diff options
| -rw-r--r-- | core/fxcodec/lbmp/fx_bmp.cpp | 3 | ||||
| -rw-r--r-- | core/fxcodec/lbmp/fx_bmp.h | 2 |
2 files changed, 4 insertions, 1 deletions
diff --git a/core/fxcodec/lbmp/fx_bmp.cpp b/core/fxcodec/lbmp/fx_bmp.cpp index 2b072a4a0c..13525b807d 100644 --- a/core/fxcodec/lbmp/fx_bmp.cpp +++ b/core/fxcodec/lbmp/fx_bmp.cpp @@ -171,7 +171,8 @@ int32_t bmp_read_header(bmp_decompress_struct_p bmp_ptr) { return 0; } } - if (bmp_ptr->width <= 0 || bmp_ptr->compress_flag > BMP_BITFIELDS) { + if (bmp_ptr->width <= 0 || bmp_ptr->width > BMP_MAX_WIDTH || + bmp_ptr->compress_flag > BMP_BITFIELDS) { bmp_error(bmp_ptr, "The Bmp File Is Corrupt"); return 0; } diff --git a/core/fxcodec/lbmp/fx_bmp.h b/core/fxcodec/lbmp/fx_bmp.h index 27a0f19970..b0233d1ef0 100644 --- a/core/fxcodec/lbmp/fx_bmp.h +++ b/core/fxcodec/lbmp/fx_bmp.h @@ -33,6 +33,8 @@ #define BMP_BIT_555 0 #define BMP_BIT_565 1 #define BMP_MAX_ERROR_SIZE 256 +// Limit width to (MAXINT32 - 31) / 32 +#define BMP_MAX_WIDTH 67108863 #pragma pack(1) typedef struct tagBmpFileHeader { uint16_t bfType; |