[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/source
Stephan Bergmann
sbergman at redhat.com
Tue Aug 25 08:07:57 PDT 2015
filter/source/graphicfilter/ipbm/ipbm.cxx | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
New commits:
commit 4c8bba9a8e7488b268fc4f6c9e06195b42565375
Author: Stephan Bergmann <sbergman at redhat.com>
Date: Tue Aug 25 11:58:42 2015 +0200
Avoid overflow in PBMReader::ImplReadHeader
...as found by UBSan in CppunitTest_filter_ppm_test on
filter/qa/cppunit/data/pbm/fail/crash-1.pbm
Change-Id: Ib7c50ef1f07aba6b78f79c608be69c3dac38ddfe
(cherry picked from commit 662498ab80833a2b671c247fb859603632e52105)
Reviewed-on: https://gerrit.libreoffice.org/17984
Reviewed-by: Caolán McNamara <caolanm at redhat.com>
Tested-by: Caolán McNamara <caolanm at redhat.com>
diff --git a/filter/source/graphicfilter/ipbm/ipbm.cxx b/filter/source/graphicfilter/ipbm/ipbm.cxx
index 18b3249..d7cf941 100644
--- a/filter/source/graphicfilter/ipbm/ipbm.cxx
+++ b/filter/source/graphicfilter/ipbm/ipbm.cxx
@@ -218,17 +218,41 @@ bool PBMReader::ImplReadHeader()
nDat -= '0';
if ( nCount == 0 )
{
+ if (mnWidth > SAL_MAX_INT32 / 10)
+ {
+ return false;
+ }
mnWidth *= 10;
+ if (nDat > SAL_MAX_INT32 - mnWidth)
+ {
+ return false;
+ }
mnWidth += nDat;
}
else if ( nCount == 1 )
{
+ if (mnHeight > SAL_MAX_INT32 / 10)
+ {
+ return false;
+ }
mnHeight *= 10;
+ if (nDat > SAL_MAX_INT32 - mnHeight)
+ {
+ return false;
+ }
mnHeight += nDat;
}
else if ( nCount == 2 )
{
+ if (mnMaxVal > std::numeric_limits<sal_uLong>::max() / 10)
+ {
+ return false;
+ }
mnMaxVal *= 10;
+ if (nDat > std::numeric_limits<sal_uLong>::max() - mnMaxVal)
+ {
+ return false;
+ }
mnMaxVal += nDat;
}
}
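Review bot: The new guards on `mnWidth` and `mnHeight` only reject a decimal value that would exceed `SAL_MAX_INT32`, so a header declaring dimensions just under that limit still parses successfully. Whether later code checks the width-times-height product before sizing the bitmap is not visible in this hunk, and that is worth confirming because the input is an untrusted file. A comment at the first guard would record the limit of what is checked, for example `// rejects decimal overflow only; plausibility of width x height must be checked before allocating`. Separately, the `mnMaxVal` branch uses `std::numeric_limits`, yet the diffstat shows all 24 insertions inside this hunk, so the file presumably depends on a transitive include; adding `#include <limits>` would make that explicit. The body of `ImplReadHeader` starts and ends outside the hunk.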