checkbmi.h

Go to the documentation of this file.

//  Copyright (c) 1992 - 1997  Microsoft Corporation.  All Rights Reserved.
 
#ifndef _CHECKBMI_H_
#define _CHECKBMI_H_
 
#ifdef __cplusplus
extern "C" {
#endif
 
//  Helper
__inline BOOL MultiplyCheckOverflow(DWORD a, DWORD b, __deref_out_range(==, a * b) DWORD *pab) {
    *pab = a * b;
    if ((a == 0) || (((*pab) / a) == b)) {
        return TRUE;
    }
    return FALSE;
}
 
 
//  Checks if the fields in a BITMAPINFOHEADER won't generate
//  overlows and buffer overruns
//  This is not a complete check and does not guarantee code using this structure will be secure
//  from attack
//  Bugs this is guarding against:
//        1.  Total structure size calculation overflowing
//        2.  biClrUsed > 256 for 8-bit palettized content
//        3.  Total bitmap size in bytes overflowing
//        4.  biSize < size of the base structure leading to accessessing random memory
//        5.  Total structure size exceeding know size of data
//
 
__success(return != 0) __inline BOOL ValidateBitmapInfoHeader(
    const BITMAPINFOHEADER *pbmi,   // pointer to structure to check
    __out_range(>=, sizeof(BITMAPINFOHEADER)) DWORD cbSize     // size of memory block containing structure
)
{
    DWORD dwWidthInBytes;
    DWORD dwBpp;
    DWORD dwWidthInBits;
    DWORD dwHeight;
    DWORD dwSizeImage;
    DWORD dwClrUsed;
 
    // Reject bad parameters - do the size check first to avoid reading bad memory
    if (cbSize < sizeof(BITMAPINFOHEADER) ||
        pbmi->biSize < sizeof(BITMAPINFOHEADER) ||
        pbmi->biSize > 4096) {
        return FALSE;
    }
 
    //  Reject 0 size
    if (pbmi->biWidth == 0 || pbmi->biHeight == 0) {
        return FALSE;
    }
 
    // Use bpp of 200 for validating against further overflows if not set for compressed format
    dwBpp = 200;
 
    if (pbmi->biBitCount > dwBpp) {
        return FALSE;
    }
 
    // Strictly speaking abs can overflow so cast explicitly to DWORD
    dwHeight = (DWORD)abs(pbmi->biHeight);
 
    if (!MultiplyCheckOverflow(dwBpp, (DWORD)pbmi->biWidth, &dwWidthInBits)) {
        return FALSE;
    }
 
    //  Compute correct width in bytes - rounding up to 4 bytes
    dwWidthInBytes = (dwWidthInBits / 8 + 3) & ~3;
 
    if (!MultiplyCheckOverflow(dwWidthInBytes, dwHeight, &dwSizeImage)) {
        return FALSE;
    }
 
    // Fail if total size is 0 - this catches indivual quantities being 0
    // Also don't allow huge values > 1GB which might cause arithmetic
    // errors for users
    if (dwSizeImage > 0x40000000 ||
        pbmi->biSizeImage > 0x40000000) {
        return FALSE;
    }
 
    //  Fail if biClrUsed looks bad
    if (pbmi->biClrUsed > 256) {
        return FALSE;
    }
 
    if (pbmi->biClrUsed == 0 && pbmi->biBitCount <= 8 && pbmi->biBitCount > 0) {
        dwClrUsed = (1 << pbmi->biBitCount);
    } else {
        dwClrUsed = pbmi->biClrUsed;
    }
 
    //  Check total size
    if (cbSize < pbmi->biSize + dwClrUsed * sizeof(RGBQUAD) +
                 (pbmi->biCompression == BI_BITFIELDS ? 3 * sizeof(DWORD) : 0)) {
        return FALSE;
    }
 
    //  If it is RGB validate biSizeImage - lots of code assumes the size is correct
    if (pbmi->biCompression == BI_RGB || pbmi->biCompression == BI_BITFIELDS) {
        if (pbmi->biSizeImage != 0) {
            DWORD dwBits = (DWORD)pbmi->biWidth * (DWORD)pbmi->biBitCount;
            DWORD dwWidthInBytes = ((DWORD)((dwBits+31) & (~31)) / 8);
            DWORD dwTotalSize = (DWORD)abs(pbmi->biHeight) * dwWidthInBytes;
            if (dwTotalSize > pbmi->biSizeImage) {
                return FALSE;
            }
        }
    }
    return TRUE;
}
 
#ifdef __cplusplus
}
#endif
 
#endif // _CHECKBMI_H_