From 768915bbcdf04bb42744328dc3e6c102afe53eb6 Mon Sep 17 00:00:00 2001
From: Ben Wiederhake
Date: Sat, 20 Nov 2021 16:17:06 +0100
Subject: [PATCH] LibGUI: Make clipboard bitmap parsing more robust
In particular, malicious programs used to be able to set arbitrary values as "format", which could cause UB (most likely a crash). Furthermore, we do not transmit palette data, so an application sending an indexed bitmap cannot possibly expect the other side to receive a useful image. Therefore, we refuse to build a bitmap.
---
Userland/Libraries/LibGUI/Clipboard.cpp | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/Userland/Libraries/LibGUI/Clipboard.cpp b/Userland/Libraries/LibGUI/Clipboard.cpp
index ff1f5e5e0f..a374319566 100644
--- a/Userland/Libraries/LibGUI/Clipboard.cpp
+++ b/Userland/Libraries/LibGUI/Clipboard.cpp
@@ -89,9 +89,17 @@ RefPtr Clipboard::DataAndType::as_bitmap() const
 if (!format.has_value() || format.value() == 0)
 return nullptr;
+ if (!Gfx::is_valid_bitmap_format(format.value()))
+ return nullptr;
+ auto bitmap_format = (Gfx::BitmapFormat)format.value();
+ // We cannot handle indexed bitmaps, as the palette would be lost.
+ // Thankfully, everything that copies bitmaps also transforms them to RGB beforehand.
+ if (Gfx::determine_storage_format(bitmap_format) == Gfx::StorageFormat::Indexed8)
+ return nullptr;
+ // We won't actually write to the clipping_bitmap, so casting away the const is okay.
 auto clipping_data = const_cast(data.data());
- auto clipping_bitmap_or_error = Gfx::Bitmap::try_create_wrapper((Gfx::BitmapFormat)format.value(), { (int)width.value(), (int)height.value() }, scale.value(), pitch.value(), clipping_data);
+ auto clipping_bitmap_or_error = Gfx::Bitmap::try_create_wrapper(bitmap_format, { (int)width.value(), (int)height.value() }, scale.value(), pitch.value(), clipping_data);
 if (clipping_bitmap_or_error.is_error())
 return nullptr;
 auto clipping_bitmap = clipping_bitmap_or_error.release_value_but_fixme_should_propagate_errors();
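Review bot: The call to `Gfx::Bitmap::try_create_wrapper` still passes `width`, `height`, `scale` and `pitch` from the clipboard metadata with no visible comparison against the length of `data`, so a sender that declares a larger image than it supplies could leave later readers of the wrapper reading past the buffer. The new format checks do not cover this. Unless `try_create_wrapper` or the part of `as_bitmap()` above the hunk already bounds it, add a guard before the wrapper call, along the lines of `if (data.size() < required_size) return nullptr;`, where `required_size` is derived from the pitch and the physical height (height times scale) with overflow-checked arithmetic; this assumes `data` exposes its length. The `(int)width.value()` and `(int)height.value()` casts deserve the same attention, since a value outside the `int` range would be reinterpreted here rather than rejected. The function starts and ends outside the hunk, so the earlier parsing of these fields is not visible.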