include/svtools/parrtf.hxx | 1 svtools/source/svrtf/parrtf.cxx | 35 +++++++++++++++++++++---------- vcl/source/filter/png/PngImageReader.cxx | 13 +++++++---- 3 files changed, 33 insertions(+), 16 deletions(-)
New commits: commit ec6ddf177af4871b143a5135677af9920f16d567 Author: Caolán McNamara <caolan.mcnam...@collabora.com> AuthorDate: Fri Oct 6 16:41:49 2023 +0100 Commit: Caolán McNamara <caolan.mcnam...@collabora.com> CommitDate: Sat Oct 7 01:16:33 2023 +0200 ofz#63036 Timeout in new png code Change-Id: I06955f420bfe2faea8b9865c375d4ae364163494 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/157661 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com>
diff --git a/vcl/source/filter/png/PngImageReader.cxx b/vcl/source/filter/png/PngImageReader.cxx
index 8934c08ccaa9..64ecd2286c14 100644
--- a/vcl/source/filter/png/PngImageReader.cxx
+++ b/vcl/source/filter/png/PngImageReader.cxx
@@ -286,10 +286,12 @@ bool fcTLbeforeIDAT(SvStream& rStream)
 comphelper::ScopeGuard aGuard([&rStream, nPos]() { rStream.Seek(nPos); });
 // Skip PNG header and IHDR
 rStream.SetEndian(SvStreamEndian::BIG);
- rStream.Seek(PNG_SIGNATURE_SIZE + PNG_TYPE_SIZE + PNG_SIZE_SIZE + PNG_IHDR_SIZE + PNG_CRC_SIZE);
- sal_uInt32 nChunkSize, nChunkType;
- while (rStream.good())
+ if (!checkSeek(rStream, PNG_SIGNATURE_SIZE + PNG_TYPE_SIZE + PNG_SIZE_SIZE + PNG_IHDR_SIZE
+ + PNG_CRC_SIZE))
+ return false;
+ do
 {
+ sal_uInt32 nChunkSize(0), nChunkType(0);
 rStream.ReadUInt32(nChunkSize);
 rStream.ReadUInt32(nChunkType);
 switch (nChunkType)
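Review bot: In the new `do` loop of fcTLbeforeIDAT, the two `ReadUInt32` results reach `switch (nChunkType)` without the stream state being checked first. After a short read both values keep their zero initialisers, so control presumably falls to the `default` branch shown in the next hunk, and the scan ends only because `checkSeek` or the trailing `rStream.good()` test fails. Adding `if (!rStream.good()) return false;` directly after the second read would make truncated input stop the scan by design rather than as a side effect. The function body starts before this hunk and continues after it.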
@@ -300,11 +302,12 @@ bool fcTLbeforeIDAT(SvStream& rStream)
 return false;
 default:
 {
- rStream.SeekRel(nChunkSize + PNG_CRC_SIZE);
+ if (!checkSeek(rStream, rStream.Tell() + nChunkSize + PNG_CRC_SIZE))
+ return false;
 break;
 }
 }
- }
+ } while (rStream.good());
 return false;
 }
commit b4ff0e5fd8e94155cfcb0ab9f9d0ee590f9bee7c Author: Caolán McNamara <caolan.mcnam...@collabora.com> AuthorDate: Fri Oct 6 16:18:47 2023 +0100 Commit: Caolán McNamara <caolan.mcnam...@collabora.com> CommitDate: Sat Oct 7 01:16:24 2023 +0200 ofz#63032 urp stack too deep Change-Id: I13496c629e48128e3d916f3033394392bca3524c Reviewed-on: https://gerrit.libreoffice.org/c/core/+/157656 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com>
diff --git a/include/svtools/parrtf.hxx b/include/svtools/parrtf.hxx
index 136026f56990..980b83c9cbfe 100644
--- a/include/svtools/parrtf.hxx
+++ b/include/svtools/parrtf.hxx
@@ -37,6 +37,7 @@ class SVT_DLLPUBLIC SvRTFParser : public SvParser<int>
 {
 std::stack< RtfParserState_Impl > aParserStates;
 int nOpenBrackets;
+ int nUPRLevel;
 rtl_TextEncoding eCodeSet;
 sal_uInt8 nUCharOverread;
diff --git a/svtools/source/svrtf/parrtf.cxx b/svtools/source/svrtf/parrtf.cxx
index 42fcc211b264..82d69f7881ac 100644
--- a/svtools/source/svrtf/parrtf.cxx
+++ b/svtools/source/svrtf/parrtf.cxx
@@ -39,6 +39,7 @@ const int MAX_STRING_LEN = 1024;
 SvRTFParser::SvRTFParser( SvStream& rIn, sal_uInt8 nStackSize )
 : SvParser<int>( rIn, nStackSize )
 , nOpenBrackets(0)
+ , nUPRLevel(0)
 , eCodeSet(RTL_TEXTENCODING_MS_1252)
 , nUCharOverread(1)
 {
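Review bot: The `default` branch of the chunk loop (second PngImageReader.cxx hunk) accepts any 32-bit `nChunkSize` and leaves rejection entirely to `checkSeek`, with nothing in the visible code recording why that is enough. Forward progress depends on `rStream.Tell() + nChunkSize + PNG_CRC_SIZE` being evaluated in a type wider than 32 bits, so that a length near the 32-bit maximum cannot wrap to a target at or before the current position; that holds if `Tell()` returns a 64-bit offset, which this hunk does not show. A comment such as `// 64-bit sum: a malformed chunk length cannot wrap; checkSeek rejects targets past the end of the stream` would record the invariant the timeout fix relies on. The PNG specification also caps chunk lengths at 2^31-1, so `if (nChunkSize > SAL_MAX_INT32) return false;` would reject such input earlier.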
@@ -160,19 +161,31 @@ int SvRTFParser::GetNextToken_()
 break;
 case RTF_UPR:
- if (!_inSkipGroup) {
- // UPR - overread the group with the ansi
- // information
- int nNextToken;
- do
+ if (!_inSkipGroup)
 {
- nNextToken = GetNextToken_();
- }
- while (nNextToken != '{' && nNextToken != sal_Unicode(EOF) && IsParserWorking());
+ if (nUPRLevel > 256) // fairly sure > 1 is probably an error, but provide some leeway
+ {
+ SAL_WARN("svtools", "urp stack too deep");
+ eState = SvParserState::Error;
+ break;
+ }
- SkipGroup();
- GetNextToken_(); // overread the last bracket
- nRet = 0;
+ ++nUPRLevel;
+
+ // UPR - overread the group with the ansi
+ // information
+ int nNextToken;
+ do
+ {
+ nNextToken = GetNextToken_();
+ }
+ while (nNextToken != '{' && nNextToken != sal_Unicode(EOF) && IsParserWorking());
+
+ SkipGroup();
+ GetNextToken_(); // overread the last bracket
+ nRet = 0;
+
+ --nUPRLevel;
 }
 break;
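Review bot: The depth limit in the `RTF_UPR` case is a bare `256`, and the warning text reads "urp" where the keyword is "upr". A named constant next to `MAX_STRING_LEN`, for example `const int MAX_UPR_DEPTH = 256;` with the check written as `if (nUPRLevel > MAX_UPR_DEPTH)`, would keep the bound in one place; each level is a nested `GetNextToken_()` call, so the value is in effect a stack-depth budget, and the inline comment already says more than one level is probably invalid. The message would then read `SAL_WARN("svtools", "upr stack too deep");`. `++nUPRLevel` and `--nUPRLevel` stay balanced only while nothing between them leaves the block early, which holds for the lines shown; GetNextToken_ starts before this hunk and continues after it.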