authorIdan Horowitz <idan.horowitz@gmail.com>2021-05-29 17:47:12 +0300
committerAli Mohammad Pur <Ali.mpfard@gmail.com>2021-05-29 21:46:16 +0430
commit7572a355fd4473b32545756e452bf01b0ecc6fd2 (patch)
tree2eb249efe279edbef7f5330ff8607d76a3b16ede /Userland/Libraries/LibGfx
parent4a2cb70e83068adb8ac657dec647dd3bd5514d56 (diff)
LibGfx: Reject ICOs with height == NumericLimits<i32>::min()
Bitmap files use negative height values to signify that the image should be rendered top-down, but if the height value equals the minimum value, negating it to get the actual height results in UB.
Diffstat (limited to 'Userland/Libraries/LibGfx')
-rw-r--r--Userland/Libraries/LibGfx/ICOLoader.cpp7
1 files changed, 7 insertions, 0 deletions
diff --git a/Userland/Libraries/LibGfx/ICOLoader.cpp b/Userland/Libraries/LibGfx/ICOLoader.cpp
index 4812f791a0..84bc199ab6 100644
--- a/Userland/Libraries/LibGfx/ICOLoader.cpp
+++ b/Userland/Libraries/LibGfx/ICOLoader.cpp
@@ -210,6 +210,13 @@ static bool load_ico_bmp(ICOLoadingContext& context, ICOImageDescriptor& desc)
printf("load_ico_bmp: width %d < 0\n", info.width);
return false;
}
+
+ if (info.height == NumericLimits<i32>::min()) {
+ if constexpr (ICO_DEBUG)
+ printf("load_ico_bmp: height == NumericLimits<i32>::min()\n");
+ return false;
+ }
+
bool topdown = false;
if (info.height < 0) {
topdown = true;
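Review bot: The new guard on `info.height == NumericLimits<i32>::min()` has no comment, so the reason this single value is rejected lives only in the commit message; a line above it such as `// -NumericLimits<i32>::min() is not representable in i32; negating it in the top-down branch below would be signed overflow (UB).` would stop it being removed later as redundant. The check excludes only the one value whose negation overflows, and load_ico_bmp starts before and continues past this hunk, so it is not visible here whether a zero height or a very large magnitude is bounded against the descriptor's dimensions before it is used for sizing or indexing; that is worth confirming. A small regression input carrying this height value in the ICO decoder's tests or fuzz corpus would pin the rejection.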