123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120 |
- // Copyright (c) 1992 - 1997 Microsoft Corporation. All Rights Reserved.
- #ifndef _CHECKBMI_H_
- #define _CHECKBMI_H_
- #ifdef __cplusplus
- extern "C" {
- #endif
- // Helper
- __inline BOOL MultiplyCheckOverflow(DWORD a, DWORD b, __deref_out_range(==, a * b) DWORD *pab) {
- *pab = a * b;
- if ((a == 0) || (((*pab) / a) == b)) {
- return TRUE;
- }
- return FALSE;
- }
- // Checks if the fields in a BITMAPINFOHEADER won't generate
- // overlows and buffer overruns
- // This is not a complete check and does not guarantee code using this structure will be secure
- // from attack
- // Bugs this is guarding against:
- // 1. Total structure size calculation overflowing
- // 2. biClrUsed > 256 for 8-bit palettized content
- // 3. Total bitmap size in bytes overflowing
- // 4. biSize < size of the base structure leading to accessessing random memory
- // 5. Total structure size exceeding know size of data
- //
- __success(return != 0) __inline BOOL ValidateBitmapInfoHeader(
- const BITMAPINFOHEADER *pbmi, // pointer to structure to check
- __out_range(>=, sizeof(BITMAPINFOHEADER)) DWORD cbSize // size of memory block containing structure
- )
- {
- DWORD dwWidthInBytes;
- DWORD dwBpp;
- DWORD dwWidthInBits;
- DWORD dwHeight;
- DWORD dwSizeImage;
- DWORD dwClrUsed;
- // Reject bad parameters - do the size check first to avoid reading bad memory
- if (cbSize < sizeof(BITMAPINFOHEADER) ||
- pbmi->biSize < sizeof(BITMAPINFOHEADER) ||
- pbmi->biSize > 4096) {
- return FALSE;
- }
- // Reject 0 size
- if (pbmi->biWidth == 0 || pbmi->biHeight == 0) {
- return FALSE;
- }
- // Use bpp of 200 for validating against further overflows if not set for compressed format
- dwBpp = 200;
- if (pbmi->biBitCount > dwBpp) {
- return FALSE;
- }
- // Strictly speaking abs can overflow so cast explicitly to DWORD
- dwHeight = (DWORD)abs(pbmi->biHeight);
- if (!MultiplyCheckOverflow(dwBpp, (DWORD)pbmi->biWidth, &dwWidthInBits)) {
- return FALSE;
- }
- // Compute correct width in bytes - rounding up to 4 bytes
- dwWidthInBytes = (dwWidthInBits / 8 + 3) & ~3;
- if (!MultiplyCheckOverflow(dwWidthInBytes, dwHeight, &dwSizeImage)) {
- return FALSE;
- }
- // Fail if total size is 0 - this catches indivual quantities being 0
- // Also don't allow huge values > 1GB which might cause arithmetic
- // errors for users
- if (dwSizeImage > 0x40000000 ||
- pbmi->biSizeImage > 0x40000000) {
- return FALSE;
- }
- // Fail if biClrUsed looks bad
- if (pbmi->biClrUsed > 256) {
- return FALSE;
- }
- if (pbmi->biClrUsed == 0 && pbmi->biBitCount <= 8 && pbmi->biBitCount > 0) {
- dwClrUsed = (1 << pbmi->biBitCount);
- } else {
- dwClrUsed = pbmi->biClrUsed;
- }
- // Check total size
- if (cbSize < pbmi->biSize + dwClrUsed * sizeof(RGBQUAD) +
- (pbmi->biCompression == BI_BITFIELDS ? 3 * sizeof(DWORD) : 0)) {
- return FALSE;
- }
- // If it is RGB validate biSizeImage - lots of code assumes the size is correct
- if (pbmi->biCompression == BI_RGB || pbmi->biCompression == BI_BITFIELDS) {
- if (pbmi->biSizeImage != 0) {
- DWORD dwBits = (DWORD)pbmi->biWidth * (DWORD)pbmi->biBitCount;
- DWORD dwWidthInBytes = ((DWORD)((dwBits+31) & (~31)) / 8);
- DWORD dwTotalSize = (DWORD)abs(pbmi->biHeight) * dwWidthInBytes;
- if (dwTotalSize > pbmi->biSizeImage) {
- return FALSE;
- }
- }
- }
- return TRUE;
- }
- #ifdef __cplusplus
- }
- #endif
- #endif // _CHECKBMI_H_
|