RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 22:37:35 +00:00
Code Issues Activity Actions

LibGfx: Fix dynamic bitmasks in BMPs

Browse source 
I overlooked a corner case where we might call the built-in ctz() on zero.

Furthermore, the calculation of the shift was wrong and the results were often
unusable.

Both issue were caused by a forgotten 36daeee34f.
This time I made sure to look at bmpsuite_files first, and now they look good.

Found by OSS-Fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28985
This commit is contained in:
Ben Wiederhake 2021-01-30 01:24:41 +01:00 committed by Andreas Kling
parent 648f153951
commit 4332dfb964
2 changed files with 16 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

10
Userland/Libraries/LibGfx/BMPLoader.cpp
View file

@ -368,8 +368,14 @@ static void populate_dib_mask_info_if_needed(BMPLoadingContext& context)
continue;
}
int trailing_zeros = count_trailing_zeroes_32(mask);
int size = count_trailing_zeroes_32(~(mask >> trailing_zeros));
mask_shifts.append(trailing_zeros - 8);
// If mask is exactly `0xFFFFFFFF`, then we might try to count the trailing zeros of 0x00000000 here, so we need the safe version:
int size = count_trailing_zeroes_32_safe(~(mask >> trailing_zeros));
if (size > 8) {
// Drop lowest bits if mask is longer than 8 bits.
trailing_zeros += size - 8;
size = 8;
}
mask_shifts.append(size + trailing_zeros - 8);
mask_sizes.append(size);
}
}