archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 9769ad7c3d
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '9769ad7c3d'
${ noResults }
windows-xp/Source/XPSP1/NT/multimedia/dshow/h/checkbmi.h

100 lines
2.7 KiB
Raw Normal View History

Add source files
4 years ago
  1. // Copyright (c) 1992 - 1997 Microsoft Corporation. All Rights Reserved.
  3. #ifndef _CHECKBMI_H_
  4. #define _CHECKBMI_H_
  6. #ifdef __cplusplus
  7. extern "C" {
  8. #endif
  10. // Helper
  11. inline BOOL MultiplyCheckOverflow(DWORD a, DWORD b, DWORD *pab) {
  12. *pab = a * b;
  13. if ((a == 0) || (((*pab) / a) == b)) {
  14. return TRUE;
  15. }
  16. return FALSE;
  17. }
  20. // Checks if the fields in a BITMAPINFOHEADER won't generate
  21. // overlows and buffer overruns
  22. // This is not a complete check and does not guarantee code using this structure will be secure
  23. // from attack
  24. // Bugs this is guarding against:
  25. // 1. Total structure size calculation overflowing
  26. // 2. biClrUsed > 256 for 8-bit palettized content
  27. // 3. Total bitmap size in bytes overflowing
  28. // 4. biSize < size of the base structure leading to accessessing random memory
  29. // 5. Total structure size exceeding know size of data
  30. //
  32. inline BOOL ValidateBitmapInfoHeader(
  33. const BITMAPINFOHEADER *pbmi, // pointer to structure to check
  34. DWORD cbSize // size of memory block containing structure
  35. )
  36. {
  37. DWORD dwWidthInBytes;
  38. DWORD dwBpp;
  39. DWORD dwWidthInBits;
  40. DWORD dwHeight;
  41. DWORD dwSizeImage;
  42. DWORD dwClrUsed;
  44. // Reject bad parameters - do the size check first to avoid reading bad memory
  45. if (cbSize < sizeof(BITMAPINFOHEADER) ||
  46. pbmi->biSize < sizeof(BITMAPINFOHEADER) ||
  47. pbmi->biSize > 4096) {
  48. return FALSE;
  49. }
  51. // Use bpp of 32 for validating against further overflows if not set for compressed format
  52. dwBpp = 32;
  54. // Strictly speaking abs can overflow so cast explicitly to DWORD
  55. dwHeight = (DWORD)abs(pbmi->biHeight);
  57. if (!MultiplyCheckOverflow(dwBpp, (DWORD)pbmi->biWidth, &dwWidthInBits)) {
  58. return FALSE;
  59. }
  61. // Compute correct width in bytes - rounding up to 4 bytes
  62. dwWidthInBytes = (dwWidthInBits / 8 + 3) & ~3;
  64. if (!MultiplyCheckOverflow(dwWidthInBytes, dwHeight, &dwSizeImage)) {
  65. return FALSE;
  66. }
  68. // Fail if total size is 0 - this catches indivual quantities being 0
  69. // Also don't allow huge values > 1GB which might cause arithmetic
  70. // errors for users
  71. if (dwSizeImage > 0x40000000 ||
  72. pbmi->biSizeImage > 0x40000000) {
  73. return FALSE;
  74. }
  76. // Fail if biClrUsed looks bad
  77. if (pbmi->biClrUsed > 256) {
  78. return FALSE;
  79. }
  81. if (pbmi->biClrUsed == 0 && dwBpp <= 8) {
  82. dwClrUsed = (1 << dwBpp);
  83. } else {
  84. dwClrUsed = pbmi->biClrUsed;
  85. }
  87. // Check total size
  88. if (cbSize < pbmi->biSize + dwClrUsed * sizeof(RGBQUAD) +
  89. (pbmi->biCompression == BI_BITFIELDS ? 3 * sizeof(DWORD) : 0)) {
  90. return FALSE;
  91. }
  93. return TRUE;
  94. }
  96. #ifdef __cplusplus
  97. }
  98. #endif
  100. #endif // _CHECKBMI_H_