[Libreoffice-commits] core.git: vcl/source

Stephan Bergmann sbergman at redhat.com
Tue Nov 21 08:01:28 UTC 2017


 vcl/source/gdi/pngread.cxx |   16 ++++++++++++++++
 1 file changed, 16 insertions(+)

New commits:
commit bb11e1283e3d49ec1bfe14c4271edbd49af3e3c1
Author: Stephan Bergmann <sbergman at redhat.com>
Date:   Tue Nov 21 08:58:04 2017 +0100

    ASan heap-buffer-overflow
    
    e.g. during CppunitTest_sd_misc_tests (see
    <https://ci.libreoffice.org/job/lo_ubsan/735/console>) after
    66dbd4da3afcadb1393daf9be9cecff71b86509a "tdf#113918: Workaround: Load 1bpp
    indexed PNG as 8bpp indexed Bitmap".  Looks like PNGReaderImpl::ImplDrawScanline
    also needs to special-case mnPngDepth == 1 in the mbTransparent case (and, TODO,
    also in the mbAlphaChannel case)?
    
    Change-Id: Ie6a0230ec606f7cc5aaf174b9c0075a3b4cb5b1d

diff --git a/vcl/source/gdi/pngread.cxx b/vcl/source/gdi/pngread.cxx
index bc218f8d9964..7a1f8ef46136 100644
--- a/vcl/source/gdi/pngread.cxx
+++ b/vcl/source/gdi/pngread.cxx
@@ -1328,6 +1328,22 @@ void PNGReaderImpl::ImplDrawScanline( sal_uInt32 nXStart, sal_uInt32 nXAdd )
                         for ( long nX = nXStart; nX < maOrigSize.Width(); nX += nXAdd, pTmp++ )
                             ImplSetAlphaPixel( nY, nX, *pTmp, mpTransTab[ *pTmp ] );
                     }
+                    else if (mnPngDepth == 1 )
+                    {
+                        for ( long nX = nXStart, nShift = 0; nX < maOrigSize.Width(); nX += nXAdd )
+                        {
+                            nShift = (nShift - 1) & 7;
+
+                            sal_uInt8 nCol;
+                            if ( nShift == 0 )
+                                nCol = *(pTmp++);
+                            else
+                                nCol = static_cast<sal_uInt8>( *pTmp >> nShift );
+                            nCol &= 1;
+
+                            ImplSetAlphaPixel( nY, nX, nCol, mpTransTab[ nCol ] );
+                        }
+                    }
                     else
                     {
                         for ( long nX = nXStart; nX < maOrigSize.Width(); nX += nXAdd, pTmp += 2 )
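
Review bot: The new `else if (mnPngDepth == 1 )` branch carries no comment explaining why 1-bit input needs its own loop, and the TODO from the commit message (the same special case for mbAlphaChannel) is not recorded anywhere in the code. The branch above advances `pTmp` once per pixel, while this one advances it once per eight pixels. A short comment stating that the scanline is packed eight pixels per byte, most significant bit first, and naming the 8bpp workaround commit, would keep the next reader from "simplifying" it back into the overflowing form. A `// TODO: mbAlphaChannel` line next to the branch would keep the open issue visible. Separately, `long nX = nXStart, nShift = 0` makes `nShift` a `long` by accident of the shared declaration, and the first iteration depends on `(nShift - 1) & 7` turning -1 into 7. Declaring `nShift` on its own line with a note on the bit order would make that intent explicit. The spacing in `(mnPngDepth == 1 )` also differs from the `( ... )` style used in the surrounding lines.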

