// Copyright (c) 1992 - 1997 Microsoft Corporation. All Rights Reserved. | |
#ifndef _CHECKBMI_H_ | |
#define _CHECKBMI_H_ | |
#ifdef __cplusplus | |
extern "C" { | |
#endif | |
// Helper | |
__inline BOOL MultiplyCheckOverflow(DWORD a, DWORD b, __deref_out_range(==, a * b) DWORD *pab) { | |
*pab = a * b; | |
if ((a == 0) || (((*pab) / a) == b)) { | |
return TRUE; | |
} | |
return FALSE; | |
} | |
// Checks if the fields in a BITMAPINFOHEADER won't generate | |
// overlows and buffer overruns | |
// This is not a complete check and does not guarantee code using this structure will be secure | |
// from attack | |
// Bugs this is guarding against: | |
// 1. Total structure size calculation overflowing | |
// 2. biClrUsed > 256 for 8-bit palettized content | |
// 3. Total bitmap size in bytes overflowing | |
// 4. biSize < size of the base structure leading to accessessing random memory | |
// 5. Total structure size exceeding know size of data | |
// | |
__success(return != 0) __inline BOOL ValidateBitmapInfoHeader( | |
const BITMAPINFOHEADER *pbmi, // pointer to structure to check | |
__out_range(>=, sizeof(BITMAPINFOHEADER)) DWORD cbSize // size of memory block containing structure | |
) | |
{ | |
DWORD dwWidthInBytes; | |
DWORD dwBpp; | |
DWORD dwWidthInBits; | |
DWORD dwHeight; | |
DWORD dwSizeImage; | |
DWORD dwClrUsed; | |
// Reject bad parameters - do the size check first to avoid reading bad memory | |
if (cbSize < sizeof(BITMAPINFOHEADER) || | |
pbmi->biSize < sizeof(BITMAPINFOHEADER) || | |
pbmi->biSize > 4096) { | |
return FALSE; | |
} | |
// Reject 0 size | |
if (pbmi->biWidth == 0 || pbmi->biHeight == 0) { | |
return FALSE; | |
} | |
// Use bpp of 200 for validating against further overflows if not set for compressed format | |
dwBpp = 200; | |
if (pbmi->biBitCount > dwBpp) { | |
return FALSE; | |
} | |
// Strictly speaking abs can overflow so cast explicitly to DWORD | |
dwHeight = (DWORD)abs(pbmi->biHeight); | |
if (!MultiplyCheckOverflow(dwBpp, (DWORD)pbmi->biWidth, &dwWidthInBits)) { | |
return FALSE; | |
} | |
// Compute correct width in bytes - rounding up to 4 bytes | |
dwWidthInBytes = (dwWidthInBits / 8 + 3) & ~3; | |
if (!MultiplyCheckOverflow(dwWidthInBytes, dwHeight, &dwSizeImage)) { | |
return FALSE; | |
} | |
// Fail if total size is 0 - this catches indivual quantities being 0 | |
// Also don't allow huge values > 1GB which might cause arithmetic | |
// errors for users | |
if (dwSizeImage > 0x40000000 || | |
pbmi->biSizeImage > 0x40000000) { | |
return FALSE; | |
} | |
// Fail if biClrUsed looks bad | |
if (pbmi->biClrUsed > 256) { | |
return FALSE; | |
} | |
if (pbmi->biClrUsed == 0 && pbmi->biBitCount <= 8 && pbmi->biBitCount > 0) { | |
dwClrUsed = (1 << pbmi->biBitCount); | |
} else { | |
dwClrUsed = pbmi->biClrUsed; | |
} | |
// Check total size | |
if (cbSize < pbmi->biSize + dwClrUsed * sizeof(RGBQUAD) + | |
(pbmi->biCompression == BI_BITFIELDS ? 3 * sizeof(DWORD) : 0)) { | |
return FALSE; | |
} | |
// If it is RGB validate biSizeImage - lots of code assumes the size is correct | |
if (pbmi->biCompression == BI_RGB || pbmi->biCompression == BI_BITFIELDS) { | |
if (pbmi->biSizeImage != 0) { | |
DWORD dwBits = (DWORD)pbmi->biWidth * (DWORD)pbmi->biBitCount; | |
DWORD dwWidthInBytes = ((DWORD)((dwBits+31) & (~31)) / 8); | |
DWORD dwTotalSize = (DWORD)abs(pbmi->biHeight) * dwWidthInBytes; | |
if (dwTotalSize > pbmi->biSizeImage) { | |
return FALSE; | |
} | |
} | |
} | |
return TRUE; | |
} | |
#ifdef __cplusplus | |
} | |
#endif | |
#endif // _CHECKBMI_H_ |