[Libreoffice-commits] .: basebmp/source svtools/qa vcl/source

Caolán McNamara caolan at kemper.freedesktop.org
Tue Apr 17 08:47:16 PDT 2012


 basebmp/source/bitmapdevice.cxx                      |   12 ++++++-
 svtools/qa/cppunit/data/png/fail/CVE-2004-0597-1.png |    3 +
 svtools/qa/cppunit/data/png/fail/CVE-2005-0633-1.png |binary
 svtools/qa/cppunit/data/png/fail/CVE-2006-7210-1.png |binary
 svtools/qa/cppunit/data/png/fail/CVE-2007-2365-1.png |binary
 svtools/qa/cppunit/data/png/fail/CVE-2009-1511-1.png |    1 
 svtools/qa/cppunit/data/png/pass/black.png           |binary
 svtools/qa/cppunit/filters-test.cxx                  |    4 ++
 vcl/source/gdi/pngread.cxx                           |   31 +++++++++++++------
 9 files changed, 40 insertions(+), 11 deletions(-)

New commits:
commit 9ff94ae0fa947c5fd6a31fbc38421f60eb5e1fba
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Tue Apr 17 16:45:23 2012 +0100

    png parsing regression test

diff --git a/basebmp/source/bitmapdevice.cxx b/basebmp/source/bitmapdevice.cxx
index 1586fce..b3676c6 100644
--- a/basebmp/source/bitmapdevice.cxx
+++ b/basebmp/source/bitmapdevice.cxx
@@ -1881,8 +1881,16 @@ BitmapDeviceSharedPtr createBitmapDeviceImpl( const basegfx::B2IVector&
     // factor in bottom-up scanline order case
     nScanlineStride *= bTopDown ? 1 : -1;
 
-    const std::size_t nMemSize(
-        (nScanlineStride < 0 ? -nScanlineStride : nScanlineStride)*rSize.getY() );
+    const sal_uInt32 nWidth(nScanlineStride < 0 ? -nScanlineStride : nScanlineStride);
+    const sal_uInt32 nHeight(rSize.getY());
+
+    if (nHeight && nWidth && nWidth > SAL_MAX_INT32 / nHeight)
+    {
+        SAL_WARN( "basebmp", "suspicious massive alloc " << nWidth << " * " << nHeight);
+        return BitmapDeviceSharedPtr();
+    }
+
+    const std::size_t nMemSize(nWidth * nHeight);
 
     if( !pMem )
     {
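Review bot: The new guard before nMemSize documents nothing about why a negative height is acceptable input to it: rSize.getY() is presumably a signed value, and a negative result converts to a huge sal_uInt32 nHeight, which the `nWidth > SAL_MAX_INT32 / nHeight` test then rejects only while nWidth is non-zero (nWidth == 0 falls through to a zero-byte nMemSize). A comment such as `// reject sizes whose byte count would not fit in 32 bits; a negative height wraps to a huge sal_uInt32 and is rejected the same way` would make that intent explicit for the next reader. Separately, `-nScanlineStride` on the most negative value of a signed stride is undefined behaviour — pre-existing, but worth a note since this is now the only place the magnitude is computed. createBitmapDeviceImpl starts before and continues past the hunk, so I cannot see whether callers check the empty BitmapDeviceSharedPtr that the early return now produces.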
diff --git a/svtools/qa/cppunit/data/png/fail/.gitignore b/svtools/qa/cppunit/data/png/fail/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/svtools/qa/cppunit/data/png/fail/CVE-2004-0597-1.png b/svtools/qa/cppunit/data/png/fail/CVE-2004-0597-1.png
new file mode 100644
index 0000000..fa90a29
--- /dev/null
+++ b/svtools/qa/cppunit/data/png/fail/CVE-2004-0597-1.png
@@ -0,0 +1,3 @@
+Àœë#Mb£Š}ÕÔo7ë2ÎË~X¨á.^TÿwBè„!õ›žf1±°ƒÿ»±sé
‘tšùgšça2bA±Õð‡ÁËHbè—"8àî|†ìeGf­S$N0nI€Öªõ
+Ôç0"ð—JG°zÀ¤Ü¢(s?d)À"Ëÿ‘GE¢×F¯–9~}–ÇrÕ	TΝp?áÅÂ*¿ìò·¥ckµ$E"ŒXï¯8á¾=2±T_3³v¿™#é–á$Hh4«‰JÑKiÝŠJÿ&7r…ú€…Ï=uŠ¯ù69KÙjãûäÎçèÿëWh{‘é½Ï$·
dVÅÜ[îÐЖ™Êy\à%Žº%†Ç¾H®meÛÃÞ+
“Á}€ÀgXI¡2ñ>‰*Ä«õ&ù˜Õú›Í·
)†Ì¸6ÔpU‚TjODhٝ¶1™éù-ÄÔ<WµŒUR±Kø591Òþ¦«M“„?
+~˜æ*Nr¡Ìu;µãÀkh©ÉXˆÔà{֍ßÔ¤»' ӏw©ìF[—ÛÒKèRÓf§y›‹O¹¨%0´©iháx׃‹€wz¿4dT.¥@ŒXm4¦Þi¤íô÷pçð¬Z¼¾^±ßy‘˜ÝÂЯú`®ºÎ_YŸ¬?  …t‹uw4\kÁd¬J~m˜‹gú`<2ìl²Ñn¦ÒãùÞ*ð
òök h*n÷„w7ƒ‘!“YIßP+hK†Ø*Ôž`õ?Ëâç˜ü
\ No newline at end of file
diff --git a/svtools/qa/cppunit/data/png/fail/CVE-2005-0633-1.png b/svtools/qa/cppunit/data/png/fail/CVE-2005-0633-1.png
new file mode 100644
index 0000000..d0644d1
Binary files /dev/null and b/svtools/qa/cppunit/data/png/fail/CVE-2005-0633-1.png differ
diff --git a/svtools/qa/cppunit/data/png/fail/CVE-2006-7210-1.png b/svtools/qa/cppunit/data/png/fail/CVE-2006-7210-1.png
new file mode 100644
index 0000000..9b30cc3
Binary files /dev/null and b/svtools/qa/cppunit/data/png/fail/CVE-2006-7210-1.png differ
diff --git a/svtools/qa/cppunit/data/png/fail/CVE-2007-2365-1.png b/svtools/qa/cppunit/data/png/fail/CVE-2007-2365-1.png
new file mode 100644
index 0000000..b9ff67b
Binary files /dev/null and b/svtools/qa/cppunit/data/png/fail/CVE-2007-2365-1.png differ
diff --git a/svtools/qa/cppunit/data/png/fail/CVE-2009-1511-1.png b/svtools/qa/cppunit/data/png/fail/CVE-2009-1511-1.png
new file mode 100644
index 0000000..592fda1
--- /dev/null
+++ b/svtools/qa/cppunit/data/png/fail/CVE-2009-1511-1.png
@@ -0,0 +1 @@
+Àœë#Mb£Š}ÕÔo7ë2͐~\íá._舄Ã{ÜÚß'p|&êFàà¨/û§§‚ô¬
\ No newline at end of file
diff --git a/svtools/qa/cppunit/data/png/indeterminate/.gitignore b/svtools/qa/cppunit/data/png/indeterminate/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/svtools/qa/cppunit/data/png/pass/.gitignore b/svtools/qa/cppunit/data/png/pass/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/svtools/qa/cppunit/data/png/pass/black.png b/svtools/qa/cppunit/data/png/pass/black.png
new file mode 100644
index 0000000..cbba93b
Binary files /dev/null and b/svtools/qa/cppunit/data/png/pass/black.png differ
diff --git a/svtools/qa/cppunit/filters-test.cxx b/svtools/qa/cppunit/filters-test.cxx
index a1c4a44..296d96e 100644
--- a/svtools/qa/cppunit/filters-test.cxx
+++ b/svtools/qa/cppunit/filters-test.cxx
@@ -80,6 +80,10 @@ void SvtoolsFiltersTest::testCVEs()
     testDir(rtl::OUString(),
         getURLFromSrc("/svtools/qa/cppunit/data/sgv/"),
         rtl::OUString());
+
+    testDir(rtl::OUString(),
+        getURLFromSrc("/svtools/qa/cppunit/data/png/"),
+        rtl::OUString());
 }
 
 CPPUNIT_TEST_SUITE_REGISTRATION(SvtoolsFiltersTest);
diff --git a/vcl/source/gdi/pngread.cxx b/vcl/source/gdi/pngread.cxx
index a85a8ec..d279c01 100644
--- a/vcl/source/gdi/pngread.cxx
+++ b/vcl/source/gdi/pngread.cxx
@@ -194,6 +194,7 @@ PNGReaderImpl::PNGReaderImpl( SvStream& rPNGStream )
     mpScanCurrent   ( NULL ),
     mpColorTable    ( (sal_uInt8*) mpDefaultColorTable ),
     mnPass ( 0 ),
+    mbPalette( sal_False ),
     mbzCodecInUse   ( sal_False ),
     mbStatus( sal_True),
     mbIDAT( sal_False ),
@@ -297,7 +298,7 @@ bool PNGReaderImpl::ReadNextChunk()
             nCRC32 = rtl_crc32( nCRC32, &rChunkData.aData[ 0 ], mnChunkLen );
             maDataIter = rChunkData.aData.begin();
         }
-        sal_uInt32 nCheck;
+        sal_uInt32 nCheck(0);
         mrPNGStream >> nCheck;
         if( nCRC32 != nCheck )
             return false;
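Review bot: Initialising `nCheck(0)` makes a truncated stream deterministic, but it does not make it detectable: if `mrPNGStream >> nCheck` hits end of stream, nCheck stays 0 and a chunk whose computed CRC happens to be 0 would be accepted. If SvStream reports read failures through an error state (I believe `GetError()` does), the comparison should also consult it, e.g. `if( mrPNGStream.GetError() || nCRC32 != nCheck ) return false;`. ReadNextChunk starts before the hunk, so I cannot see whether an earlier length check already guarantees the four CRC bytes are present.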
@@ -339,14 +340,23 @@ BitmapEx PNGReaderImpl::GetBitmapEx( const Size& rPreviewSizeHint )
     // reset to the first chunk
     maChunkIter = maChunkSeq.begin();
 
-    // parse the chunks
+    // first chunk must be IDHR
+    if( mbStatus && ReadNextChunk() )
+    {
+        if (mnChunkType == PNGCHUNK_IHDR)
+            mbStatus = ImplReadHeader( rPreviewSizeHint );
+        else
+            mbStatus = false;
+    }
+
+    // parse the remaining chunks
     while( mbStatus && !mbIDAT && ReadNextChunk() )
     {
         switch( mnChunkType )
         {
             case PNGCHUNK_IHDR :
             {
-                mbStatus = ImplReadHeader( rPreviewSizeHint );
+                mbStatus = false; //IHDR should only appear as the first chunk
             }
             break;
 
@@ -756,14 +766,17 @@ sal_Bool PNGReaderImpl::ImplReadTransparent()
             {
                 if ( mnChunkLen <= 256 )
                 {
+                    mbTransparent = true;
                     mpTransTab = new sal_uInt8 [ 256 ];
                     rtl_fillMemory( mpTransTab, 256, 0xff );
-                    rtl_copyMemory( mpTransTab, &(*maDataIter), mnChunkLen );
-                    maDataIter += mnChunkLen;
-                    mbTransparent = true;
-                    // need alpha transparency if not on/off masking
-                    for( int i = 0; i < mnChunkLen; ++i )
-                       bNeedAlpha |= (mpTransTab[i]!=0x00) && (mpTransTab[i]!=0xFF);
+                    if (mnChunkLen > 0)
+                    {
+                        rtl_copyMemory( mpTransTab, &(*maDataIter), mnChunkLen );
+                        maDataIter += mnChunkLen;
+                        // need alpha transparency if not on/off masking
+                        for( int i = 0; i < mnChunkLen; ++i )
+                           bNeedAlpha |= (mpTransTab[i]!=0x00) && (mpTransTab[i]!=0xFF);
+                    }
                 }
             }
             break;
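Review bot: The reordered block still does `mpTransTab = new sal_uInt8 [ 256 ]` unconditionally, so a file carrying a second tRNS chunk would overwrite the pointer and leak the first table, unless a check that is outside this hunk rejects repeated tRNS chunks. A one-line guard before the allocation, `delete[] mpTransTab;`, or rejecting the chunk when mpTransTab is already set, would close that. Also, `mbTransparent = true` now runs even when `mnChunkLen == 0`, leaving a transparent flag with an all-0xff table; if that is intended it deserves a comment such as `// an empty tRNS still marks the image transparent, with a fully opaque table`. ImplReadTransparent starts before and continues past the hunk.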

