Limit BMP width to avoid overflows

BMP_WIDTHBYTES starts with: (width * bitCount) + 31. Since bitCount can be as large as 32, to avoid this overflowing we need width <= 67108863. BUG=chromium:628559 Change-Id: I4fd33b65da76225c8200a22380f2bfc4523c5c8d Reviewed-on: https://pdfium-review.googlesource.com/2934 Commit-Queue: Nicolás Peña <npm@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
author: Nicolas Pena <npm@chromium.org> 2017-03-07 11:08:19 -0500
committer: Chromium commit bot <commit-bot@chromium.org> 2017-03-07 16:35:45 +0000
commit: 3522b43b2fe7126fa9c437aad02eb88dfc4dd38c (patch)
tree: e6df922dc813c5179e632d86af72e842579af7eb /core/fxcodec/lbmp/fx_bmp.cpp
parent: fc9b9880c79bd9e7864c009aad48c9b27bb352a0 (diff)
download: pdfium-3522b43b2fe7126fa9c437aad02eb88dfc4dd38c.tar.xz
1 files changed, 2 insertions, 1 deletions
diff --git a/core/fxcodec/lbmp/fx_bmp.cpp b/core/fxcodec/lbmp/fx_bmp.cpp
index 2b072a4a0c..13525b807d 100644
--- a/core/fxcodec/lbmp/fx_bmp.cpp
+++ b/core/fxcodec/lbmp/fx_bmp.cpp
@@ -171,7 +171,8 @@ int32_t bmp_read_header(bmp_decompress_struct_p bmp_ptr) {
         return 0;
       }
     }
-    if (bmp_ptr->width <= 0 || bmp_ptr->compress_flag > BMP_BITFIELDS) {
+    if (bmp_ptr->width <= 0 || bmp_ptr->width > BMP_MAX_WIDTH ||
+        bmp_ptr->compress_flag > BMP_BITFIELDS) {
       bmp_error(bmp_ptr, "The Bmp File Is Corrupt");
       return 0;
     }
author	Nicolas Pena <npm@chromium.org>	2017-03-07 11:08:19 -0500
committer	Chromium commit bot <commit-bot@chromium.org>	2017-03-07 16:35:45 +0000
commit	3522b43b2fe7126fa9c437aad02eb88dfc4dd38c (patch)
tree	e6df922dc813c5179e632d86af72e842579af7eb /core/fxcodec/lbmp/fx_bmp.cpp
parent	fc9b9880c79bd9e7864c009aad48c9b27bb352a0 (diff)
download	pdfium-3522b43b2fe7126fa9c437aad02eb88dfc4dd38c.tar.xz