From 0a7552ffa04bfb0c0523bd9c88e55e82842f53a8 Mon Sep 17 00:00:00 2001
From: dsinclair <dsinclair@chromium.org>
Date: Tue, 2 Aug 2016 12:36:07 -0700
Subject: Verify row bytes before alloc in BMP codec.

If the out_row_bytes is negative the alloc will fail. Verify the size before
alloc and bail if it's negative.

BUG=633381

Review-Url: https://codereview.chromium.org/2202283003
---
 core/fxcodec/lbmp/fx_bmp.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/core/fxcodec/lbmp/fx_bmp.cpp b/core/fxcodec/lbmp/fx_bmp.cpp
index dcf1ee11f9..b7f20666d8 100644
--- a/core/fxcodec/lbmp/fx_bmp.cpp
+++ b/core/fxcodec/lbmp/fx_bmp.cpp
@@ -213,6 +213,12 @@ int32_t bmp_read_header(bmp_decompress_struct_p bmp_ptr) {
         break;
     }
     FX_Free(bmp_ptr->out_row_buffer);
+
+    if (bmp_ptr->out_row_bytes <= 0) {
+      bmp_error(bmp_ptr, "The Bmp File Is Corrupt");
+      return 0;
+    }
+
     bmp_ptr->out_row_buffer = FX_Alloc(uint8_t, bmp_ptr->out_row_bytes);
     FXSYS_memset(bmp_ptr->out_row_buffer, 0, bmp_ptr->out_row_bytes);
     bmp_save_decoding_status(bmp_ptr, BMP_D_STATUS_PAL);
-- 
cgit v1.2.3