From 7b6990763f759f2de1902f8d22a22eb8e66797f7 Mon Sep 17 00:00:00 2001
From: Herbert Dürr <hdu@apache.org>
Date: Wed, 18 Jul 2012 08:40:50 +0000
Subject: #i120306# better input checks in WinSalBitmap::ImplCreateDIB()

Patch-by: hdu, orw
---
 vcl/win/source/gdi/salbmp.cxx | 76 ++++++++++++++++++++++++-------------------
 1 file changed, 43 insertions(+), 33 deletions(-)

(limited to 'vcl/win')

diff --git a/vcl/win/source/gdi/salbmp.cxx b/vcl/win/source/gdi/salbmp.cxx
index a5350ec955d5..add628e2e282 100644
--- a/vcl/win/source/gdi/salbmp.cxx
+++ b/vcl/win/source/gdi/salbmp.cxx
@@ -313,42 +313,52 @@ HGLOBAL WinSalBitmap::ImplCreateDIB( const Size& rSize, sal_uInt16 nBits, const
 
     HGLOBAL hDIB = 0;
 
-    if ( rSize.Width() && rSize.Height() )
+    if( rSize.Width() <= 0 || rSize.Height() <= 0 )
+        return hDIB;
+
+    // calculate bitmap size in Bytes
+    const sal_uLong nAlignedWidth4Bytes = AlignedWidth4Bytes( nBits * rSize.Width() );
+    const sal_uLong nImageSize = nAlignedWidth4Bytes * rSize.Height();
+    bool bOverflow = (nImageSize / nAlignedWidth4Bytes) != rSize.Height();
+    if( bOverflow )
+        return hDIB;
+
+    // allocate bitmap memory including header and palette
+    const sal_uInt16 nColors = (nBits <= 8) ? (1 << nBits) : 0;
+    const sal_uLong nHeaderSize = sizeof( BITMAPINFOHEADER ) + nColors * sizeof( RGBQUAD );
+    bOverflow = (nHeaderSize + nImageSize) < nImageSize;
+    if( bOverflow )
+        return hDIB;
+
+    hDIB = GlobalAlloc( GHND, nHeaderSize + nImageSize );
+    if( !hDIB )
+        return hDIB;
+
+    PBITMAPINFO pBI = static_cast<PBITMAPINFO>( GlobalLock( hDIB ) );
+    PBITMAPINFOHEADER pBIH = static_cast<PBITMAPINFOHEADER>( pBI );
+
+    pBIH->biSize = sizeof( BITMAPINFOHEADER );
+    pBIH->biWidth = rSize.Width();
+    pBIH->biHeight = rSize.Height();
+    pBIH->biPlanes = 1;
+    pBIH->biBitCount = nBits;
+    pBIH->biCompression = BI_RGB;
+    pBIH->biSizeImage = nImageSize;
+    pBIH->biXPelsPerMeter = 0;
+    pBIH->biYPelsPerMeter = 0;
+    pBIH->biClrUsed = 0;
+    pBIH->biClrImportant = 0;
+
+    if( nColors )
     {
-        const sal_uLong     nImageSize = AlignedWidth4Bytes( nBits * rSize.Width() ) * rSize.Height();
-        const sal_uInt16    nColors = ( nBits <= 8 ) ? ( 1 << nBits ) : 0;
-
-        hDIB = GlobalAlloc( GHND, sizeof( BITMAPINFOHEADER ) + nColors * sizeof( RGBQUAD ) + nImageSize );
-
-        if( hDIB )
-        {
-            PBITMAPINFO         pBI = (PBITMAPINFO) GlobalLock( hDIB );
-            PBITMAPINFOHEADER   pBIH = (PBITMAPINFOHEADER) pBI;
-
-            pBIH->biSize = sizeof( BITMAPINFOHEADER );
-            pBIH->biWidth = rSize.Width();
-            pBIH->biHeight = rSize.Height();
-            pBIH->biPlanes = 1;
-            pBIH->biBitCount = nBits;
-            pBIH->biCompression = BI_RGB;
-            pBIH->biSizeImage = nImageSize;
-            pBIH->biXPelsPerMeter = 0;
-            pBIH->biYPelsPerMeter = 0;
-            pBIH->biClrUsed = 0;
-            pBIH->biClrImportant = 0;
-
-            if ( nColors )
-            {
-                const sal_uInt16 nMinCount = Min( nColors, rPal.GetEntryCount() );
-
-                if( nMinCount )
-                    memcpy( pBI->bmiColors, rPal.ImplGetColorBuffer(), nMinCount * sizeof( RGBQUAD ) );
-            }
-
-            GlobalUnlock( hDIB );
-        }
+        // copy the palette entries if any
+        const sal_uInt16 nMinCount = Min( nColors, rPal.GetEntryCount() );
+        if( nMinCount )
+            memcpy( pBI->bmiColors, rPal.ImplGetColorBuffer(), nMinCount * sizeof(RGBQUAD) );
     }
 
+    GlobalUnlock( hDIB );
+
     return hDIB;
 }
 
-- 
cgit