diff options
author | dsinclair <dsinclair@chromium.org> | 2016-08-02 12:36:07 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-08-02 12:36:07 -0700 |
commit | 0a7552ffa04bfb0c0523bd9c88e55e82842f53a8 (patch) | |
tree | 8616cd4ce984a28c97c292eca7a079e626faefbd /core/fxcodec/lbmp/fx_bmp.cpp | |
parent | b2e63373054f0f1c3dbcdfa5e75acf2831b113f6 (diff) | |
download | pdfium-0a7552ffa04bfb0c0523bd9c88e55e82842f53a8.tar.xz |
Verify row bytes before alloc in BMP codec.
If the out_row_bytes is negative the alloc will fail. Verify the size before
alloc and bail if it's negative.
BUG=633381
Review-Url: https://codereview.chromium.org/2202283003
Diffstat (limited to 'core/fxcodec/lbmp/fx_bmp.cpp')
-rw-r--r-- | core/fxcodec/lbmp/fx_bmp.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/core/fxcodec/lbmp/fx_bmp.cpp b/core/fxcodec/lbmp/fx_bmp.cpp index dcf1ee11f9..b7f20666d8 100644 --- a/core/fxcodec/lbmp/fx_bmp.cpp +++ b/core/fxcodec/lbmp/fx_bmp.cpp @@ -213,6 +213,12 @@ int32_t bmp_read_header(bmp_decompress_struct_p bmp_ptr) { break; } FX_Free(bmp_ptr->out_row_buffer); + + if (bmp_ptr->out_row_bytes <= 0) { + bmp_error(bmp_ptr, "The Bmp File Is Corrupt"); + return 0; + } + bmp_ptr->out_row_buffer = FX_Alloc(uint8_t, bmp_ptr->out_row_bytes); FXSYS_memset(bmp_ptr->out_row_buffer, 0, bmp_ptr->out_row_bytes); bmp_save_decoding_status(bmp_ptr, BMP_D_STATUS_PAL); |