From d2e808d74faa874a500aa4b2b2bf32c93faa8924 Mon Sep 17 00:00:00 2001
From: Seoyeon Kim <seoyeon2.kim@samsung.com>
Date: Wed, 2 Aug 2017 10:27:11 +0900
Subject: [PATCH] Fix SVACE issue

- Integer 'rowStride' could be obtained from untrusted source at loader-bmp.cpp:105
- Checked 'infoHeader.width' and 'infoHeader.height' bounds

Change-Id: I5e054565e85b11dc8cdb5a2809955fd75a3c53fb
Signed-off-by: Seoyeon Kim <seoyeon2.kim@samsung.com>
---
 platform-abstractions/tizen/image-loaders/loader-bmp.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/platform-abstractions/tizen/image-loaders/loader-bmp.cpp b/platform-abstractions/tizen/image-loaders/loader-bmp.cpp
index 0ac6748..37f3c26 100644
--- a/platform-abstractions/tizen/image-loaders/loader-bmp.cpp
+++ b/platform-abstractions/tizen/image-loaders/loader-bmp.cpp
@@ -110,6 +110,11 @@ bool LoadBmpHeader(FILE *fp, unsigned int &width, unsigned int &height, BmpFileH
   width = infoHeader.width;
   height = abs(infoHeader.height);
 
+  if( infoHeader.width == 0 )
+  {
+    return false;
+  }
+
   return true;
 }
 
@@ -1254,7 +1259,7 @@ bool LoadBitmapFromBmp( const ImageLoader::Input& input, Integration::Bitmap& bi
     }
     case BMP_RGB4:
     {
-      decodeResult = DecodeRGB4(fp, pixels, infoHeader.width, infoHeader.height, 14 + infoHeader.infoHeaderSize, topDown);
+      decodeResult = DecodeRGB4(fp, pixels, infoHeader.width, abs(infoHeader.height), 14 + infoHeader.infoHeaderSize, topDown);
       break;
     }
     case BMP_RLE4:
-- 
2.7.4