Added basic BMP detection & extraction #822

Open · wants to merge 3 commits into base: master

@0xda568 0xda568 commented Feb 2, 2025

This pull request adds basic support for detecting and extracting BMP (Bitmap) images as specified here:
https://learn.microsoft.com/en-us/windows/win32/gdi/bitmap-header-types

It supports bitmaps with the following DIB headers:

  • BITMAPCOREHEADER
  • BITMAPINFOHEADER
  • BITMAPV4HEADER
  • BITMAPV5HEADER

The magic value of bitmaps is "BM", so parsing and validation get triggered quite often. To prevent a major performance impact, I tried to keep the validation as simple as possible:

  1. The first header is used to perform boundary checks, which are the majority of the validation.

  2. The size of the second header, which can be, if valid, one of the DIB headers above, is then checked. This is the recommended way of determining the type of the header, as mentioned in the Microsoft documentation:

"The number of bytes required by the structure. Applications should use this member to determine which bitmap information header structure is being used."

Testing

To test it, I used a Lenovo BIOS image from a project I am working on which contains bitmaps and a lot of occurrences of "BM". I trimmed the image down to the part that contains the bitmaps and added it as a unit test:

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
DECIMAL                            HEXADECIMAL                        DESCRIPTION
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
5753556                            0x57CAD4                           BMP image, total size: 270056
6093612                            0x5CFB2C                           BMP image, total size: 33236
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

As a false positive, I modified the BIOS image so that the DIB header has an invalid size:

Valid bitmap with 40 (0x28) byte DIB header:
image

Invalid bitmap with 0x42 byte DIB header:
image

The invalid image did not get detected:

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
DECIMAL                            HEXADECIMAL                        DESCRIPTION
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
5753556                            0x57CAD4                           BMP image, total size: 270056
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Thanks!

@0xda568 0xda568 changed the title Added basic BMP detection Added basic BMP detection & extraction Feb 2, 2025
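
An added example (not the pull request's code) of the two-step validation described in the comment above: bounds checks from the 14-byte BITMAPFILEHEADER, then the DIB header's size field matched against the four supported structures (12, 40, 108 and 124 bytes). The function names, the exact set of bounds checks and the constructed sample data are assumptions.

```rust
// Added example: standalone sketch with assumed names, not the PR's code.
const FILE_HEADER_LEN: usize = 14; // BITMAPFILEHEADER
const DIB_SIZES: [u32; 4] = [12, 40, 108, 124]; // CORE, INFO, V4, V5 headers
fn le_u32(buf: &[u8], at: usize) -> Option<u32> {
    buf.get(at..at + 4).map(|b| u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
}

/// Total size of a plausible BMP starting at `offset`, else None.
pub fn bmp_size_at(data: &[u8], offset: usize) -> Option<usize> {
    let buf = data.get(offset..)?;
    if !buf.starts_with(b"BM") { return None; }
    let file_size = le_u32(buf, 2)? as usize; // bfSize
    let pixel_off = le_u32(buf, 10)? as usize; // bfOffBits
    // Step 1 (assumed checks): the described file must fit in the remaining data.
    if file_size <= FILE_HEADER_LEN || file_size > buf.len() || pixel_off >= file_size { return None; }
    // Step 2: the DIB header's first DWORD is its size and selects the type.
    let dib_size = le_u32(buf, FILE_HEADER_LEN)?;
    if !DIB_SIZES.contains(&dib_size) { return None; }
    // Pixel data cannot start inside the headers (assumed extra check).
    if pixel_off < FILE_HEADER_LEN + dib_size as usize { return None; }
    Some(file_size)
}
/// Scan a blob for every "BM" magic, keeping only validated (offset, size) hits.
pub fn scan_bmps(data: &[u8]) -> Vec<(usize, usize)> {
    let (mut hits, mut i) = (Vec::new(), 0);
    while i + 2 <= data.len() {
        let size = bmp_size_at(data, i);
        if let Some(s) = size { hits.push((i, s)); }
        i += size.unwrap_or(1); // skip past a validated bitmap
    }
    hits
}
/// Constructed sample: zero-filled BMP whose DIB size field is `dib_size`.
pub fn sample_bmp(dib_size: u32, pixels: usize) -> Vec<u8> {
    let pixel_off = FILE_HEADER_LEN + 124; // room for the largest DIB header
    let mut v = vec![0u8; pixel_off + pixels];
    let total = v.len() as u32;
    v[..2].copy_from_slice(b"BM");
    v[2..6].copy_from_slice(&total.to_le_bytes());
    v[10..14].copy_from_slice(&(pixel_off as u32).to_le_bytes());
    v[14..18].copy_from_slice(&dib_size.to_le_bytes());
    v
}

fn main() {
    let mut blob = b"BMxxBM\0\0".to_vec(); // stray magics, constructed
    blob.extend(sample_bmp(40, 16)); // valid BITMAPINFOHEADER
    blob.extend(sample_bmp(0x42, 16)); // invalid DIB size, must be skipped
    println!("{:?}", scan_bmps(&blob));
}
```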