.
+ // Decoding the RLE data on-the-fly might actually be faster, and avoids this topic entirely.
+ u32 buffer_size;
 if (compression == Compression::RLE24) {
- buffer = ByteBuffer::create_zeroed(total_rows * round_up_to_power_of_two(total_columns, 4) * 4);
+ buffer_size = total_rows * round_up_to_power_of_two(total_columns, 4) * 4;
 } else {
- buffer = ByteBuffer::create_zeroed(total_rows * round_up_to_power_of_two(total_columns, 4));
+ buffer_size = total_rows * round_up_to_power_of_two(total_columns, 4);
 }
+ if (buffer_size > 300 * MiB) {
+ IF_BMP_DEBUG(dbg() << "Suspiciously large amount of RLE data");
+ return false;
+ }
+ buffer = ByteBuffer::create_zeroed(buffer_size);
 // Avoid as many if statements as possible by pulling out
 // compression-dependent actions into separate lambdas |
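Review bot: The product on the two `buffer_size =` lines is evaluated before the 300 MiB guard and, with `u32 buffer_size`, in 32-bit arithmetic, so a header with large dimensions can wrap the size to a small value, pass the check, and presumably leave the buffer smaller than the rest of the decoder sizes its writes against (total_rows and total_columns are declared outside the hunk; I am assuming they are 32-bit). Widen the intermediate instead: `u64 buffer_size;` and `buffer_size = static_cast<u64>(total_rows) * round_up_to_power_of_two(total_columns, 4) * 4;` (same cast on the non-RLE24 line); once the guard has passed the value fits a size_t, so `create_zeroed(buffer_size)` needs no further change. The bare `300 * MiB` would also read better as a named limit, e.g. `static constexpr u32 max_rle_buffer_size = 300 * MiB;` above the function. uncompress_bmp_rle_data continues outside the hunk.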