Limit BMP width to avoid overflows

BMP_WIDTHBYTES starts with: (width * bitCount) + 31. Since bitCount can be as
large as 32, to avoid this overflowing we need width <= 67108863.

BUG=chromium:628559

Change-Id: I4fd33b65da76225c8200a22380f2bfc4523c5c8d
Reviewed-on: https://pdfium-review.googlesource.com/2934
Commit-Queue: Nicolás Peña <npm@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>

2 files changed, 4 insertions, 1 deletions

diff --git a/core/fxcodec/lbmp/fx_bmp.cpp b/core/fxcodec/lbmp/fx_bmp.cpp
index 2b072a4a0c..13525b807d 100644
--- a/core/fxcodec/lbmp/fx_bmp.cpp
+++ b/core/fxcodec/lbmp/fx_bmp.cpp
@@ -171,7 +171,8 @@ int32_t bmp_read_header(bmp_decompress_struct_p bmp_ptr) {
         return 0;
       }
     }
-    if (bmp_ptr->width <= 0 || bmp_ptr->compress_flag > BMP_BITFIELDS) {
+    if (bmp_ptr->width <= 0 || bmp_ptr->width > BMP_MAX_WIDTH ||
+        bmp_ptr->compress_flag > BMP_BITFIELDS) {
       bmp_error(bmp_ptr, "The Bmp File Is Corrupt");
       return 0;
     }
diff --git a/core/fxcodec/lbmp/fx_bmp.h b/core/fxcodec/lbmp/fx_bmp.h
index 27a0f19970..b0233d1ef0 100644
--- a/core/fxcodec/lbmp/fx_bmp.h
+++ b/core/fxcodec/lbmp/fx_bmp.h
@@ -33,6 +33,8 @@
 #define BMP_BIT_555 0
 #define BMP_BIT_565 1
 #define BMP_MAX_ERROR_SIZE 256
+// Limit width to (MAXINT32 - 31) / 32
+#define BMP_MAX_WIDTH 67108863
 #pragma pack(1)
 typedef struct tagBmpFileHeader {
   uint16_t bfType;