[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/source

Stephan Bergmann sbergman at redhat.com
Tue Aug 25 08:07:57 PDT 2015


 filter/source/graphicfilter/ipbm/ipbm.cxx |   24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

New commits:
commit 4c8bba9a8e7488b268fc4f6c9e06195b42565375
Author: Stephan Bergmann <sbergman at redhat.com>
Date:   Tue Aug 25 11:58:42 2015 +0200

    Avoid overflow in PBMReader::ImplReadHeader
    
    ...as found by UBSan in CppunitTest_filter_ppm_test on
    filter/qa/cppunit/data/pbm/fail/crash-1.pbm
    
    Change-Id: Ib7c50ef1f07aba6b78f79c608be69c3dac38ddfe
    (cherry picked from commit 662498ab80833a2b671c247fb859603632e52105)
    Reviewed-on: https://gerrit.libreoffice.org/17984
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/filter/source/graphicfilter/ipbm/ipbm.cxx b/filter/source/graphicfilter/ipbm/ipbm.cxx
index 18b3249..d7cf941 100644
--- a/filter/source/graphicfilter/ipbm/ipbm.cxx
+++ b/filter/source/graphicfilter/ipbm/ipbm.cxx
@@ -218,17 +218,41 @@ bool PBMReader::ImplReadHeader()
             nDat -= '0';
             if ( nCount == 0 )
             {
+                if (mnWidth > SAL_MAX_INT32 / 10)
+                {
+                    return false;
+                }
                 mnWidth *= 10;
+                if (nDat > SAL_MAX_INT32 - mnWidth)
+                {
+                    return false;
+                }
                 mnWidth += nDat;
             }
             else if ( nCount == 1 )
             {
+                if (mnHeight > SAL_MAX_INT32 / 10)
+                {
+                    return false;
+                }
                 mnHeight *= 10;
+                if (nDat > SAL_MAX_INT32 - mnHeight)
+                {
+                    return false;
+                }
                 mnHeight += nDat;
             }
             else if ( nCount == 2 )
             {
+                if (mnMaxVal > std::numeric_limits<sal_uLong>::max() / 10)
+                {
+                    return false;
+                }
                 mnMaxVal *= 10;
+                if (nDat > std::numeric_limits<sal_uLong>::max() - mnMaxVal)
+                {
+                    return false;
+                }
                 mnMaxVal += nDat;
             }
         }


More information about the Libreoffice-commits mailing list