[Libreoffice-commits] core.git: 2 commits - include/vcl vcl/qa vcl/source
Caolán McNamara
caolanm at redhat.com
Thu Mar 2 10:50:44 UTC 2017
dev/null |binary
include/vcl/dibtools.hxx | 3 -
vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2015-0848-1.wmf |binary
vcl/source/gdi/dibtools.cxx | 28 +++++++---
4 files changed, 23 insertions(+), 8 deletions(-)
New commits:
commit c985cda80b54a4c951974bef77398b83eccc7d62
Author: Caolán McNamara <caolanm at redhat.com>
Date: Thu Mar 2 10:33:02 2017 +0000
COMPRESS_OWN define is not used standalone anywhere
Change-Id: Iaca54d62a48711a7763cac98c6f303b952b2da29
diff --git a/include/vcl/dibtools.hxx b/include/vcl/dibtools.hxx
index 757fb0d..765cdc9 100644
--- a/include/vcl/dibtools.hxx
+++ b/include/vcl/dibtools.hxx
@@ -33,12 +33,11 @@ class Bitmap;
// - Compression defines
-#define COMPRESS_OWN ('S'|('D'<<8UL))
#define COMPRESS_NONE ( 0UL )
#define RLE_8 ( 1UL )
#define RLE_4 ( 2UL )
#define BITFIELDS ( 3UL )
-#define ZCOMPRESS ( COMPRESS_OWN | 0x01000000UL ) /* == 'SD01' (binary) */
+#define ZCOMPRESS ( ('S'|('D'<<8UL)) | 0x01000000UL ) /* == 'SD01' (binary) */
bool VCL_DLLPUBLIC ReadDIB( // ReadDIB(rBitmap, rIStm, true);
Bitmap& rTarget,
commit 82070481f34091718ee0ca0dd97826c7e3d7d79e
Author: Caolán McNamara <caolanm at redhat.com>
Date: Thu Mar 2 10:30:52 2017 +0000
reject bmps with unknown compression schemes
and RLE8/RLE4 compression with wrong bitmap depth
Change-Id: I7e580cb119e90262a88c57b86f562eaba81c4944
diff --git a/vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2015-0848-1.wmf b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2015-0848-1.wmf
similarity index 100%
rename from vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2015-0848-1.wmf
rename to vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2015-0848-1.wmf
diff --git a/vcl/source/gdi/dibtools.cxx b/vcl/source/gdi/dibtools.cxx
index 8dd710e..7218e8f 100644
--- a/vcl/source/gdi/dibtools.cxx
+++ b/vcl/source/gdi/dibtools.cxx
@@ -867,13 +867,29 @@ bool ImplReadDIBBody( SvStream& rIStm, Bitmap& rBmp, AlphaMask* pBmpAlpha, sal_u
return false;
const sal_uInt64 nAlignedWidth(AlignedWidth4Bytes(static_cast<sal_uLong>(nBitsPerLine)));
- // (partially) check the image dimensions to avoid potential large bitmap allocation if the input is damaged
- if (aHeader.nCompression == ZCOMPRESS || aHeader.nCompression == COMPRESS_NONE)
+ switch (aHeader.nCompression)
{
- sal_uInt64 nMaxWidth = pIStm->remainingSize();
- if (aHeader.nHeight != 0)
- nMaxWidth /= aHeader.nHeight;
- if (nMaxWidth < nAlignedWidth)
+ case RLE_8:
+ if (aHeader.nBitCount != 8)
+ return false;
+ break;
+ case RLE_4:
+ if (aHeader.nBitCount != 4)
+ return false;
+ case BITFIELDS:
+ break;
+ case ZCOMPRESS:
+ case COMPRESS_NONE:
+ {
+ // (partially) check the image dimensions to avoid potential large bitmap allocation if the input is damaged
+ sal_uInt64 nMaxWidth = pIStm->remainingSize();
+ if (aHeader.nHeight != 0)
+ nMaxWidth /= aHeader.nHeight;
+ if (nMaxWidth < nAlignedWidth)
+ return false;
+ break;
+ }
+ default:
return false;
}
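Review bot: In the new `switch (aHeader.nCompression)`, `case RLE_4:` has no `break;` after its bit-count check and drops into `case BITFIELDS:`, which is harmless today only because that case is an empty `break;`. An explicit `break;` after the `RLE_4` check would stop any validation later added under `BITFIELDS` from silently applying to RLE4 input, and would keep implicit-fallthrough warnings quiet. `BITFIELDS` itself is accepted with any `nBitCount` and skips the `remainingSize()` bound that `COMPRESS_NONE` gets. If the format only defines it for 16- and 32-bit pixel data (worth confirming against the header parsing outside this hunk), a check such as `if (aHeader.nBitCount != 16 && aHeader.nBitCount != 32) return false;` would match the depth checks added for the RLE cases. `ImplReadDIBBody` starts and ends outside the hunk, so any handling of these cases before or after the switch is not visible here.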