diff options
author | Nicolas Pena <npm@chromium.org> | 2017-03-07 11:08:19 -0500 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-03-07 16:35:45 +0000 |
commit | 3522b43b2fe7126fa9c437aad02eb88dfc4dd38c (patch) | |
tree | e6df922dc813c5179e632d86af72e842579af7eb /core/fxcodec/lbmp/fx_bmp.h | |
parent | fc9b9880c79bd9e7864c009aad48c9b27bb352a0 (diff) | |
download | pdfium-3522b43b2fe7126fa9c437aad02eb88dfc4dd38c.tar.xz |
Limit BMP width to avoid overflows
BMP_WIDTHBYTES starts with: (width * bitCount) + 31. Since bitCount can be as
large as 32, to avoid this overflowing we need width <= 67108863.
BUG=chromium:628559
Change-Id: I4fd33b65da76225c8200a22380f2bfc4523c5c8d
Reviewed-on: https://pdfium-review.googlesource.com/2934
Commit-Queue: Nicolás Peña <npm@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'core/fxcodec/lbmp/fx_bmp.h')
-rw-r--r-- | core/fxcodec/lbmp/fx_bmp.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/core/fxcodec/lbmp/fx_bmp.h b/core/fxcodec/lbmp/fx_bmp.h index 27a0f19970..b0233d1ef0 100644 --- a/core/fxcodec/lbmp/fx_bmp.h +++ b/core/fxcodec/lbmp/fx_bmp.h @@ -33,6 +33,8 @@ #define BMP_BIT_555 0 #define BMP_BIT_565 1 #define BMP_MAX_ERROR_SIZE 256 +// Limit width to (MAXINT32 - 31) / 32 +#define BMP_MAX_WIDTH 67108863 #pragma pack(1) typedef struct tagBmpFileHeader { uint16_t bfType; |