summaryrefslogtreecommitdiff
path: root/core/fxcodec/lbmp/fx_bmp.h
diff options
context:
space:
mode:
authorNicolas Pena <npm@chromium.org>2017-03-07 11:08:19 -0500
committerChromium commit bot <commit-bot@chromium.org>2017-03-07 16:35:45 +0000
commit3522b43b2fe7126fa9c437aad02eb88dfc4dd38c (patch)
treee6df922dc813c5179e632d86af72e842579af7eb /core/fxcodec/lbmp/fx_bmp.h
parentfc9b9880c79bd9e7864c009aad48c9b27bb352a0 (diff)
downloadpdfium-3522b43b2fe7126fa9c437aad02eb88dfc4dd38c.tar.xz
Limit BMP width to avoid overflows
BMP_WIDTHBYTES starts with: (width * bitCount) + 31. Since bitCount can be as large as 32, to avoid this overflowing we need width <= 67108863. BUG=chromium:628559 Change-Id: I4fd33b65da76225c8200a22380f2bfc4523c5c8d Reviewed-on: https://pdfium-review.googlesource.com/2934 Commit-Queue: Nicolás Peña <npm@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'core/fxcodec/lbmp/fx_bmp.h')
-rw-r--r--core/fxcodec/lbmp/fx_bmp.h2
1 files changed, 2 insertions, 0 deletions
diff --git a/core/fxcodec/lbmp/fx_bmp.h b/core/fxcodec/lbmp/fx_bmp.h
index 27a0f19970..b0233d1ef0 100644
--- a/core/fxcodec/lbmp/fx_bmp.h
+++ b/core/fxcodec/lbmp/fx_bmp.h
@@ -33,6 +33,8 @@
#define BMP_BIT_555 0
#define BMP_BIT_565 1
#define BMP_MAX_ERROR_SIZE 256
+// Limit width to (MAXINT32 - 31) / 32
+#define BMP_MAX_WIDTH 67108863
#pragma pack(1)
typedef struct tagBmpFileHeader {
uint16_t bfType;