vcl/source/gdi/dibtools.cxx | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-)
New commits: commit a22da299787cea0343a55ae794e88cd52d12057a Author: Jürgen Schmidt <j...@apache.org> Date: Fri Mar 28 10:56:13 2014 +0000 Resolves: #i124467# add check for image data offset... against stream length, some further checks (cherry picked from commit 9ceda6fa56d31af717cc2c0c7572cf53cdc47af1) Conflicts: vcl/source/gdi/dibtools.cxx (cherry picked from commit f7799c9317cc3187ae8aaedc36f829d478a59e77) Conflicts: vcl/source/gdi/dibtools.cxx Change-Id: I8993b91ef4fa951e7bae702b0d056996015245ba
diff --git a/vcl/source/gdi/dibtools.cxx b/vcl/source/gdi/dibtools.cxx
index 85d0d9b..dac2c8c 100644
--- a/vcl/source/gdi/dibtools.cxx
+++ b/vcl/source/gdi/dibtools.cxx
@@ -384,7 +384,11 @@ void ImplDecodeRLE( sal_uInt8* pBuffer, DIBV5Header& rHeader, BitmapWriteAccess&
 
 bool ImplReadDIBBits(SvStream& rIStm, DIBV5Header& rHeader, BitmapWriteAccess& rAcc, BitmapWriteAccess* pAccAlpha, bool bTopDown, bool& rAlphaUsed)
 {
- const sal_uLong nAlignedWidth = AlignedWidth4Bytes(rHeader.nWidth * rHeader.nBitCount);
+ const sal_Int64 nBitsPerLine (static_cast<sal_Int64>(rHeader.nWidth) * static_cast<sal_Int64>(rHeader.nBitCount));
+ if (nBitsPerLine > SAL_MAX_UINT32)
+ return false;
+
+ const sal_uLong nAlignedWidth = AlignedWidth4Bytes(static_cast<sal_uLong>(nBitsPerLine));
 sal_uInt32 nRMask(( rHeader.nBitCount == 16 ) ? 0x00007c00UL : 0x00ff0000UL);
 sal_uInt32 nGMask(( rHeader.nBitCount == 16 ) ? 0x000003e0UL : 0x0000ff00UL);
 sal_uInt32 nBMask(( rHeader.nBitCount == 16 ) ? 0x0000001fUL : 0x000000ffUL);
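Review bot: The new range check in ImplReadDIBBits has only an upper bound, so a negative product passes it and is then turned into a very large value by `static_cast<sal_uLong>(nBitsPerLine)`. If `rHeader.nWidth` is a signed type (its declaration is not in the hunk, and the visible test in ImplReadDIBBody only checks that it is non-zero), the guard should reject that case too: `if (nBitsPerLine <= 0 || nBitsPerLine > SAL_MAX_UINT32) return false;`. It is also worth confirming that AlignedWidth4Bytes cannot wrap for inputs close to SAL_MAX_UINT32 on platforms where sal_uLong is 32 bits wide. The function body continues outside the hunk.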
@@ -622,6 +626,13 @@ bool ImplReadDIBBody( SvStream& rIStm, Bitmap& rBmp, Bitmap* pBmpAlpha, sal_uLon
 
 if(ImplReadDIBInfoHeader(rIStm, aHeader, bTopDown) && aHeader.nWidth && aHeader.nHeight && aHeader.nBitCount)
 {
+ if (aHeader.nSize > nOffset)
+ {
+ // Header size claims to extend into the image data.
+ // Looks like an error.
+ return false;
+ }
+
 const sal_uInt16 nBitCount(discretizeBitcount(aHeader.nBitCount));
 const Size aSizePixel(aHeader.nWidth, aHeader.nHeight);
 BitmapPalette aDummyPal;
@@ -774,6 +785,9 @@ bool ImplReadDIBFileHeader( SvStream& rIStm, sal_uLong& rOffset )
 sal_uInt16 nTmp16 = 0;
 bool bRet = false;
 
+ const sal_uLong nStreamLength (rIStm.Seek(STREAM_SEEK_TO_END));
+ rIStm.Seek(STREAM_SEEK_TO_BEGIN);
+
 rIStm >> nTmp16;
 
 if ( ( 0x4D42 == nTmp16 ) || ( 0x4142 == nTmp16 ) )
@@ -794,6 +808,14 @@ bool ImplReadDIBFileHeader( SvStream& rIStm, sal_uLong& rOffset )
 rOffset = nTmp32 - 14UL; // adapt offset by sizeof(BITMAPFILEHEADER)
 bRet = ( rIStm.GetError() == 0UL );
 }
+
+ if (rOffset >= nStreamLength)
+ {
+ // Offset claims that image starts past the end of the
+ // stream. Unlikely.
+ rIStm.SetError( SVSTREAM_FILEFORMAT_ERROR );
+ bRet = false;
+ }
 }
 else
 rIStm.SetError( SVSTREAM_FILEFORMAT_ERROR );
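Review bot: The added `aHeader.nSize > nOffset` test in ImplReadDIBBody rejects the image for any non-zero header size whenever `nOffset` is 0. If a caller passes 0 to mean that no file header was read (the callers are outside this hunk), those images would stop loading. `if (nOffset && aHeader.nSize > nOffset)` limits the check to the case where an offset is actually known, and the comment should say that 0 means "no offset available". The early `return false` also skips whatever the function does at its end, which is not visible here.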
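Review bot: After measuring the stream, ImplReadDIBFileHeader rewinds to `STREAM_SEEK_TO_BEGIN` rather than to the position the stream had on entry, so a DIB that does not start at stream offset 0 would be parsed from the wrong place. Saving the position first with `const sal_uLong nStartPos(rIStm.Tell());` and restoring it with `rIStm.Seek(nStartPos);` keeps the caller's position. The bound in the later `rOffset >= nStreamLength` check (the @@ -794 hunk) should then be the remaining length, `nStreamLength - nStartPos`, because `rOffset` is relative to the DIB and not to the stream start. The function body continues outside the hunk.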
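Review bot: The `rOffset >= nStreamLength` check is applied after `14UL` has already been subtracted, so a too-small `nTmp32` is rejected only through unsigned wrap-around. Offsets that land within the last header-sized stretch of the stream also appear to pass, even though the image data would then start past the end. Comparing against the length minus the header bytes already consumed would close that gap. A comment such as `// nTmp32 smaller than the file header wraps to a huge rOffset and is rejected here as well` would record the dependence on wrap-around. The first branch of the enclosing if/else is outside the hunk, so the same reasoning should be checked against the offset computed there.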