From 84c34bec5a041f861feb13fed35f89c97af15a3a Mon Sep 17 00:00:00 2001
From: Reini Urban
Date: Sun, 6 Feb 2022 19:33:26 +0100
Subject: [PATCH] bmp: better bounds-checks for wrong header_size

Fixes fuzzed GH #354 (Illegal DWG bmp preview)
---
 src/dwg.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/dwg.c b/src/dwg.c
index 72142e34ed..a6a959adf3 100644
--- a/src/dwg.c
+++ b/src/dwg.c
@@ -582,10 +582,11 @@ dwg_bmp (const Dwg_Data *restrict dwg, BITCODE_RL *restrict size)
 dat.byte += header_size;
 if (*size)
 LOG_TRACE ("BMP offset: %lu\n", dat.byte);
- if (dat.byte > dat.size)
+ if (dat.byte + *size > dat.size)
 {
 *size = 0;
- LOG_ERROR ("Preview overflow");
+ LOG_ERROR ("Preview overflow %lu + " FORMAT_RL " > %lu",
+ dat.byte, *size, dat.size);
 return NULL;
 }
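Review bot: The new guard `dat.byte + *size > dat.size` can itself wrap. If `dat.byte` is a 32-bit `unsigned long` on the target (the `%lu` specifiers suggest that type, but its declaration is outside the hunk), a large `*size` taken from a malformed header makes the sum small again and the check passes. A subtraction form avoids the wrap: `if (dat.byte > dat.size || *size > dat.size - dat.byte)`. Separately, `*size = 0;` runs before the new `LOG_ERROR`, so the message always prints 0 for the size; moving the assignment below the log call keeps the rejected value in the diagnostic. The body of dwg_bmp starts and ends outside the hunk.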