blob: 72879679c1f5794baef183674a479eae0dfc1690 [file] [log] [blame]
// Copyright (c) 1992 - 1997 Microsoft Corporation. All Rights Reserved.
#ifndef _CHECKBMI_H_
#define _CHECKBMI_H_
#ifdef __cplusplus
extern "C" {
#endif
// Helper
__inline BOOL MultiplyCheckOverflow(DWORD a, DWORD b, __deref_out_range(==, a * b) DWORD *pab) {
*pab = a * b;
if ((a == 0) || (((*pab) / a) == b)) {
return TRUE;
}
return FALSE;
}
// Checks if the fields in a BITMAPINFOHEADER won't generate
// overlows and buffer overruns
// This is not a complete check and does not guarantee code using this structure will be secure
// from attack
// Bugs this is guarding against:
// 1. Total structure size calculation overflowing
// 2. biClrUsed > 256 for 8-bit palettized content
// 3. Total bitmap size in bytes overflowing
// 4. biSize < size of the base structure leading to accessessing random memory
// 5. Total structure size exceeding know size of data
//
__success(return != 0) __inline BOOL ValidateBitmapInfoHeader(
const BITMAPINFOHEADER *pbmi, // pointer to structure to check
__out_range(>=, sizeof(BITMAPINFOHEADER)) DWORD cbSize // size of memory block containing structure
)
{
DWORD dwWidthInBytes;
DWORD dwBpp;
DWORD dwWidthInBits;
DWORD dwHeight;
DWORD dwSizeImage;
DWORD dwClrUsed;
// Reject bad parameters - do the size check first to avoid reading bad memory
if (cbSize < sizeof(BITMAPINFOHEADER) ||
pbmi->biSize < sizeof(BITMAPINFOHEADER) ||
pbmi->biSize > 4096) {
return FALSE;
}
// Reject 0 size
if (pbmi->biWidth == 0 || pbmi->biHeight == 0) {
return FALSE;
}
// Use bpp of 200 for validating against further overflows if not set for compressed format
dwBpp = 200;
if (pbmi->biBitCount > dwBpp) {
return FALSE;
}
// Strictly speaking abs can overflow so cast explicitly to DWORD
dwHeight = (DWORD)abs(pbmi->biHeight);
if (!MultiplyCheckOverflow(dwBpp, (DWORD)pbmi->biWidth, &dwWidthInBits)) {
return FALSE;
}
// Compute correct width in bytes - rounding up to 4 bytes
dwWidthInBytes = (dwWidthInBits / 8 + 3) & ~3;
if (!MultiplyCheckOverflow(dwWidthInBytes, dwHeight, &dwSizeImage)) {
return FALSE;
}
// Fail if total size is 0 - this catches indivual quantities being 0
// Also don't allow huge values > 1GB which might cause arithmetic
// errors for users
if (dwSizeImage > 0x40000000 ||
pbmi->biSizeImage > 0x40000000) {
return FALSE;
}
// Fail if biClrUsed looks bad
if (pbmi->biClrUsed > 256) {
return FALSE;
}
if (pbmi->biClrUsed == 0 && pbmi->biBitCount <= 8 && pbmi->biBitCount > 0) {
dwClrUsed = (1 << pbmi->biBitCount);
} else {
dwClrUsed = pbmi->biClrUsed;
}
// Check total size
if (cbSize < pbmi->biSize + dwClrUsed * sizeof(RGBQUAD) +
(pbmi->biCompression == BI_BITFIELDS ? 3 * sizeof(DWORD) : 0)) {
return FALSE;
}
// If it is RGB validate biSizeImage - lots of code assumes the size is correct
if (pbmi->biCompression == BI_RGB || pbmi->biCompression == BI_BITFIELDS) {
if (pbmi->biSizeImage != 0) {
DWORD dwBits = (DWORD)pbmi->biWidth * (DWORD)pbmi->biBitCount;
DWORD dwWidthInBytes = ((DWORD)((dwBits+31) & (~31)) / 8);
DWORD dwTotalSize = (DWORD)abs(pbmi->biHeight) * dwWidthInBytes;
if (dwTotalSize > pbmi->biSizeImage) {
return FALSE;
}
}
}
return TRUE;
}
#ifdef __cplusplus
}
#endif
#endif // _CHECKBMI_H_