From ff920ae3e181de9275f1d4c9b4b54fe2a7a54560 Mon Sep 17 00:00:00 2001
From: Nicolas Pena
Date: Mon, 16 Jan 2017 13:09:41 -0500
Subject: Check blue,green,red bit count in bmp_decode_rgb
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the values are going to overflow, return error code, which seems to be 2.
BUG=668822
Change-Id: I89b3fcf277e98d65b8c3438e6d9bb84fe62a8de9
Reviewed-on: https://pdfium-review.googlesource.com/2213
Commit-Queue: Nicolás Peña
Commit-Queue: dsinclair
Reviewed-by: dsinclair
---
 core/fxcodec/lbmp/fx_bmp.cpp | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/core/fxcodec/lbmp/fx_bmp.cpp b/core/fxcodec/lbmp/fx_bmp.cpp
index fb64b36560..2b072a4a0c 100644
--- a/core/fxcodec/lbmp/fx_bmp.cpp
+++ b/core/fxcodec/lbmp/fx_bmp.cpp
@@ -358,6 +358,8 @@ int32_t bmp_decode_rgb(bmp_decompress_struct_p bmp_ptr) {
 }
 green_bits += blue_bits;
 red_bits += green_bits;
+ if (blue_bits > 8 || green_bits < 8 || red_bits < 8)
+ return 2;
 blue_bits = 8 - blue_bits;
 green_bits -= 8;
 red_bits -= 8;
-- 
cgit v1.2.3
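Review bot: The added guard before `blue_bits = 8 - blue_bits;` checks only the accumulated bit counts, and the bare `return 2;` tells a reader neither why these bounds matter nor what 2 means; the commit message itself says the code only "seems to be 2". A comment such as `// Bit counts come from file-supplied masks; reject any that would make the 8-bit adjustments below wrap.` would record the intent, and a named constant for the error value would be clearer if the file defines one. The counting loop and the later uses of the three values are outside the hunk, so the next point is inferred. If the values are used as shift amounts against the raw masks, masks that are non-contiguous or not in the expected blue-low, red-high order would pass this check and still decode to wrong channel values, so validating the mask layout where the header is parsed may be the more complete fix. The body of bmp_decode_rgb starts and ends outside the hunk.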