[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

Thu, 03 Feb 2022 03:00:16 -0800 

 lotuswordpro/source/filter/lwpdrawobj.cxx |   65 ++++++------------------------
 1 file changed, 15 insertions(+), 50 deletions(-)

New commits:
commit 17dd787a4ca9c17883e0bdfc75c89c2fa7ec169e
Author:     zhutyra <zhutyra>
AuthorDate: Tue Feb 1 14:07:26 2022 +0000
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Thu Feb 3 11:59:31 2022 +0100

    ensure bounds checking
    
    LIBREOFFICE-SBQ5TJRS
    
    Change-Id: I71f35bc120fdd70298685131f29a6bb822d50f11
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129261
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>

diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx 
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index ce3f5249786d..11bc3bcb5a98 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1369,21 +1369,20 @@ void LwpDrawBitmap::Read()
     m_pStream->ReadUInt16( m_aBmpRec.nTranslation );
     m_pStream->ReadUInt16( m_aBmpRec.nRotation );
 
+    // 20 == length of draw-specific fields.
     if (m_aObjHeader.nRecLen < 20)
         throw BadRead();
 
-    // 20 == length of draw-specific fields.
-    // 14 == length of bmp file header.
-    m_aBmpRec.nFileSize = m_aObjHeader.nRecLen - 20 + 14;
+    sal_uInt64 nBmpPos = m_pStream->Tell();
+    sal_uInt64 nBmpLen =
+        std::min<sal_uInt64>(m_aObjHeader.nRecLen - 20, 
m_pStream->remainingSize());
 
     BmpInfoHeader2 aInfoHeader2;
     m_pStream->ReadUInt32( aInfoHeader2.nHeaderLen );
 
-    if (!m_pStream->good())
+    if (!m_pStream->good() || nBmpLen < aInfoHeader2.nHeaderLen)
         throw BadRead();
 
-    m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
-
     sal_uInt32 N;
     sal_uInt32 rgbTableSize;
 
@@ -1407,7 +1406,7 @@ void LwpDrawBitmap::Read()
             rgbTableSize = 3 * (1 << N);
         }
     }
-    else
+    else if (aInfoHeader2.nHeaderLen >= sizeof(BmpInfoHeader2))
     {
         m_pStream->ReadUInt32( aInfoHeader2.nWidth );
         m_pStream->ReadUInt32( aInfoHeader2.nHeight );
@@ -1426,9 +1425,15 @@ void LwpDrawBitmap::Read()
         {
             rgbTableSize = 4 * (1 << N);
         }
-
+    }
+    else
+    {
+        throw BadRead();
     }
 
+    m_aBmpRec.nFileSize = static_cast<sal_uInt32>(nBmpLen + 14);
+    m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
+
     sal_uInt32 nOffBits = 14 + aInfoHeader2.nHeaderLen + rgbTableSize;
     m_pImageData[0] = 'B';
     m_pImageData[1] = 'M';
@@ -1445,50 +1450,10 @@ void LwpDrawBitmap::Read()
     m_pImageData[12] = static_cast<sal_uInt8>(nOffBits >> 16);
     m_pImageData[13] = static_cast<sal_uInt8>(nOffBits >> 24);
 
-    sal_uInt32 nDIBRemaining;
     sal_uInt8* pPicData = m_pImageData.get();
-    if (aInfoHeader2.nHeaderLen== sizeof(BmpInfoHeader))
-    {
-        m_pImageData[14] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen);
-        m_pImageData[15] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >> 
8);
-        m_pImageData[16] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >> 
16);
-        m_pImageData[17] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >> 
24);
-        m_pImageData[18] = static_cast<sal_uInt8>(aInfoHeader2.nWidth);
-        m_pImageData[19] = static_cast<sal_uInt8>(aInfoHeader2.nWidth >> 8);
-        m_pImageData[20] = static_cast<sal_uInt8>(aInfoHeader2.nHeight);
-        m_pImageData[21] = static_cast<sal_uInt8>(aInfoHeader2.nHeight >> 8);
-        m_pImageData[22] = static_cast<sal_uInt8>(aInfoHeader2.nPlanes);
-        m_pImageData[23] = static_cast<sal_uInt8>(aInfoHeader2.nPlanes >> 8);
-        m_pImageData[24] = static_cast<sal_uInt8>(aInfoHeader2.nBitCount);
-        m_pImageData[25] = static_cast<sal_uInt8>(aInfoHeader2.nBitCount >> 8);
-
-        nDIBRemaining = m_aBmpRec.nFileSize - 26;
-        pPicData += 26*sizeof(sal_uInt8);
-    }
-    else
-    {
-        m_pImageData[14] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen);
-        m_pImageData[15] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >> 
8);
-        m_pImageData[16] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >> 
16);
-        m_pImageData[17] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >> 
24);
-        m_pImageData[18] = static_cast<sal_uInt8>(aInfoHeader2.nWidth);
-        m_pImageData[19] = static_cast<sal_uInt8>(aInfoHeader2.nWidth >> 8);
-        m_pImageData[20] = static_cast<sal_uInt8>(aInfoHeader2.nWidth >> 16);
-        m_pImageData[21] = static_cast<sal_uInt8>(aInfoHeader2.nWidth >> 24);
-        m_pImageData[22] = static_cast<sal_uInt8>(aInfoHeader2.nHeight);
-        m_pImageData[23] = static_cast<sal_uInt8>(aInfoHeader2.nHeight >> 8);
-        m_pImageData[24] = static_cast<sal_uInt8>(aInfoHeader2.nHeight >> 16);
-        m_pImageData[25] = static_cast<sal_uInt8>(aInfoHeader2.nHeight >> 24);
-        m_pImageData[26] = static_cast<sal_uInt8>(aInfoHeader2.nPlanes);
-        m_pImageData[27] = static_cast<sal_uInt8>(aInfoHeader2.nPlanes >> 8);
-        m_pImageData[28] = static_cast<sal_uInt8>(aInfoHeader2.nBitCount);
-        m_pImageData[29] = static_cast<sal_uInt8>(aInfoHeader2.nBitCount >> 8);
-
-        nDIBRemaining = m_aBmpRec.nFileSize - 30;
-        pPicData += 30*sizeof(sal_uInt8);
-    }
 
-    if (nDIBRemaining != m_pStream->ReadBytes(pPicData, nDIBRemaining))
+    m_pStream->Seek(nBmpPos);
+    if (nBmpLen != m_pStream->ReadBytes(pPicData + 14, nBmpLen))
         throw BadRead();
 }

Reply via email to