[Libreoffice-commits] core.git: Branch 'aoo/trunk' - vcl/source

Damjan Jovanovic damjan at apache.org
Sat Nov 25 15:10:42 UTC 2017 

 vcl/source/gdi/pngread.cxx |   18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

New commits:
commit 9819064de0ac29755bbf244fb3115d5b539df85f
Author: Damjan Jovanovic <damjan at apache.org>
Date:   Sat Nov 25 13:21:24 2017 +0000

    Add range checking to PNG palette indexes,
    
    as per OSS-Fuzz issue 574.
    
    Patch by: me

diff --git a/vcl/source/gdi/pngread.cxx b/vcl/source/gdi/pngread.cxx
index b35db105cfca..e2ec7daa1bb5 100644
--- a/vcl/source/gdi/pngread.cxx
+++ b/vcl/source/gdi/pngread.cxx
@@ -36,6 +36,7 @@
 #include <vcl/svapp.hxx>
 #include <vcl/alpha.hxx>
 #include <osl/endian.h>
+#include <com/sun/star/lang/IndexOutOfBoundsException.hpp>
 
 // -----------
 // - Defines -
@@ -296,7 +297,7 @@ bool PNGReaderImpl::ReadNextChunk()
         if( mnChunkLen < 0 )
             return false;
         const sal_Size nStreamPos = mrPNGStream.Tell();
-        if( nStreamPos + mnChunkLen >= mnStreamSize )
+        if( nStreamPos + mnChunkLen + 4 >= mnStreamSize )
             return false;
 
         // calculate chunktype CRC (swap it back to original byte order)
@@ -434,7 +435,16 @@ BitmapEx PNGReaderImpl::GetBitmapEx( const Size& rPreviewSizeHint )
                 if ( !mpInflateInBuf )  // taking care that the header has properly been read
                     mbStatus = sal_False;
                 else if ( !mbIDAT )     // the gfx is finished, but there may be left a zlibCRC of about 4Bytes
-                    ImplReadIDAT();
+                {
+                    try
+                    {
+                        ImplReadIDAT();
+                    }
+                    catch (::com::sun::star::lang::IndexOutOfBoundsException&)
+                    {
+                        mbStatus = sal_False;
+                    }
+                }
             }
             break;
 
@@ -1644,6 +1654,8 @@ void PNGReaderImpl::ImplSetPixel( sal_uInt32 nY, sal_uInt32 nX, sal_uInt8 nPalIn
         return;
     nX >>= mnPreviewShift;
 
+    if (nPalIndex >= mpAcc->GetPaletteEntryCount())
+        throw ::com::sun::star::lang::IndexOutOfBoundsException();
     mpAcc->SetPixelIndex( nY, nX, nPalIndex );
 }
 
@@ -1674,6 +1686,8 @@ void PNGReaderImpl::ImplSetAlphaPixel( sal_uInt32 nY, sal_uInt32 nX,
         return;
     nX >>= mnPreviewShift;
 
+    if (nPalIndex >= mpAcc->GetPaletteEntryCount())
+        throw ::com::sun::star::lang::IndexOutOfBoundsException();
     mpAcc->SetPixelIndex( nY, nX, nPalIndex );
     mpMaskAcc->SetPixelIndex( nY, nX, ~nAlpha );
 }

More information about the Libreoffice-commits mailing list