Check that there is enough data remaining in source BMP before readingchromium/3152

When reading in a BMP, after processing the header, make sure that
there is enough data remaining in the source before proceeding. If not
signal that the BMP is improperly formatted.

BUG=chromium:738635

Change-Id: I506bc0e6db7dcd4b5984fd91a1f39516320a2037
Reviewed-on: https://pdfium-review.googlesource.com/7280
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>

1 files changed, 7 insertions, 1 deletions

diff --git a/core/fxge/dib/cfx_dibitmap.h b/core/fxge/dib/cfx_dibitmap.h
index df751db3df..2b5555befc 100644
--- a/core/fxge/dib/cfx_dibitmap.h
+++ b/core/fxge/dib/cfx_dibitmap.h
@@ -25,7 +25,7 @@ class CFX_DIBitmap : public CFX_DIBSource {
               int height,
               FXDIB_Format format,
               uint8_t* pBuffer = nullptr,
-              int pitch = 0);
+              uint32_t pitch = 0);
 
   bool Copy(const CFX_RetainPtr<CFX_DIBSource>& pSrc);
 
@@ -96,6 +96,12 @@ class CFX_DIBitmap : public CFX_DIBSource {
 
   bool ConvertColorScale(uint32_t forecolor, uint32_t backcolor);
 
+  static bool CalculatePitchAndSize(int height,
+                                    int width,
+                                    FXDIB_Format format,
+                                    uint32_t* pitch,
+                                    uint32_t* size);
+
 #if defined _SKIA_SUPPORT_ || _SKIA_SUPPORT_PATHS_
   void PreMultiply();
 #endif