[Libreoffice-commits] core.git: vcl/source

Jürgen Schmidt jsc at apache.org
Fri Mar 28 08:59:39 PDT 2014 

 vcl/source/gdi/dibtools.cxx |   24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

New commits:
commit f7799c9317cc3187ae8aaedc36f829d478a59e77
Author: Jürgen Schmidt <jsc at apache.org>
Date:   Fri Mar 28 10:56:13 2014 +0000

    Resolves: #i124467# add check for image data offset...
    
    against stream length, some further checks
    
    (cherry picked from commit 9ceda6fa56d31af717cc2c0c7572cf53cdc47af1)
    
    Conflicts:
    	vcl/source/gdi/dibtools.cxx
    
    Change-Id: I8993b91ef4fa951e7bae702b0d056996015245ba

diff --git a/vcl/source/gdi/dibtools.cxx b/vcl/source/gdi/dibtools.cxx
index 7d5d670..1ffdcd9 100644
--- a/vcl/source/gdi/dibtools.cxx
+++ b/vcl/source/gdi/dibtools.cxx
@@ -383,7 +383,11 @@ void ImplDecodeRLE( sal_uInt8* pBuffer, DIBV5Header& rHeader, BitmapWriteAccess&
 
 bool ImplReadDIBBits(SvStream& rIStm, DIBV5Header& rHeader, BitmapWriteAccess& rAcc, BitmapWriteAccess* pAccAlpha, bool bTopDown, bool& rAlphaUsed)
 {
-    const sal_uLong nAlignedWidth = AlignedWidth4Bytes(rHeader.nWidth * rHeader.nBitCount);
+    const sal_Int64 nBitsPerLine (static_cast<sal_Int64>(rHeader.nWidth) * static_cast<sal_Int64>(rHeader.nBitCount));
+    if (nBitsPerLine > SAL_MAX_UINT32)
+        return false;
+
+    const sal_uLong nAlignedWidth = AlignedWidth4Bytes(static_cast<sal_uLong>(nBitsPerLine));
     sal_uInt32 nRMask(( rHeader.nBitCount == 16 ) ? 0x00007c00UL : 0x00ff0000UL);
     sal_uInt32 nGMask(( rHeader.nBitCount == 16 ) ? 0x000003e0UL : 0x0000ff00UL);
     sal_uInt32 nBMask(( rHeader.nBitCount == 16 ) ? 0x0000001fUL : 0x000000ffUL);
@@ -607,6 +611,13 @@ bool ImplReadDIBBody( SvStream& rIStm, Bitmap& rBmp, Bitmap* pBmpAlpha, sal_uLon
 
     if(ImplReadDIBInfoHeader(rIStm, aHeader, bTopDown) && aHeader.nWidth && aHeader.nHeight && aHeader.nBitCount)
     {
+        if (aHeader.nSize > nOffset)
+        {
+            // Header size claims to extend into the image data.
+            // Looks like an error.
+            return false;
+        }
+
         const sal_uInt16 nBitCount(discretizeBitcount(aHeader.nBitCount));
         const Size aSizePixel(aHeader.nWidth, aHeader.nHeight);
         BitmapPalette aDummyPal;
@@ -759,6 +770,9 @@ bool ImplReadDIBFileHeader( SvStream& rIStm, sal_uLong& rOffset )
     sal_uInt16  nTmp16 = 0;
     bool    bRet = false;
 
+    const sal_uLong nStreamLength (rIStm.Seek(STREAM_SEEK_TO_END));
+    rIStm.Seek(STREAM_SEEK_TO_BEGIN);
+
     rIStm.ReadUInt16( nTmp16 );
 
     if ( ( 0x4D42 == nTmp16 ) || ( 0x4142 == nTmp16 ) )
@@ -779,6 +793,14 @@ bool ImplReadDIBFileHeader( SvStream& rIStm, sal_uLong& rOffset )
             rOffset = nTmp32 - 14UL;    // adapt offset by sizeof(BITMAPFILEHEADER)
             bRet = ( rIStm.GetError() == 0UL );
         }
+
+        if (rOffset >= nStreamLength)
+        {
+            // Offset claims that image starts past the end of the
+            // stream.  Unlikely.
+            rIStm.SetError( SVSTREAM_FILEFORMAT_ERROR );
+            bRet = false;
+        }
     }
     else
         rIStm.SetError( SVSTREAM_FILEFORMAT_ERROR );

More information about the Libreoffice-commits mailing list