[Libreoffice-commits] .: Branch 'libreoffice-3-5' - vcl/source

Petr Mladek pmladek at kemper.freedesktop.org
Mon Apr 23 08:19:52 PDT 2012 

 vcl/source/gdi/pngread.cxx |   27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

New commits:
commit 15afc7ab406141983f8b64fca116586e3c1cb581
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Thu Apr 19 20:46:59 2012 +0100

    fail earlier on oversized images
    
    Signed-off-by: Petr Mladek <pmladek at suse.cz>

diff --git a/vcl/source/gdi/pngread.cxx b/vcl/source/gdi/pngread.cxx
index 1c590b5..2302e33 100644
--- a/vcl/source/gdi/pngread.cxx
+++ b/vcl/source/gdi/pngread.cxx
@@ -620,14 +620,6 @@ sal_Bool PNGReaderImpl::ImplReadHeader( const Size& rPreviewSizeHint )
 
     mnScansize = static_cast< sal_uInt32 >( nScansize64 );
 
-    // TODO: switch between both scanlines instead of copying
-    mpInflateInBuf = new (std::nothrow) sal_uInt8[ mnScansize ];
-    mpScanCurrent = mpInflateInBuf;
-    mpScanPrior = new (std::nothrow) sal_uInt8[ mnScansize ];
-
-    if ( !mpInflateInBuf || !mpScanPrior )
-        return sal_False;
-
     // calculate target size from original size and the preview hint
     if( rPreviewSizeHint.Width() || rPreviewSizeHint.Height() )
     {
@@ -662,6 +654,25 @@ sal_Bool PNGReaderImpl::ImplReadHeader( const Size& rPreviewSizeHint )
     maTargetSize.Width()  = (maOrigSize.Width() + mnPreviewMask) >> mnPreviewShift;
     maTargetSize.Height() = (maOrigSize.Height() + mnPreviewMask) >> mnPreviewShift;
 
+    //round bits up to nearest multiple of 8 and divide by 8 to get num of bytes per pixel
+    int nBytesPerPixel = ((mnTargetDepth + 7) & ~7)/8;
+
+    //stupidly big, forget about it
+    if (maTargetSize.Width() >= SAL_MAX_INT32 / nBytesPerPixel / maTargetSize.Height())
+    {
+        SAL_WARN( "vcl", "overlarge png dimensions: " <<
+            maTargetSize.Width() << " x " << maTargetSize.Height() << " depth: " << mnTargetDepth);
+        return sal_False;
+    }
+
+    // TODO: switch between both scanlines instead of copying
+    mpInflateInBuf = new (std::nothrow) sal_uInt8[ mnScansize ];
+    mpScanCurrent = mpInflateInBuf;
+    mpScanPrior = new (std::nothrow) sal_uInt8[ mnScansize ];
+
+    if ( !mpInflateInBuf || !mpScanPrior )
+        return sal_False;
+
     mpBmp = new Bitmap( maTargetSize, mnTargetDepth );
     mpAcc = mpBmp->AcquireWriteAccess();
     if( !mpAcc )

More information about the Libreoffice-commits mailing list