vcl/source/filter/png/pngread.cxx | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-)
New commits: commit 127bfab61c297df06fd8e71e709bc4362cb89d21 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Tue Dec 22 10:18:36 2020 +0000 Commit: Caolán McNamara <caol...@redhat.com> CommitDate: Tue Dec 22 13:56:35 2020 +0100 oss-fuzz: pngfuzzer doesn't pass sanity check Step #5: #6 0x63cceaf in __cxa_throw (/tmp/not-out/pngfuzzer+0x63cceaf) Step #5: #7 0x4f1999 in SvStream::ReadUInt32(unsigned int&) (/tmp/not-out/pngfuzzer+0x4f1999) Step #5: #8 0x6a8cd7 in vcl::PNGReaderImpl::PNGReaderImpl(SvStream&) (/tmp/not-out/pngfuzzer+0x6a8cd7) Step #5: #9 0x6b545f in vcl::PNGReader::PNGReader(SvStream&) (/tmp/not-out/pngfuzzer+0x6b545f) Change-Id: Ibf062f8d7dfbbab7bf57be7d4e837c3a8934a40e Reviewed-on: https://gerrit.libreoffice.org/c/core/+/108154 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caol...@redhat.com>
diff --git a/vcl/source/filter/png/pngread.cxx b/vcl/source/filter/png/pngread.cxx
index 5a4e113867c9..cda1c3e9e4b5 100644
--- a/vcl/source/filter/png/pngread.cxx
+++ b/vcl/source/filter/png/pngread.cxx
@@ -228,11 +228,16 @@ PNGReaderImpl::PNGReaderImpl( SvStream& rPNGStream )
 mnStreamSize = mrPNGStream.TellEnd();
 // check the PNG header magic
- sal_uInt32 nDummy = 0;
- mrPNGStream.ReadUInt32( nDummy );
- mbStatus = (nDummy == 0x89504e47);
- mrPNGStream.ReadUInt32( nDummy );
- mbStatus = (nDummy == 0x0d0a1a0a) && mbStatus;
+ if (mnStreamSize < 8)
+ mbStatus = false;
+ else
+ {
+ sal_uInt32 nDummy = 0;
+ mrPNGStream.ReadUInt32( nDummy );
+ mbStatus = (nDummy == 0x89504e47);
+ mrPNGStream.ReadUInt32( nDummy );
+ mbStatus = (nDummy == 0x0d0a1a0a) && mbStatus;
+ }
 mnPreviewShift = 0;
 mnPreviewMask = (1 << mnPreviewShift) - 1;
_______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
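Review bot: The new `mnStreamSize < 8` guard compares the stream's end offset from `TellEnd()`, not the bytes left from the current read position, so it only protects the two `ReadUInt32` calls if the stream is at offset 0 when the constructor runs, which this hunk does not show. If a caller can pass a stream positioned part-way (for example a PNG embedded in a larger container), a truncated image would still reach the reads and, in builds where the stream throws on a short read as in the quoted fuzzer trace, the exception would escape the constructor. Consider bounding on what is actually left, `if (mrPNGStream.remainingSize() < 8)`, or checking `mrPNGStream.good()` after the two reads before trusting `nDummy`. The constructor body starts and ends outside the hunk.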