summaryrefslogtreecommitdiff
path: root/Userland/Libraries/LibGfx/BMPLoader.cpp
diff options
context:
space:
mode:
authorBen Wiederhake <BenWiederhake.GitHub@gmx.de>2021-01-30 01:24:41 +0100
committerAndreas Kling <kling@serenityos.org>2021-01-30 09:23:18 +0100
commit4332dfb9640f28ef7daafe340b061d2586d2fc28 (patch)
treed97d1f41eab9dbc2f01274046138a00d616ec5d7 /Userland/Libraries/LibGfx/BMPLoader.cpp
parent648f15395117a6a531415008e38e64e8ca90c837 (diff)
downloadserenity-4332dfb9640f28ef7daafe340b061d2586d2fc28.zip
LibGfx: Fix dynamic bitmasks in BMPs
I overlooked a corner case where we might call the built-in ctz() on zero. Furthermore, the calculation of the shift was wrong and the results were often unusable. Both issue were caused by a forgotten 36daeee34ff04f64c933e94a9cdffe9080061fb0. This time I made sure to look at bmpsuite_files first, and now they look good. Found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28985
Diffstat (limited to 'Userland/Libraries/LibGfx/BMPLoader.cpp')
-rw-r--r--Userland/Libraries/LibGfx/BMPLoader.cpp10
1 files changed, 8 insertions, 2 deletions
diff --git a/Userland/Libraries/LibGfx/BMPLoader.cpp b/Userland/Libraries/LibGfx/BMPLoader.cpp
index 7954142800..4ab139eff2 100644
--- a/Userland/Libraries/LibGfx/BMPLoader.cpp
+++ b/Userland/Libraries/LibGfx/BMPLoader.cpp
@@ -368,8 +368,14 @@ static void populate_dib_mask_info_if_needed(BMPLoadingContext& context)
continue;
}
int trailing_zeros = count_trailing_zeroes_32(mask);
- int size = count_trailing_zeroes_32(~(mask >> trailing_zeros));
- mask_shifts.append(trailing_zeros - 8);
+ // If mask is exactly `0xFFFFFFFF`, then we might try to count the trailing zeros of 0x00000000 here, so we need the safe version:
+ int size = count_trailing_zeroes_32_safe(~(mask >> trailing_zeros));
+ if (size > 8) {
+ // Drop lowest bits if mask is longer than 8 bits.
+ trailing_zeros += size - 8;
+ size = 8;
+ }
+ mask_shifts.append(size + trailing_zeros - 8);
mask_sizes.append(size);
}
}