From 3522b43b2fe7126fa9c437aad02eb88dfc4dd38c Mon Sep 17 00:00:00 2001
From: Nicolas Pena
Date: Tue, 7 Mar 2017 11:08:19 -0500
Subject: Limit BMP width to avoid overflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

BMP_WIDTHBYTES starts with: (width * bitCount) + 31. Since bitCount can be as large as 32, to avoid this overflowing we need width <= 67108863.

BUG=chromium:628559
Change-Id: I4fd33b65da76225c8200a22380f2bfc4523c5c8d
Reviewed-on: https://pdfium-review.googlesource.com/2934
Commit-Queue: Nicolás Peña
Reviewed-by: dsinclair
---
 core/fxcodec/lbmp/fx_bmp.cpp | 3 ++-
 core/fxcodec/lbmp/fx_bmp.h   | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/core/fxcodec/lbmp/fx_bmp.cpp b/core/fxcodec/lbmp/fx_bmp.cpp
index 2b072a4a0c..13525b807d 100644
--- a/core/fxcodec/lbmp/fx_bmp.cpp
+++ b/core/fxcodec/lbmp/fx_bmp.cpp
@@ -171,7 +171,8 @@ int32_t bmp_read_header(bmp_decompress_struct_p bmp_ptr) {
       return 0;
     }
   }
-  if (bmp_ptr->width <= 0 || bmp_ptr->compress_flag > BMP_BITFIELDS) {
+  if (bmp_ptr->width <= 0 || bmp_ptr->width > BMP_MAX_WIDTH ||
+      bmp_ptr->compress_flag > BMP_BITFIELDS) {
     bmp_error(bmp_ptr, "The Bmp File Is Corrupt");
     return 0;
   }
diff --git a/core/fxcodec/lbmp/fx_bmp.h b/core/fxcodec/lbmp/fx_bmp.h
index 27a0f19970..b0233d1ef0 100644
--- a/core/fxcodec/lbmp/fx_bmp.h
+++ b/core/fxcodec/lbmp/fx_bmp.h
@@ -33,6 +33,8 @@
 #define BMP_BIT_555 0
 #define BMP_BIT_565 1
 #define BMP_MAX_ERROR_SIZE 256
+// Limit width to (MAXINT32 - 31) / 32
+#define BMP_MAX_WIDTH 67108863
 #pragma pack(1)
 typedef struct tagBmpFileHeader {
   uint16_t bfType;
--
cgit v1.2.3
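Review bot: The new `bmp_ptr->width > BMP_MAX_WIDTH` rejection in the `if` only keeps `(width * bitCount) + 31` inside int32 range if `bitCount` has already been validated to be at most 32 at this point; bmp_read_header starts before this hunk, so I cannot see whether that validation precedes the check, and if it does not the bound is not sufficient. Either confirm the ordering or derive the bound from the `bitCount` actually read, and record the assumption next to the check: `// BMP_MAX_WIDTH keeps (width * bitCount) + 31 <= INT32_MAX only for bitCount <= 32; bitCount must be validated before this line.` Note also that this bound protects the per-row pitch arithmetic only; any width * height product used to size the pixel buffer presumably needs its own overflow check elsewhere, which this hunk does not show.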
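Review bot: The literal `67108863` on the `#define BMP_MAX_WIDTH` line encodes a derivation that the comment above it spells out in non-standard terms (`MAXINT32` is not a C/C++ name), so a reader has to recompute it to trust it. Expressing the constant as the formula keeps the value identical and makes the intent checkable: `// Largest width for which (width * bitCount) + 31 fits in int32 when bitCount <= 32.` followed by `#define BMP_MAX_WIDTH ((INT32_MAX - 31) / 32)`. This needs `<cstdint>`/`<stdint.h>` in scope, which the visible `uint16_t bfType;` member suggests the header already has, though that include is outside the hunk.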