rdbmp.c: Fix FPE triggered by malformed BMP

In rdbmp.c, it is necessary to guard against 32-bit overflow/wraparound
when allocating the row buffer, because since BMP files have 32-bit
width and height fields, the value of biWidth can be up to 4294967295.
Specifically, high values of biWidth could cause the samplesperrow
argument in alloc_sarray() to wrap around to 0, triggering a division by
zero error at line 460 in jmemmgr.c, or to wrap around to a small
number, likely triggering a buffer overflow.

This fix is not documented in the change log for this branch, because
the bug was exposed using the tjLoadImage() function in the 2.0.x
branch.  However, it is posited that the issue could be triggered using
TJBench in this branch.

diff --git a/rdbmp.c b/rdbmp.c
index eaa708645fe065a5be257ceb0c4d45878b3003f5..6b73f7c07a206fc02fc59e9d020ee7cb51f5aa4a 100644 (file)
--- a/rdbmp.c
+++ b/rdbmp.c
@@ -6,7 +6,7 @@
  * Modified 2009-2010 by Guido Vollbeding.
  * libjpeg-turbo Modifications:
  * Modified 2011 by Siarhei Siamashka.
- * Copyright (C) 2015, D. R. Commander.
+ * Copyright (C) 2015, 2018, D. R. Commander.
  * For conditions of distribution and use, see the accompanying README.ijg
  * file.
  *
@@ -434,6 +434,11 @@ start_input_bmp (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
     progress->total_extra_passes++; /* count file input as separate pass */
   }
 
+  /* Ensure that biWidth * 3 doesn't exceed the maximum value of the
+     JDIMENSION type.  This is only a danger with BMP files, since their width
+     and height fields are 32-bit integers. */
+  if ((unsigned long long)biWidth * 3ULL > 0xFFFFFFFFULL)
+    ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
   /* Allocate one-row buffer for returned data */
   source->pub.buffer = (*cinfo->mem->alloc_sarray)
     ((j_common_ptr) cinfo, JPOOL_IMAGE,