summaryrefslogtreecommitdiff
path: root/core/fxcodec/lbmp
diff options
context:
space:
mode:
authorNicolas Pena <npm@chromium.org>2017-01-16 13:09:41 -0500
committerChromium commit bot <commit-bot@chromium.org>2017-01-16 21:56:56 +0000
commitff920ae3e181de9275f1d4c9b4b54fe2a7a54560 (patch)
treef19c447001295300d6af2928b32c18d6dc1045e0 /core/fxcodec/lbmp
parent6efd0d7464e1f02ef3cd4f1abe5c6f8e5283fbbb (diff)
downloadpdfium-ff920ae3e181de9275f1d4c9b4b54fe2a7a54560.tar.xz
Check blue,green,red bit count in bmp_decode_rgb
If the values are going to overflow, return error code, which seems to be 2. BUG=668822 Change-Id: I89b3fcf277e98d65b8c3438e6d9bb84fe62a8de9 Reviewed-on: https://pdfium-review.googlesource.com/2213 Commit-Queue: Nicolás Peña <npm@chromium.org> Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'core/fxcodec/lbmp')
-rw-r--r--core/fxcodec/lbmp/fx_bmp.cpp2
1 files changed, 2 insertions, 0 deletions
diff --git a/core/fxcodec/lbmp/fx_bmp.cpp b/core/fxcodec/lbmp/fx_bmp.cpp
index fb64b36560..2b072a4a0c 100644
--- a/core/fxcodec/lbmp/fx_bmp.cpp
+++ b/core/fxcodec/lbmp/fx_bmp.cpp
@@ -358,6 +358,8 @@ int32_t bmp_decode_rgb(bmp_decompress_struct_p bmp_ptr) {
}
green_bits += blue_bits;
red_bits += green_bits;
+ if (blue_bits > 8 || green_bits < 8 || red_bits < 8)
+ return 2;
blue_bits = 8 - blue_bits;
green_bits -= 8;
red_bits -= 8;