Fix boundary value negation in bmp_read_headerchromium/3041

When the value read is equal to -INT_MIN, we cannot negate it since it will
be out of bounds, so return error in this case.

BUG=chromium:628559

Change-Id: I7e47a71ef0d35cfb2d1fddc0ba644f9aac79ec3f
Reviewed-on: https://pdfium-review.googlesource.com/2965
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>

1 files changed, 9 insertions, 0 deletions

diff --git a/core/fxcodec/lbmp/fx_bmp.cpp b/core/fxcodec/lbmp/fx_bmp.cpp
index 13525b807d..6d4fb51fcd 100644
--- a/core/fxcodec/lbmp/fx_bmp.cpp
+++ b/core/fxcodec/lbmp/fx_bmp.cpp
@@ -7,6 +7,7 @@
 #include "core/fxcodec/lbmp/fx_bmp.h"
 
 #include <algorithm>
+#include <limits>
 
 namespace {
 
@@ -129,6 +130,10 @@ int32_t bmp_read_header(bmp_decompress_struct_p bmp_ptr) {
         bmp_ptr->dpi_y = (int32_t)GetDWord_LSBFirst(
             (uint8_t*)&bmp_info_header_ptr->biYPelsPerMeter);
         if (bmp_ptr->height < 0) {
+          if (bmp_ptr->height == std::numeric_limits<int>::min()) {
+            bmp_error(bmp_ptr, "Unsupported height");
+            return 0;
+          }
           bmp_ptr->height = -bmp_ptr->height;
           bmp_ptr->imgTB_flag = true;
         }
@@ -159,6 +164,10 @@ int32_t bmp_read_header(bmp_decompress_struct_p bmp_ptr) {
           bmp_ptr->dpi_y = GetDWord_LSBFirst(
               (uint8_t*)&bmp_info_header_ptr->biYPelsPerMeter);
           if (bmp_ptr->height < 0) {
+            if (bmp_ptr->height == std::numeric_limits<int>::min()) {
+              bmp_error(bmp_ptr, "Unsupported height");
+              return 0;
+            }
             bmp_ptr->height = -bmp_ptr->height;
             bmp_ptr->imgTB_flag = true;
           }