summaryrefslogtreecommitdiff
path: root/core/fxcodec
diff options
context:
space:
mode:
authordsinclair <dsinclair@chromium.org>2016-08-02 12:36:07 -0700
committerCommit bot <commit-bot@chromium.org>2016-08-02 12:36:07 -0700
commit0a7552ffa04bfb0c0523bd9c88e55e82842f53a8 (patch)
tree8616cd4ce984a28c97c292eca7a079e626faefbd /core/fxcodec
parentb2e63373054f0f1c3dbcdfa5e75acf2831b113f6 (diff)
downloadpdfium-0a7552ffa04bfb0c0523bd9c88e55e82842f53a8.tar.xz
Verify row bytes before alloc in BMP codec.
If the out_row_bytes is negative the alloc will fail. Verify the size before alloc and bail if it's negative. BUG=633381 Review-Url: https://codereview.chromium.org/2202283003
Diffstat (limited to 'core/fxcodec')
-rw-r--r--core/fxcodec/lbmp/fx_bmp.cpp6
1 files changed, 6 insertions, 0 deletions
diff --git a/core/fxcodec/lbmp/fx_bmp.cpp b/core/fxcodec/lbmp/fx_bmp.cpp
index dcf1ee11f9..b7f20666d8 100644
--- a/core/fxcodec/lbmp/fx_bmp.cpp
+++ b/core/fxcodec/lbmp/fx_bmp.cpp
@@ -213,6 +213,12 @@ int32_t bmp_read_header(bmp_decompress_struct_p bmp_ptr) {
break;
}
FX_Free(bmp_ptr->out_row_buffer);
+
+ if (bmp_ptr->out_row_bytes <= 0) {
+ bmp_error(bmp_ptr, "The Bmp File Is Corrupt");
+ return 0;
+ }
+
bmp_ptr->out_row_buffer = FX_Alloc(uint8_t, bmp_ptr->out_row_bytes);
FXSYS_memset(bmp_ptr->out_row_buffer, 0, bmp_ptr->out_row_bytes);
bmp_save_decoding_status(bmp_ptr, BMP_D_STATUS_PAL);