vcl/source/filter/itiff/itiff.cxx |   15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

New commits:
commit 99b8446dacda9bdeba9609d17dca34b365cc7763
Author:     Caolán McNamara <caolan.mcnam...@collabora.com>
AuthorDate: Sat Aug 24 20:48:53 2024 +0100
Commit:     Caolán McNamara <caolan.mcnam...@collabora.com>
CommitDate: Sun Aug 25 11:36:56 2024 +0200

    ofz#69874 make a failed seek for libtiff poison the stream
    
    ...for the rest of the tiff reads/seeks.
    
    Comparing our fuzzer against the libtiff fuzzer, that one uses the
    libtifxx std::stream integration so std::stream badbit rules apply and
    after the first failed (seek) operation all subsequent operations fail,
    so do the same for our tiff importer to align with the libtiff
    expectations.
    
    Change-Id: Ic881389bf78643803de70afeda55112a54b09c1b
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/172363
    Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com>
    Tested-by: Jenkins

diff --git a/vcl/source/filter/itiff/itiff.cxx 
b/vcl/source/filter/itiff/itiff.cxx
index 81f21c411b5c..bdf4999df514 100644
--- a/vcl/source/filter/itiff/itiff.cxx
+++ b/vcl/source/filter/itiff/itiff.cxx
@@ -40,20 +40,29 @@ namespace
         SvStream& rStream;
         tsize_t nStart;
         tsize_t nSize;
+        ErrCode nOrigError;
         bool bAllowOneShortRead;
         Context(SvStream& rInStream)
             : rStream(rInStream)
             , nStart(rInStream.Tell())
             , nSize(rInStream.remainingSize())
+            , nOrigError(rInStream.GetError())
             , bAllowOneShortRead(false)
         {
         }
+        ~Context()
+        {
+            rStream.SetError(nOrigError);
+        }
     };
 }
 
 static tsize_t tiff_read(thandle_t handle, tdata_t buf, tsize_t size)
 {
     Context* pContext = static_cast<Context*>(handle);
+    if (pContext->rStream.bad())
+        return 0;
+
     tsize_t nRead = pContext->rStream.ReadBytes(buf, size);
     // tdf#149417 allow one short read, which is similar to what
     // we do for jpeg since tdf#138950
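Review bot: The new destructor restores the caller's error state with `rStream.SetError(nOrigError)`, but if SvStream::SetError only records a code when no error is set yet (which I believe is the case), then with nOrigError == ERRCODE_NONE this call is a no-op and the SVSTREAM_SEEK_ERROR poison set in tiff_seek outlives the import; if so the intent needs `rStream.ResetError(); rStream.SetError(nOrigError);`. Independently of that, Context now has a destructor with a side effect on a shared stream yet stays copyable, so a copy would restore the error twice at two different times; `Context(const Context&) = delete; Context& operator=(const Context&) = delete;` would make the ownership explicit. The new member and destructor also carry no comment; a line such as `// poisoning the stream is scoped to this import: put the caller's error state back when we are done` above `~Context()` would tell the next reader why the original code is captured. The `struct Context` header itself lies above the hunk.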
@@ -91,7 +100,11 @@ static toff_t tiff_seek(thandle_t handle, toff_t offset, 
int whence)
             break;
     }
 
-    pContext->rStream.Seek(offset);
+    if (pContext->rStream.bad() || !checkSeek(pContext->rStream, offset))
+    {
+        offset = pContext->rStream.Tell();
+        pContext->rStream.SetError(SVSTREAM_SEEK_ERROR);
+    }
 
     return offset - pContext->nStart;
 }
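Review bot: The failure branch at `offset = pContext->rStream.Tell();` silently relies on the caller noticing that the returned position differs from the requested one; presumably libtiff compares the two and treats a mismatch as a failed seek, but nothing in the hunk says so, so a comment such as `// poison the stream and report the real position so libtiff sees the seek as failed` would document the contract. Because toff_t is unsigned, `return offset - pContext->nStart;` wraps if a failed checkSeek can leave the stream positioned before nStart; I cannot tell from here whether SvStream ever does that, so it is worth confirming, and a `if (offset < pContext->nStart) offset = pContext->nStart;` guard would make the return well-defined either way. The `SetError` call is also reached when `bad()` was already true; if SetError keeps the first error as I expect, that is harmless, otherwise the earlier code is overwritten. The head of tiff_seek, including the switch that computes offset from whence, is above the hunk.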
