[Libreoffice-commits] core.git: Branch 'libreoffice-4-4' - filter/source
Stephan Bergmann
sbergman at redhat.com
Tue Aug 25 08:07:57 PDT 2015
filter/source/graphicfilter/ipbm/ipbm.cxx | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
New commits:
commit 0382dd6b26a77484cc2818ea1655da373fa92e5f
Author: Stephan Bergmann <sbergman at redhat.com>
Date: Tue Aug 25 11:58:42 2015 +0200
Avoid overflow in PBMReader::ImplReadHeader
...as found by UBSan in CppunitTest_filter_ppm_test on
filter/qa/cppunit/data/pbm/fail/crash-1.pbm
Change-Id: Ib7c50ef1f07aba6b78f79c608be69c3dac38ddfe
(cherry picked from commit 662498ab80833a2b671c247fb859603632e52105)
Reviewed-on: https://gerrit.libreoffice.org/17989
Reviewed-by: Caolán McNamara <caolanm at redhat.com>
Tested-by: Caolán McNamara <caolanm at redhat.com>
diff --git a/filter/source/graphicfilter/ipbm/ipbm.cxx b/filter/source/graphicfilter/ipbm/ipbm.cxx
index 231b0e6..89ac09d 100644
--- a/filter/source/graphicfilter/ipbm/ipbm.cxx
+++ b/filter/source/graphicfilter/ipbm/ipbm.cxx
@@ -234,17 +234,41 @@ bool PBMReader::ImplReadHeader()
nDat -= '0';
if ( nCount == 0 )
{
+ if (mnWidth > SAL_MAX_INT32 / 10)
+ {
+ return false;
+ }
mnWidth *= 10;
+ if (nDat > SAL_MAX_INT32 - mnWidth)
+ {
+ return false;
+ }
mnWidth += nDat;
}
else if ( nCount == 1 )
{
+ if (mnHeight > SAL_MAX_INT32 / 10)
+ {
+ return false;
+ }
mnHeight *= 10;
+ if (nDat > SAL_MAX_INT32 - mnHeight)
+ {
+ return false;
+ }
mnHeight += nDat;
}
else if ( nCount == 2 )
{
+ if (mnMaxVal > std::numeric_limits<sal_uLong>::max() / 10)
+ {
+ return false;
+ }
mnMaxVal *= 10;
+ if (nDat > std::numeric_limits<sal_uLong>::max() - mnMaxVal)
+ {
+ return false;
+ }
mnMaxVal += nDat;
}
}
More information about the Libreoffice-commits
mailing list