[Libreoffice-commits] core.git: Branch 'libreoffice-4-4' - filter/qa filter/source

Mon Sep 14 00:24:17 PDT 2015

filter/qa/cppunit/data/psd/pass/hang-1.psd |binary
 filter/source/graphicfilter/ipsd/ipsd.cxx  |   19 ++++++++++---------
 2 files changed, 10 insertions(+), 9 deletions(-)

New commits:
commit e10b203ebf8e8b4eb75601b614d279d50af5b5e8
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Thu Sep 10 09:24:13 2015 +0100

    fix size check related hang
    
    Change-Id: I3e8aa5c48ba802cd363688502b44e27bfdf67f01
    (cherry picked from commit b02f1c58e7bb8b6c9381107431557d3f39794fe0)
    Reviewed-on: https://gerrit.libreoffice.org/18465
    Reviewed-by: David Tardon <dtardon at redhat.com>
    Tested-by: David Tardon <dtardon at redhat.com>

diff --git a/filter/qa/cppunit/data/psd/pass/hang-1.psd b/filter/qa/cppunit/data/psd/pass/hang-1.psd
new file mode 100644
index 0000000..8f557dd
Binary files /dev/null and b/filter/qa/cppunit/data/psd/pass/hang-1.psd differ
diff --git a/filter/source/graphicfilter/ipsd/ipsd.cxx b/filter/source/graphicfilter/ipsd/ipsd.cxx
index bae2c0b..a5243b6 100644
--- a/filter/source/graphicfilter/ipsd/ipsd.cxx
+++ b/filter/source/graphicfilter/ipsd/ipsd.cxx
@@ -172,9 +172,6 @@ bool PSDReader::ReadPSD(Graphic & rGraphic )
 
 bool PSDReader::ImplReadHeader()
 {
-    sal_uInt16  nCompression;
-    sal_uInt32  nColorLength, nResourceLength, nLayerMaskLength;
-
     mpFileHeader = new PSDFileHeader;
 
     if ( !mpFileHeader )
@@ -197,6 +194,7 @@ bool PSDReader::ImplReadHeader()
 
     mnDestBitDepth = ( nDepth == 16 ) ? 8 : nDepth;
 
+    sal_uInt32 nColorLength(0);
     m_rPSD.ReadUInt32( nColorLength );
     if ( mpFileHeader->nMode == PSD_CMYK )
     {
@@ -277,7 +275,10 @@ bool PSDReader::ImplReadHeader()
         default:
             return false;
     }
-    m_rPSD.ReadUInt32( nResourceLength );
+    sal_uInt32 nResourceLength(0);
+    m_rPSD.ReadUInt32(nResourceLength);
+    if (nResourceLength > m_rPSD.remainingSize())
+        return false;
     sal_uInt32 nLayerPos = m_rPSD.Tell() + nResourceLength;
 
     // this is a loop over the resource entries to get the resolution info
@@ -298,8 +299,8 @@ bool PSDReader::ImplReadHeader()
         if ( nResEntryLen & 1 )
             nResEntryLen++;             // the resource entries are padded
         sal_uInt32 nCurrentPos = m_rPSD.Tell();
-        if ( ( nResEntryLen + nCurrentPos ) > nLayerPos )   // check if size
-            break;                                          // is possible
+        if (nResEntryLen > (nLayerPos - nCurrentPos))   // check if size
+            break;                                      // is possible
         switch( nUniqueID )
         {
             case 0x3ed :    // UID for the resolution info
@@ -314,10 +315,12 @@ bool PSDReader::ImplReadHeader()
         m_rPSD.Seek( nCurrentPos + nResEntryLen );          // set the stream to the next
     }                                                       // resource entry
     m_rPSD.Seek( nLayerPos );
+    sal_uInt32 nLayerMaskLength(0);
     m_rPSD.ReadUInt32( nLayerMaskLength );
     m_rPSD.SeekRel( nLayerMaskLength );
 
-    m_rPSD.ReadUInt16( nCompression );
+    sal_uInt16 nCompression(0);
+    m_rPSD.ReadUInt16(nCompression);
     if ( nCompression == 0 )
     {
         mbCompression = false;
@@ -333,8 +336,6 @@ bool PSDReader::ImplReadHeader()
     return true;
 }
 
-
-
 bool PSDReader::ImplReadBody()
 {
     sal_uLong       nX, nY;
