[Libreoffice-commits] core.git: Branch 'libreoffice-4-3' - vcl/qa vcl/source
Caolán McNamara
caolanm at redhat.com
Thu Nov 13 01:10:53 PST 2014
vcl/qa/cppunit/graphicfilter/data/bmp/pass/afl-sample-bad-rle-1.bmp |binary
vcl/qa/cppunit/graphicfilter/data/gif/pass/afl-sample-short-read-1.gif |binary
vcl/qa/cppunit/graphicfilter/data/gif/pass/afl-sample-short-read-2.gif |binary
vcl/qa/cppunit/graphicfilter/data/png/pass/afl-sample-IDAT.png |binary
vcl/source/filter/igif/gifread.cxx | 53 +++++-----
vcl/source/gdi/dibtools.cxx | 43 +++++++-
vcl/source/gdi/pngread.cxx | 6 -
7 files changed, 73 insertions(+), 29 deletions(-)
New commits:
commit a129959cf3b6821cb1b13e6bb28ed410a0e3223a
Author: Caolán McNamara <caolanm at redhat.com>
Date: Tue Nov 11 17:48:26 2014 +0000
valgrind+afl: various problems
valgrind+afl: check p1 at start of loop
(cherry picked from commit e76098b22e5d3f5bb422dfcca34b4d61fe2bd593)
valgrind+afl: initialize cSize
(cherry picked from commit 9313095ea2d5f3dcc531d658e159e16ac2cb44fd)
valgrind+afl: short read
(cherry picked from commit 9d7979b1319ed7360cec8765a1b387dc1e086148)
valgrind+afl: initialize nFlags
(cherry picked from commit f23a51c9f978a3a8796a63ebcc03f7fcad52c6dc)
valgrind+afl: short read
(cherry picked from commit a967c85b13819e2c81082edec0f217259dca7ca8)
valgrind+afl: short read
(cherry picked from commit 1e9a50075bd39e1387f43605eeaa0132af1bd2c0)
valgrind+afl: bad rle
(cherry picked from commit a9aee04ecfbc4494b752b10e2a2348a0ccb991f1)
Change-Id: I0a9e5fc88ed1fcc7f1bd21218cabeb0adf65c9f4
Reviewed-on: https://gerrit.libreoffice.org/12383
Reviewed-by: David Tardon <dtardon at redhat.com>
Tested-by: David Tardon <dtardon at redhat.com>
diff --git a/vcl/qa/cppunit/graphicfilter/data/bmp/pass/afl-sample-bad-rle-1.bmp b/vcl/qa/cppunit/graphicfilter/data/bmp/pass/afl-sample-bad-rle-1.bmp
new file mode 100644
index 0000000..1ca6e00
Binary files /dev/null and b/vcl/qa/cppunit/graphicfilter/data/bmp/pass/afl-sample-bad-rle-1.bmp differ
diff --git a/vcl/qa/cppunit/graphicfilter/data/gif/pass/afl-sample-short-read-1.gif b/vcl/qa/cppunit/graphicfilter/data/gif/pass/afl-sample-short-read-1.gif
new file mode 100644
index 0000000..7cb2a03
Binary files /dev/null and b/vcl/qa/cppunit/graphicfilter/data/gif/pass/afl-sample-short-read-1.gif differ
diff --git a/vcl/qa/cppunit/graphicfilter/data/gif/pass/afl-sample-short-read-2.gif b/vcl/qa/cppunit/graphicfilter/data/gif/pass/afl-sample-short-read-2.gif
new file mode 100644
index 0000000..cddbdc3
Binary files /dev/null and b/vcl/qa/cppunit/graphicfilter/data/gif/pass/afl-sample-short-read-2.gif differ
diff --git a/vcl/qa/cppunit/graphicfilter/data/png/pass/afl-sample-IDAT.png b/vcl/qa/cppunit/graphicfilter/data/png/pass/afl-sample-IDAT.png
new file mode 100644
index 0000000..b116a92
Binary files /dev/null and b/vcl/qa/cppunit/graphicfilter/data/png/pass/afl-sample-IDAT.png differ
diff --git a/vcl/source/filter/igif/gifread.cxx b/vcl/source/filter/igif/gifread.cxx
index a3633cd..a0a2be2 100644
--- a/vcl/source/filter/igif/gifread.cxx
+++ b/vcl/source/filter/igif/gifread.cxx
@@ -184,17 +184,20 @@ bool GIFReader::ReadGlobalHeader()
void GIFReader::ReadPaletteEntries( BitmapPalette* pPal, sal_uLong nCount )
{
- const sal_uLong nLen = 3UL * nCount;
+ sal_uLong nLen = 3UL * nCount;
+ const sal_uInt64 nMaxPossible = rIStm.remainingSize();
+ if (nLen > nMaxPossible)
+ nLen = nMaxPossible;
boost::scoped_array<sal_uInt8> pBuf(new sal_uInt8[ nLen ]);
-
- rIStm.Read( pBuf.get(), nLen );
+ sal_Size nRead = rIStm.Read(pBuf.get(), nLen);
+ nCount = nRead/3UL;
if( NO_PENDING( rIStm ) )
{
sal_uInt8* pTmp = pBuf.get();
- for( sal_uLong i = 0UL; i < nCount; )
+ for (sal_uLong i = 0UL; i < nCount; ++i)
{
- BitmapColor& rColor = (*pPal)[ (sal_uInt16) i++ ];
+ BitmapColor& rColor = (*pPal)[i];
rColor.SetRed( *pTmp++ );
rColor.SetGreen( *pTmp++ );
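Review bot: A truncated colour table is now accepted silently in `ReadPaletteEntries`: `nLen` is clamped to `remainingSize()` and `nCount = nRead/3UL;` shortens the loop, so entries of `*pPal` beyond the bytes actually read keep whatever value they had, and the void function gives the caller no indication. Because the read length was clamped first, the stream is unlikely to report an error that `NO_PENDING` would catch, so this looks deliberate. A comment above the clamp would make that explicit, e.g. `// truncated file: fill only the entries we have data for, leave the rest untouched`. The function body continues past the end of the hunk.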
@@ -214,16 +217,15 @@ void GIFReader::ReadPaletteEntries( BitmapPalette* pPal, sal_uLong nCount )
bool GIFReader::ReadExtension()
{
- sal_uInt8 cFunction;
- sal_uInt8 cSize;
- sal_uInt8 cByte;
bool bRet = false;
bool bOverreadDataBlocks = false;
// Extension-Label
+ sal_uInt8 cFunction(0);
rIStm.ReadUChar( cFunction );
if( NO_PENDING( rIStm ) )
{
+ sal_uInt8 cSize(0);
// Block length
rIStm.ReadUChar( cSize );
@@ -232,12 +234,12 @@ bool GIFReader::ReadExtension()
// 'Graphic Control Extension'
case( 0xf9 ) :
{
- sal_uInt8 cFlags;
-
- rIStm.ReadUChar( cFlags );
- rIStm.ReadUInt16( nTimer );
- rIStm.ReadUChar( nGCTransparentIndex );
- rIStm.ReadUChar( cByte );
+ sal_uInt8 cFlags(0);
+ rIStm.ReadUChar(cFlags);
+ rIStm.ReadUInt16(nTimer);
+ rIStm.ReadUChar(nGCTransparentIndex);
+ sal_uInt8 cByte(0);
+ rIStm.ReadUChar(cByte);
if ( NO_PENDING( rIStm ) )
{
@@ -267,6 +269,7 @@ bool GIFReader::ReadExtension()
// NetScape-Extension
if( aAppId == "NETSCAPE" && aAppCode == "2.0" && cSize == 3 )
{
+ sal_uInt8 cByte(0);
rIStm.ReadUChar( cByte );
// Loop-Extension
@@ -293,6 +296,7 @@ bool GIFReader::ReadExtension()
}
else if ( aAppId == "STARDIV " && aAppCode == "5.0" && cSize == 9 )
{
+ sal_uInt8 cByte(0);
rIStm.ReadUChar( cByte );
// Loop extension
@@ -325,14 +329,17 @@ bool GIFReader::ReadExtension()
bRet = true;
while( cSize && bStatus && !rIStm.IsEof() )
{
- sal_uInt16 nCount = (sal_uInt16) cSize + 1;
- boost::scoped_array<char> pBuffer(new char[ nCount ]);
+ sal_uInt16 nCount = (sal_uInt16) cSize + 1;
+ const sal_uInt64 nMaxPossible = rIStm.remainingSize();
+ if (nCount > nMaxPossible)
+ nCount = nMaxPossible;
+ boost::scoped_array<sal_uInt8> pBuffer(new sal_uInt8[nCount]);
bRet = false;
- rIStm.Read( pBuffer.get(), nCount );
- if( NO_PENDING( rIStm ) )
+ sal_Size nRead = rIStm.Read(pBuffer.get(), nCount);
+ if (NO_PENDING(rIStm) && cSize < nRead)
{
- cSize = (sal_uInt8) pBuffer[ cSize ];
+ cSize = pBuffer[cSize];
bRet = true;
}
else
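Review bot: The clamp `nCount = nMaxPossible;` implicitly narrows a `sal_uInt64` into a `sal_uInt16`; the preceding comparison makes it safe, but `nCount = static_cast<sal_uInt16>(nMaxPossible);` states that and avoids a truncation warning. Separately, `cSize` is a `sal_uInt8`, so `nCount` never exceeds 256, and the `scoped_array` allocated on every pass of the `while` loop could be a single `sal_uInt8 aBuffer[256];` declared before the loop. The `cSize < nRead` test is what keeps `pBuffer[cSize]` inside the bytes actually read, which deserves a one-line comment. The loop and the enclosing `ReadExtension` extend beyond the hunk on both sides.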
@@ -349,19 +356,19 @@ bool GIFReader::ReadLocalHeader()
sal_uInt8 pBuf[ 9 ];
bool bRet = false;
- rIStm.Read( pBuf, 9 );
- if( NO_PENDING( rIStm ) )
+ sal_Size nRead = rIStm.Read(pBuf, 9);
+ if (NO_PENDING(rIStm) && nRead == 9)
{
SvMemoryStream aMemStm;
BitmapPalette* pPal;
- sal_uInt8 nFlags;
aMemStm.SetBuffer( (char*) pBuf, 9, false, 9 );
aMemStm.ReadUInt16( nImagePosX );
aMemStm.ReadUInt16( nImagePosY );
aMemStm.ReadUInt16( nImageWidth );
aMemStm.ReadUInt16( nImageHeight );
- aMemStm.ReadUChar( nFlags );
+ sal_uInt8 nFlags(0);
+ aMemStm.ReadUChar(nFlags);
// if interlaced, first define startvalue
bInterlaced = ( ( nFlags & 0x40 ) == 0x40 );
diff --git a/vcl/source/gdi/dibtools.cxx b/vcl/source/gdi/dibtools.cxx
index b61a1ad..92490cb 100644
--- a/vcl/source/gdi/dibtools.cxx
+++ b/vcl/source/gdi/dibtools.cxx
@@ -276,9 +276,10 @@ bool ImplReadDIBPalette( SvStream& rIStm, BitmapWriteAccess& rAcc, bool bQuad )
return( rIStm.GetError() == 0UL );
}
-void ImplDecodeRLE( sal_uInt8* pBuffer, DIBV5Header& rHeader, BitmapWriteAccess& rAcc, bool bRLE4 )
+bool ImplDecodeRLE( sal_uInt8* pBuffer, DIBV5Header& rHeader, BitmapWriteAccess& rAcc, bool bRLE4 )
{
- Scanline pRLE = pBuffer;
+ Scanline pRLE = pBuffer;
+ Scanline pEndRLE = pBuffer + rHeader.nSizeImage;
long nY = rHeader.nHeight - 1L;
const sal_uLong nWidth = rAcc.Width();
sal_uLong nCountByte;
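Review bot: `ImplDecodeRLE` now returns `bool`, but no hunk in this diff changes a caller, so the `false` returned for a truncated RLE stream appears to be discarded. If the call in `ImplReadDIBBits` is still a bare statement, it should become `if (!ImplDecodeRLE(...)) return false;`, with the argument list kept as at the existing call site. The bound `pEndRLE = pBuffer + rHeader.nSizeImage` also relies on the caller having allocated exactly `rHeader.nSizeImage` bytes, which is only visible in `ImplReadDIBBits`; a comment on the new line such as `// pBuffer must hold rHeader.nSizeImage bytes` would record that precondition. The function body continues outside the hunk.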
@@ -289,8 +290,12 @@ void ImplDecodeRLE( sal_uInt8* pBuffer, DIBV5Header& rHeader, BitmapWriteAccess&
do
{
+ if (pRLE == pEndRLE)
+ return false;
if( ( nCountByte = *pRLE++ ) == 0 )
{
+ if (pRLE == pEndRLE)
+ return false;
nRunByte = *pRLE++;
if( nRunByte > 2 )
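Review bot: The end-of-buffer guard is written as `pRLE == pEndRLE`, which is only sufficient while every advance of `pRLE` is a single step preceded by its own check. `if (pRLE >= pEndRLE) return false;` would still stop the decoder if a later edit adds an unguarded increment. The same guard is repeated in the hunks at -301, -312, -319, -332 and -344, so a small file-local helper or a comment stating the invariant would keep them consistent. The do/while body starts and ends outside this hunk.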
@@ -301,6 +306,9 @@ void ImplDecodeRLE( sal_uInt8* pBuffer, DIBV5Header& rHeader, BitmapWriteAccess&
for( sal_uLong i = 0UL; i < nCountByte; i++ )
{
+ if (pRLE == pEndRLE)
+ return false;
+
cTmp = *pRLE++;
if( nX < nWidth )
@@ -312,6 +320,9 @@ void ImplDecodeRLE( sal_uInt8* pBuffer, DIBV5Header& rHeader, BitmapWriteAccess&
if( nRunByte & 1 )
{
+ if (pRLE == pEndRLE)
+ return false;
+
if( nX < nWidth )
rAcc.SetPixelIndex( nY, nX++, *pRLE >> 4 );
@@ -319,12 +330,20 @@ void ImplDecodeRLE( sal_uInt8* pBuffer, DIBV5Header& rHeader, BitmapWriteAccess&
}
if( ( ( nRunByte + 1 ) >> 1 ) & 1 )
+ {
+ if (pRLE == pEndRLE)
+ return false;
+
pRLE++;
+ }
}
else
{
for( sal_uLong i = 0UL; i < nRunByte; i++ )
{
+ if (pRLE == pEndRLE)
+ return false;
+
if( nX < nWidth )
rAcc.SetPixelIndex( nY, nX++, *pRLE );
@@ -332,7 +351,12 @@ void ImplDecodeRLE( sal_uInt8* pBuffer, DIBV5Header& rHeader, BitmapWriteAccess&
}
if( nRunByte & 1 )
+ {
+ if (pRLE == pEndRLE)
+ return false;
+
pRLE++;
+ }
}
}
else if( !nRunByte )
@@ -344,12 +368,21 @@ void ImplDecodeRLE( sal_uInt8* pBuffer, DIBV5Header& rHeader, BitmapWriteAccess&
bEndDecoding = true;
else
{
+ if (pRLE == pEndRLE)
+ return false;
+
nX += *pRLE++;
+
+ if (pRLE == pEndRLE)
+ return false;
+
nY -= *pRLE++;
}
}
else
{
+ if (pRLE == pEndRLE)
+ return false;
cTmp = *pRLE++;
if( bRLE4 )
@@ -375,7 +408,9 @@ void ImplDecodeRLE( sal_uInt8* pBuffer, DIBV5Header& rHeader, BitmapWriteAccess&
}
}
}
- while ( !bEndDecoding && ( nY >= 0L ) );
+ while (!bEndDecoding && (nY >= 0L));
+
+ return true;
}
bool ImplReadDIBBits(SvStream& rIStm, DIBV5Header& rHeader, BitmapWriteAccess& rAcc, BitmapWriteAccess* pAccAlpha, bool bTopDown, bool& rAlphaUsed)
@@ -444,7 +479,7 @@ bool ImplReadDIBBits(SvStream& rIStm, DIBV5Header& rHeader, BitmapWriteAccess& r
boost::scoped_array<sal_uInt8> pBuffer(
new sal_uInt8[rHeader.nSizeImage]);
- if (rIStm.Read((char*)pBuffer.get(), rHeader.nSizeImage)
+ if (rIStm.Read(pBuffer.get(), rHeader.nSizeImage)
!= rHeader.nSizeImage)
{
return false;
diff --git a/vcl/source/gdi/pngread.cxx b/vcl/source/gdi/pngread.cxx
index 6198c48..7964cd7 100644
--- a/vcl/source/gdi/pngread.cxx
+++ b/vcl/source/gdi/pngread.cxx
@@ -1030,9 +1030,11 @@ void PNGReaderImpl::ImplApplyFilter()
p1 += mnBPP;
// use left pixels
- do
+ while (p1 < pScanEnd)
+ {
*p1 = static_cast<sal_uInt8>( *p1 + *(p2++) );
- while( ++p1 < pScanEnd );
+ ++p1;
+ }
}
break;
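Review bot: The reason for turning the do/while into `while (p1 < pScanEnd)` is not recorded in the code. After `p1 += mnBPP;` the pointer can already be at or past `pScanEnd` when the scanline holds no more than `mnBPP` bytes, and the old loop wrote through it once before testing. A comment such as `// p1 may already have reached pScanEnd for very short scanlines` above the loop would keep someone from converting it back. Any other filter case in `ImplApplyFilter` that still uses the do/while form would need the same guard; those cases are outside the hunk.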