[Libreoffice-commits] core.git: 4 commits - emfio/inc filter/source vcl/workben
Caolán McNamara
caolanm at redhat.com
Mon Sep 25 09:10:03 UTC 2017
emfio/inc/mtftools.hxx | 16 ++++++++++++++++
filter/source/graphicfilter/ipict/ipict.cxx | 27 ++++++++++++++++++---------
filter/source/graphicfilter/itiff/itiff.cxx | 16 +++++++++++++---
vcl/workben/wmffuzzer.cxx | 4 ++++
4 files changed, 51 insertions(+), 12 deletions(-)
New commits:
commit e1b9b8c91afdb9cb47d3c463a6a28ed4e23f63aa
Author: Caolán McNamara <caolanm at redhat.com>
Date: Mon Sep 25 09:48:38 2017 +0100
tighten up the pict filter a tad
Change-Id: Ib09a33a97a79fdeb5b61d486af4f11b5cc4035ec
diff --git a/filter/source/graphicfilter/ipict/ipict.cxx b/filter/source/graphicfilter/ipict/ipict.cxx
index 6911b02781c0..5da3e1a8844b 100644
--- a/filter/source/graphicfilter/ipict/ipict.cxx
+++ b/filter/source/graphicfilter/ipict/ipict.cxx
@@ -741,8 +741,16 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap &rBitmap, bool bBaseAddr, bool bColo
// Read PixMap or Bitmap structure;
sal_uInt16 nRowBytes(0), nBndX(0), nBndY(0), nWidth(0), nHeight(0);
pPict->ReadUInt16(nRowBytes).ReadUInt16(nBndY).ReadUInt16(nBndX).ReadUInt16(nHeight).ReadUInt16(nWidth);
+ if (nBndY > nHeight)
+ return 0xffffffff;
nHeight = nHeight - nBndY;
+ if (nHeight == 0)
+ return 0xffffffff;
+ if (nBndX > nWidth)
+ return 0xffffffff;
nWidth = nWidth - nBndX;
+ if (nWidth == 0)
+ return 0xffffffff;
sal_uInt16 nDstBitCount = 1;
BitmapPalette aPalette;
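Review bot: The four added guards can be folded into one test that rejects exactly the same inputs: `if (nBndY >= nHeight || nBndX >= nWidth) return 0xffffffff;`, placed before the two subtractions, covers both the underflow and the zero-size cases. A one-line comment such as `// bounds are read from the file; reject inverted or empty rectangles before subtracting` would record why the check has to precede the arithmetic. The literal `0xffffffff` now appears four more times in this function, so a named constant for the error return would make the failure paths easier to audit. ReadPixMapEtc starts and ends outside this hunk.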
@@ -1093,7 +1101,8 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap &rBitmap, bool bBaseAddr, bool bColo
if ( ( pAcc = initBitmap(aBitmap, nWidth, nHeight, nDstBitCount, aPalette) ) == nullptr )
return 0xffffffff;
- std::unique_ptr<sal_uInt8[]> pScanline(new sal_uInt8[static_cast<size_t>(nWidth) * nCmpCount]);
+ size_t nByteWidth = static_cast<size_t>(nWidth) * nCmpCount;
+ std::vector<sal_uInt8> aScanline(nByteWidth);
for (sal_uInt16 ny = 0; ny < nHeight; ++ny)
{
nSrcBitsPos = pPict->Tell();
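Review bot: `aScanline` is sized from `nCmpCount`, and nothing visible in this hunk constrains that value. Further down (the hunk at -1130, `sal_uInt8* pTmp = aScanline.data();` followed by `pTmp += nWidth` when `nCmpCount == 4`) the decoded row is read back in what looks like per-component planes `nWidth` apart; if that is how the loop body indexes, a component count below 3 would let those reads run past `nByteWidth`. If no earlier check in ReadPixMapEtc already restricts it, a guard ahead of the `initBitmap` call, e.g. `if (nCmpCount != 3 && nCmpCount != 4) return 0xffffffff;`, would pin the invariant. `nByteWidth` is never modified in the visible lines and could be declared `const size_t`. The function body continues outside the hunk.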
@@ -1109,20 +1118,20 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap &rBitmap, bool bBaseAddr, bool bColo
nByteCount++;
}
size_t i = 0;
- while( i < (sal_uInt32)( nWidth * nCmpCount ) )
+ while (i < nByteWidth)
{
pPict->ReadUChar( nFlagCounterByte );
if ( ( nFlagCounterByte & 0x80 ) == 0)
{
nCount = ( (sal_uInt16)nFlagCounterByte ) + 1;
- if ( ( i + nCount ) > static_cast<size_t>(nWidth) * nCmpCount )
- nCount = static_cast<size_t>(nWidth) * nCmpCount - i;
+ if ((i + nCount) > nByteWidth)
+ nCount = nByteWidth - i;
if (pPict->remainingSize() < nCount)
BITMAPERROR;
while( nCount-- )
{
pPict->ReadUChar( nDat );
- pScanline[ i++ ] = nDat;
+ aScanline[ i++ ] = nDat;
}
}
else
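Review bot: The clamp `if ((i + nCount) > nByteWidth) nCount = nByteWidth - i;` is the only thing keeping the `aScanline[ i++ ]` writes inside the buffer, and it is written out twice: here and in the repeat-run branch of the next hunk (`if (( i + nCount) > nByteWidth)`), already with different spacing. Computing the remaining space once per iteration, e.g. `const size_t nLeft = nByteWidth - i;` followed by `if (nCount > nLeft) nCount = nLeft;` in each branch, keeps the two copies from drifting apart. A comment such as `// clamp the run to the rest of the scanline so the writes below stay in bounds` would state the invariant for the next reader. The loop header's enclosing block and the declaration of `nCount` are outside the hunk, so its type should be confirmed before changing the comparison.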
@@ -1130,14 +1139,14 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap &rBitmap, bool bBaseAddr, bool bColo
if (pPict->remainingSize() < 1)
BITMAPERROR;
nCount = ( 1 - sal_Int16( ( (sal_uInt16)nFlagCounterByte ) | 0xff00 ) );
- if ( ( i + nCount ) > static_cast<size_t>(nWidth) * nCmpCount)
- nCount = static_cast<size_t>(nWidth) * nCmpCount - i;
+ if (( i + nCount) > nByteWidth)
+ nCount = nByteWidth - i;
pPict->ReadUChar( nDat );
while( nCount-- )
- pScanline[ i++ ] = nDat;
+ aScanline[ i++ ] = nDat;
}
}
- sal_uInt8* pTmp = pScanline.get();
+ sal_uInt8* pTmp = aScanline.data();
if ( nCmpCount == 4 )
pTmp += nWidth;
for (sal_uInt16 nx = 0; nx < nWidth; pTmp++)
commit 88a23bba104b51af766c86b51b69d80c7fe37ee3
Author: Caolán McNamara <caolanm at redhat.com>
Date: Mon Sep 25 09:14:19 2017 +0100
Conditional jump or move depends on uninitialised value
Change-Id: I772c38c62950edbcde450889bae61dc37118b8cd
diff --git a/emfio/inc/mtftools.hxx b/emfio/inc/mtftools.hxx
index 6eb9367bb3e8..d9f9dd62ea22 100644
--- a/emfio/inc/mtftools.hxx
+++ b/emfio/inc/mtftools.hxx
@@ -129,6 +129,22 @@ namespace emfio
sal_uInt8 lfQuality;
sal_uInt8 lfPitchAndFamily;
OUString alfFaceName;
+ LOGFONTW()
+ : lfHeight(0)
+ , lfWidth(0)
+ , lfEscapement(0)
+ , lfOrientation(0)
+ , lfWeight(0)
+ , lfItalic(0)
+ , lfUnderline(0)
+ , lfStrikeOut(0)
+ , lfCharSet(0)
+ , lfOutPrecision(0)
+ , lfClipPrecision(0)
+ , lfQuality(0)
+ , lfPitchAndFamily(0)
+ {
+ }
};
}
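Review bot: The constructor repeats every scalar member in an initializer list that sits apart from the declarations, so a field added to LOGFONTW later can be left out of it without any diagnostic, and the uninitialised read named in the commit title would come back. Default member initializers on the declarations, e.g. `sal_uInt8 lfQuality = 0;` and `sal_uInt8 lfPitchAndFamily = 0;`, give the same zeroed state and keep each default next to its field, with no user-written constructor needed. If the constructor is kept, a short comment such as `// zero every scalar field so a partially filled LOGFONTW is never read uninitialised` would say why it exists. The struct's opening and most of its member declarations are outside the hunk.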
commit 1e1f2e677fbf6c8043318450640f54c892699d55
Author: Caolán McNamara <caolanm at redhat.com>
Date: Mon Sep 25 09:05:42 2017 +0100
Direct-leak fix effort
Change-Id: If267c2d40b9e511a8e13be34bb7ba09048a736c5
diff --git a/vcl/workben/wmffuzzer.cxx b/vcl/workben/wmffuzzer.cxx
index 2300f181c673..1a05174e7502 100644
--- a/vcl/workben/wmffuzzer.cxx
+++ b/vcl/workben/wmffuzzer.cxx
@@ -23,6 +23,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
SvMemoryStream aStream(const_cast<uint8_t*>(data), size, StreamMode::READ);
GDIMetaFile aGDIMetaFile;
(void)ReadWindowMetafile(aStream, aGDIMetaFile);
+ //fontconfigs alloc mechanism is too complicated for lsan/valgrind so
+ //force the fontconfig options to be released now, they are demand loaded
+ //so will be recreated if necessary
+ SvpSalGraphics::getPlatformGlyphCache().ClearFontOptions();
return 0;
}
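Review bot: `ClearFontOptions()` now runs after every input, which the comment justifies for leak checking, but it also means the options are rebuilt whenever a later input needs them; that is likely a throughput cost for the fuzzer, though the hunk does not show how expensive the reload is. It would help if the comment said this is a harness-only workaround and that the per-input reload is accepted, e.g. `//harness-only: done per input so lsan sees no outstanding fontconfig allocations`. The call needs the declaration of `SvpSalGraphics` in scope; the diffstat shows no other lines added to this file, so presumably an existing include provides it, which is worth confirming for all fuzzer build configurations.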
commit 651e1f6cda04468394c65c2fd88d915902ac0306
Author: Caolán McNamara <caolanm at redhat.com>
Date: Mon Sep 25 09:03:49 2017 +0100
ofz: divide-by-zero
Change-Id: Ie9a21a1432a98af3dca9a397057b7887ff30375f
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index 083143600fc0..7298da030cc6 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -1345,11 +1345,21 @@ bool TIFFReader::ReadTIFF(SvStream & rTIFF, Graphic & rGraphic )
else
nPlanes = nSamplesPerPixel;
+ bStatus = nPlanes != 0;
+ }
+
+ sal_uInt32 nDiv = GetRowsPerStrip() + 1;
+
+ if ( bStatus )
+ {
+ bStatus = (nDiv != 0);
+ }
+
+ if ( bStatus )
+ {
if ( ( nFillOrder == 2 ) && ( nCompression != 5 ) ) // in the LZW mode bits are already being inverted
bByteSwap = true;
-
- nStripsPerPlane = ( nImageLength - 1 ) / GetRowsPerStrip() + 1;
- bStatus = nPlanes != 0;
+ nStripsPerPlane = ( nImageLength - 1 ) / nDiv;
}
if ( bStatus )
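Review bot: The new expression `( nImageLength - 1 ) / nDiv` with `nDiv = GetRowsPerStrip() + 1` is not the same calculation as the removed `( nImageLength - 1 ) / GetRowsPerStrip() + 1`: division binds tighter than addition, so the old code divided by the rows-per-strip value and then added one, while the new code divides by rows-per-strip plus one. As written, `nDiv != 0` only rejects a value that wraps to zero after the increment, and a rows-per-strip of 0 is accepted with a divisor of 1, so well-formed files get a strip count that is too small while the malformed case is no longer rejected. Keeping the original formula and testing the divisor itself addresses both: `sal_uInt32 nRowsPerStrip = GetRowsPerStrip();`, `bStatus = (nRowsPerStrip != 0);`, `nStripsPerPlane = ( nImageLength - 1 ) / nRowsPerStrip + 1;`. The return type of GetRowsPerStrip() and the later uses of nStripsPerPlane are outside the hunk, so the downstream effect of the smaller count on strip indexing should be checked there.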