Limit BMP width to avoid overflows
BMP_WIDTHBYTES starts with: (width * bitCount) + 31. Since bitCount can be as
large as 32, to avoid this overflowing we need width <= 67108863.
BUG=chromium:628559
Change-Id: I4fd33b65da76225c8200a22380f2bfc4523c5c8d
Reviewed-on: https://pdfium-review.googlesource.com/2934
Commit-Queue: Nicolás Peña <npm@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
diff --git a/core/fxcodec/lbmp/fx_bmp.cpp b/core/fxcodec/lbmp/fx_bmp.cpp
index 2b072a4..13525b8 100644
--- a/core/fxcodec/lbmp/fx_bmp.cpp
+++ b/core/fxcodec/lbmp/fx_bmp.cpp
@@ -171,7 +171,8 @@
return 0;
}
}
- if (bmp_ptr->width <= 0 || bmp_ptr->compress_flag > BMP_BITFIELDS) {
+ if (bmp_ptr->width <= 0 || bmp_ptr->width > BMP_MAX_WIDTH ||
+ bmp_ptr->compress_flag > BMP_BITFIELDS) {
bmp_error(bmp_ptr, "The Bmp File Is Corrupt");
return 0;
}
diff --git a/core/fxcodec/lbmp/fx_bmp.h b/core/fxcodec/lbmp/fx_bmp.h
index 27a0f19..b0233d1 100644
--- a/core/fxcodec/lbmp/fx_bmp.h
+++ b/core/fxcodec/lbmp/fx_bmp.h
@@ -33,6 +33,8 @@
#define BMP_BIT_555 0
#define BMP_BIT_565 1
#define BMP_MAX_ERROR_SIZE 256
+// Limit width to (MAXINT32 - 31) / 32
+#define BMP_MAX_WIDTH 67108863
#pragma pack(1)
typedef struct tagBmpFileHeader {
uint16_t bfType;