bmp: better bounds-checks for wrong header_size

Fixes fuzzed GH #354 (Illegal DWG bmp preview)
LibreDWG · Feb 6, 2022 · 84c34be · 84c34be
1 parent 065a311
commit 84c34be
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/src/dwg.c b/src/dwg.c
@@ -582,10 +582,11 @@ dwg_bmp (const Dwg_Data *restrict dwg, BITCODE_RL *restrict size)
   dat.byte += header_size;
   if (*size)
     LOG_TRACE ("BMP offset: %lu\n", dat.byte);
-  if (dat.byte > dat.size)
+  if (dat.byte + *size > dat.size)
     {
       *size = 0;
-      LOG_ERROR ("Preview overflow");
+      LOG_ERROR ("Preview overflow %lu + " FORMAT_RL " > %lu",
+                 dat.byte, *size, dat.size);
       return NULL;
     }