Attachment #477748 for bug #611390

Lines 330-339 static void DecodeHeader(guchar *Data, gint Bytes, Link Here

(-)a/gdk-pixbuf/io-ico.c (-4 / +5 lines)
330	return;	330	return;
331	}	331	}
332		332
333	/* We know how many bytes are in the "header" part. */	333	/* Avoid invoking undefined behavior in the State->HeaderSize calculation below */
334	State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;	334	if (entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE) {
335
336	if (State->HeaderSize < 0) {
337	g_set_error (error,	335	g_set_error (error,
338	GDK_PIXBUF_ERROR,	336	GDK_PIXBUF_ERROR,
339	GDK_PIXBUF_ERROR_CORRUPT_IMAGE,	337	GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
Lines 341-346 static void DecodeHeader(guchar *Data, gint Bytes, Link Here
341	return;	339	return;
342	}	340	}
343		341
		342	/* We know how many bytes are in the "header" part. */
		343	State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;
		344
344	if (State->HeaderSize>State->BytesInHeaderBuf) {	345	if (State->HeaderSize>State->BytesInHeaderBuf) {
345	guchar *tmp=g_try_realloc(State->HeaderBuf,State->HeaderSize);	346	guchar *tmp=g_try_realloc(State->HeaderBuf,State->HeaderSize);
346	if (!tmp) {	347	if (!tmp) {

Return to bug 611390