diff options
author | Ben Wiederhake <BenWiederhake.GitHub@gmx.de> | 2021-01-30 01:24:41 +0100 |
---|---|---|
committer | Andreas Kling <kling@serenityos.org> | 2021-01-30 09:23:18 +0100 |
commit | 4332dfb9640f28ef7daafe340b061d2586d2fc28 (patch) | |
tree | d97d1f41eab9dbc2f01274046138a00d616ec5d7 /Userland/Libraries/LibGfx/BMPLoader.cpp | |
parent | 648f15395117a6a531415008e38e64e8ca90c837 (diff) | |
download | serenity-4332dfb9640f28ef7daafe340b061d2586d2fc28.zip |
LibGfx: Fix dynamic bitmasks in BMPs
I overlooked a corner case where we might call the built-in ctz() on zero.
Furthermore, the calculation of the shift was wrong and the results were often
unusable.
Both issue were caused by a forgotten 36daeee34ff04f64c933e94a9cdffe9080061fb0.
This time I made sure to look at bmpsuite_files first, and now they look good.
Found by OSS-Fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28985
Diffstat (limited to 'Userland/Libraries/LibGfx/BMPLoader.cpp')
-rw-r--r-- | Userland/Libraries/LibGfx/BMPLoader.cpp | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/Userland/Libraries/LibGfx/BMPLoader.cpp b/Userland/Libraries/LibGfx/BMPLoader.cpp index 7954142800..4ab139eff2 100644 --- a/Userland/Libraries/LibGfx/BMPLoader.cpp +++ b/Userland/Libraries/LibGfx/BMPLoader.cpp @@ -368,8 +368,14 @@ static void populate_dib_mask_info_if_needed(BMPLoadingContext& context) continue; } int trailing_zeros = count_trailing_zeroes_32(mask); - int size = count_trailing_zeroes_32(~(mask >> trailing_zeros)); - mask_shifts.append(trailing_zeros - 8); + // If mask is exactly `0xFFFFFFFF`, then we might try to count the trailing zeros of 0x00000000 here, so we need the safe version: + int size = count_trailing_zeroes_32_safe(~(mask >> trailing_zeros)); + if (size > 8) { + // Drop lowest bits if mask is longer than 8 bits. + trailing_zeros += size - 8; + size = 8; + } + mask_shifts.append(size + trailing_zeros - 8); mask_sizes.append(size); } } |