Fix integer overflow (-INT_MIN) in BMPImageReader::readInfoHeader

https://bugs.webkit.org/show_bug.cgi?id=259033

Reviewed by Don Olmstead.

Merge: https://chromium.googlesource.com/chromium/src.git/+/cbe3909f4f64e0f00e2eea6898395ece4672c913

For non-Apple platforms, this patch just rejects bitmap in 'redInfoHeader' to
avoid integer overflow.

NOTE: We don't have C++ tests similar to Blink so I am just merging 'change'.

* Source/WebCore/platform/image-decoders/bmp/BMPImageReader.cpp:
(BMPImageReader::processInfoHeader): As above

Canonical link: https://commits.webkit.org/266085@main

Source/WebCore/platform/image-decoders/bmp/BMPImageReader.cpp

@@ -260,6 +260,11 @@ bool BMPImageReader::readInfoHeader()
 
     // Detect top-down BMPs.
     if (m_infoHeader.biHeight < 0) {
+        // We can't negate INT32_MIN below to get a positive int32_t.
+        // isInfoHeaderValid() will reject heights of 1 << 16 or larger anyway,
+        // so just reject this bitmap now.
+        if (m_infoHeader.biHeight == INT32_MIN)
+            return m_parent->setFailed();
         m_isTopDown = true;
         m_infoHeader.biHeight = -m_infoHeader.biHeight;
     }