diff options
author | Nicolas Pena <npm@chromium.org> | 2017-03-13 15:09:05 -0400 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-03-13 19:59:38 +0000 |
commit | 4ca5ba4dec653aff28d14c9f48715e93e8dfd490 (patch) | |
tree | 47ec9d81160109cd2686ba9a58da101fe39a2d30 /core/fxcodec/lbmp/fx_bmp.cpp | |
parent | 77e2a6c4589dcedb61789beefb1605ba2c0f1aff (diff) | |
download | pdfium-4ca5ba4dec653aff28d14c9f48715e93e8dfd490.tar.xz |
Fix boundary value negation in bmp_read_headerchromium/3041
When the value read is equal to -INT_MIN, we cannot negate it since it will
be out of bounds, so return error in this case.
BUG=chromium:628559
Change-Id: I7e47a71ef0d35cfb2d1fddc0ba644f9aac79ec3f
Reviewed-on: https://pdfium-review.googlesource.com/2965
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
Diffstat (limited to 'core/fxcodec/lbmp/fx_bmp.cpp')
-rw-r--r-- | core/fxcodec/lbmp/fx_bmp.cpp | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/core/fxcodec/lbmp/fx_bmp.cpp b/core/fxcodec/lbmp/fx_bmp.cpp index 13525b807d..6d4fb51fcd 100644 --- a/core/fxcodec/lbmp/fx_bmp.cpp +++ b/core/fxcodec/lbmp/fx_bmp.cpp @@ -7,6 +7,7 @@ #include "core/fxcodec/lbmp/fx_bmp.h" #include <algorithm> +#include <limits> namespace { @@ -129,6 +130,10 @@ int32_t bmp_read_header(bmp_decompress_struct_p bmp_ptr) { bmp_ptr->dpi_y = (int32_t)GetDWord_LSBFirst( (uint8_t*)&bmp_info_header_ptr->biYPelsPerMeter); if (bmp_ptr->height < 0) { + if (bmp_ptr->height == std::numeric_limits<int>::min()) { + bmp_error(bmp_ptr, "Unsupported height"); + return 0; + } bmp_ptr->height = -bmp_ptr->height; bmp_ptr->imgTB_flag = true; } @@ -159,6 +164,10 @@ int32_t bmp_read_header(bmp_decompress_struct_p bmp_ptr) { bmp_ptr->dpi_y = GetDWord_LSBFirst( (uint8_t*)&bmp_info_header_ptr->biYPelsPerMeter); if (bmp_ptr->height < 0) { + if (bmp_ptr->height == std::numeric_limits<int>::min()) { + bmp_error(bmp_ptr, "Unsupported height"); + return 0; + } bmp_ptr->height = -bmp_ptr->height; bmp_ptr->imgTB_flag = true; } |