Check for min int in BMP header
Bug: os-fuzz:6288
Negating it is undefined, so don't try.
Change-Id: I055520b8036dd8b355e744114717e08d76206bc1
Reviewed-on: https://skia-review.googlesource.com/107062
Reviewed-by: Mike Klein <mtklein@chromium.org>
Commit-Queue: Leon Scroggins <scroggo@google.com>
diff --git a/resources/invalid_images/osfuzz6288.bmp b/resources/invalid_images/osfuzz6288.bmp
new file mode 100644
index 0000000..fd6e0b8
--- /dev/null
+++ b/resources/invalid_images/osfuzz6288.bmp
Binary files differ
diff --git a/src/codec/SkBmpCodec.cpp b/src/codec/SkBmpCodec.cpp
index d97dff0..7dd49a5 100644
--- a/src/codec/SkBmpCodec.cpp
+++ b/src/codec/SkBmpCodec.cpp
@@ -268,6 +268,11 @@
// Check for valid dimensions from header
SkCodec::SkScanlineOrder rowOrder = SkCodec::kBottomUp_SkScanlineOrder;
if (height < 0) {
+ // We can't negate INT32_MIN.
+ if (height == INT32_MIN) {
+ return kInvalidInput;
+ }
+
height = -height;
rowOrder = SkCodec::kTopDown_SkScanlineOrder;
}
diff --git a/tests/CodecTest.cpp b/tests/CodecTest.cpp
index 8172751..290686f 100644
--- a/tests/CodecTest.cpp
+++ b/tests/CodecTest.cpp
@@ -623,7 +623,7 @@
static void test_invalid(skiatest::Reporter* r, const char path[]) {
auto data = GetResourceAsData(path);
if (!data) {
- ERRORF(r, "Failed to get resources %s", path);
+ ERRORF(r, "Failed to get resource %s", path);
return;
}
@@ -655,6 +655,7 @@
#endif
test_invalid(r, "invalid_images/b37623797.ico");
test_invalid(r, "invalid_images/osfuzz6295.webp");
+ test_invalid(r, "invalid_images/osfuzz6288.bmp");
}
#ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
