Check for min int in BMP header

Bug: os-fuzz:6288

Negating it is undefined, so don't try.

Change-Id: I055520b8036dd8b355e744114717e08d76206bc1
Reviewed-on: https://skia-review.googlesource.com/107062
Reviewed-by: Mike Klein <mtklein@chromium.org>
Commit-Queue: Leon Scroggins <scroggo@google.com>

3 files changed, 7 insertions, 1 deletions

diff --git a/resources/invalid_images/osfuzz6288.bmp b/resources/invalid_images/osfuzz6288.bmp
new file mode 100644
index 0000000000..fd6e0b8aa7
--- /dev/null
+++ b/resources/invalid_images/osfuzz6288.bmp
diff --git a/src/codec/SkBmpCodec.cpp b/src/codec/SkBmpCodec.cpp
index d97dff0971..7dd49a51e3 100644
--- a/src/codec/SkBmpCodec.cpp
+++ b/src/codec/SkBmpCodec.cpp
@@ -268,6 +268,11 @@ SkCodec::Result SkBmpCodec::ReadHeader(SkStream* stream, bool inIco,
     // Check for valid dimensions from header
     SkCodec::SkScanlineOrder rowOrder = SkCodec::kBottomUp_SkScanlineOrder;
     if (height < 0) {
+        // We can't negate INT32_MIN.
+        if (height == INT32_MIN) {
+            return kInvalidInput;
+        }
+
         height = -height;
         rowOrder = SkCodec::kTopDown_SkScanlineOrder;
     }
diff --git a/tests/CodecTest.cpp b/tests/CodecTest.cpp
index 8172751cf6..290686fa37 100644
--- a/tests/CodecTest.cpp
+++ b/tests/CodecTest.cpp
@@ -623,7 +623,7 @@ DEF_TEST(Codec_Dimensions, r) {
 static void test_invalid(skiatest::Reporter* r, const char path[]) {
     auto data = GetResourceAsData(path);
     if (!data) {
-        ERRORF(r, "Failed to get resources %s", path);
+        ERRORF(r, "Failed to get resource %s", path);
         return;
     }
 
@@ -655,6 +655,7 @@ DEF_TEST(Codec_Empty, r) {
 #endif
     test_invalid(r, "invalid_images/b37623797.ico");
     test_invalid(r, "invalid_images/osfuzz6295.webp");
+    test_invalid(r, "invalid_images/osfuzz6288.bmp");
 }
 
 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED