vcl/source/filter/png/PngImageReader.cxx | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
New commits: commit 20e05507fa2d7d9cec485d14f382920edd6f2528 Author: Caolán McNamara <caolan.mcnam...@collabora.com> AuthorDate: Thu Jun 15 21:29:49 2023 +0100 Commit: Caolán McNamara <caolan.mcnam...@collabora.com> CommitDate: Fri Jun 16 09:43:16 2023 +0200 ofz#59854 Null-dereference WRITE Change-Id: Iedbf21248b7d75474ea325905569d192360380f2 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/153155 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com>
diff --git a/vcl/source/filter/png/PngImageReader.cxx b/vcl/source/filter/png/PngImageReader.cxx
index 7e3fdbe44d71..a04344b4afe6 100644
--- a/vcl/source/filter/png/PngImageReader.cxx
+++ b/vcl/source/filter/png/PngImageReader.cxx
@@ -164,8 +164,11 @@ int handle_unknown_chunk(png_structp png, png_unknown_chunkp chunk)
 }
 else if (sName == "fdAT")
 {
- std::unique_ptr<fdATChunk> aChunk = std::make_unique<fdATChunk>();
 size_t nDataSize = chunk->size;
+ if (nDataSize < 4)
+ return -1;
+
+ std::unique_ptr<fdATChunk> aChunk = std::make_unique<fdATChunk>();
 aChunk->frame_data.resize(nDataSize);
 // Replace sequence number with the IDAT signature
 sal_uInt32 nIDATSwapped = OSL_SWAPDWORD(PNG_IDAT_SIGNATURE);
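Review bot: The new guard `if (nDataSize < 4)` uses a bare literal whose meaning only becomes clear from the comment three lines further down; tie it to the field being overwritten, e.g. `if (nDataSize < sizeof(sal_uInt32)) // too short to hold the fdAT sequence number replaced below`. Judging by the `sal_uInt32 nIDATSwapped` line, the code after the hunk stores four bytes at the start of `frame_data`, so the check appears to cover both the empty chunk behind the null dereference in the commit title and sizes 1–3, which would otherwise be a write past the end of the buffer; the comment should say that both cases are rejected. The write itself and the other branches of handle_unknown_chunk lie outside the hunk, so it is worth confirming that they validate `chunk->size` the same way before touching fixed-size fields.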