From 3522b43b2fe7126fa9c437aad02eb88dfc4dd38c Mon Sep 17 00:00:00 2001
From: Nicolas Pena <npm@chromium.org>
Date: Tue, 7 Mar 2017 11:08:19 -0500
Subject: Limit BMP width to avoid overflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

BMP_WIDTHBYTES starts with: (width * bitCount) + 31. Since bitCount can be as
large as 32, to avoid this overflowing we need width <= 67108863.

BUG=chromium:628559

Change-Id: I4fd33b65da76225c8200a22380f2bfc4523c5c8d
Reviewed-on: https://pdfium-review.googlesource.com/2934
Commit-Queue: Nicolás Peña <npm@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
---
 core/fxcodec/lbmp/fx_bmp.cpp | 3 ++-
 core/fxcodec/lbmp/fx_bmp.h   | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

(limited to 'core/fxcodec')

diff --git a/core/fxcodec/lbmp/fx_bmp.cpp b/core/fxcodec/lbmp/fx_bmp.cpp
index 2b072a4a0c..13525b807d 100644
--- a/core/fxcodec/lbmp/fx_bmp.cpp
+++ b/core/fxcodec/lbmp/fx_bmp.cpp
@@ -171,7 +171,8 @@ int32_t bmp_read_header(bmp_decompress_struct_p bmp_ptr) {
         return 0;
       }
     }
-    if (bmp_ptr->width <= 0 || bmp_ptr->compress_flag > BMP_BITFIELDS) {
+    if (bmp_ptr->width <= 0 || bmp_ptr->width > BMP_MAX_WIDTH ||
+        bmp_ptr->compress_flag > BMP_BITFIELDS) {
       bmp_error(bmp_ptr, "The Bmp File Is Corrupt");
       return 0;
     }
diff --git a/core/fxcodec/lbmp/fx_bmp.h b/core/fxcodec/lbmp/fx_bmp.h
index 27a0f19970..b0233d1ef0 100644
--- a/core/fxcodec/lbmp/fx_bmp.h
+++ b/core/fxcodec/lbmp/fx_bmp.h
@@ -33,6 +33,8 @@
 #define BMP_BIT_555 0
 #define BMP_BIT_565 1
 #define BMP_MAX_ERROR_SIZE 256
+// Limit width to (MAXINT32 - 31) / 32
+#define BMP_MAX_WIDTH 67108863
 #pragma pack(1)
 typedef struct tagBmpFileHeader {
   uint16_t bfType;
-- 
cgit v1.2.3