[Libreoffice-commits] core.git: 2 commits - filter/source vcl/source

Sat Feb 2 07:48:28 UTC 2019

filter/source/graphicfilter/itiff/itiff.cxx |    8 ++++++++
 vcl/source/filter/jpeg/jpegc.cxx            |    4 +++-
 2 files changed, 11 insertions(+), 1 deletion(-)

New commits:
commit 28570ba820fb1d5ef30d3f7d3420f6c8136dba56
Author:     Caolán McNamara <caolanm at redhat.com>
AuthorDate: Fri Feb 1 20:46:44 2019 +0000
Commit:     Caolán McNamara <caolanm at redhat.com>
CommitDate: Sat Feb 2 08:48:19 2019 +0100

    ofz#12812 tiff Timeout
    
    Change-Id: I5a9ccea6509760cd8a98087b5b3ea4b347947b0f
    Reviewed-on: https://gerrit.libreoffice.org/67261
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index 4e121351530d..85dc9d297265 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -21,6 +21,7 @@
 #include <sal/config.h>
 #include <sal/log.hxx>
 
+#include <unotools/configmgr.hxx>
 #include <vcl/FilterConfigItem.hxx>
 #include <vcl/graph.hxx>
 #include <vcl/BitmapTools.hxx>
@@ -1593,6 +1594,13 @@ bool TIFFReader::ReadTIFF(SvStream & rTIFF, Graphic & rGraphic )
                 }
             }
 
+            if (bStatus)
+            {
+                sal_Int32 nResult = 0;
+                if (utl::ConfigManager::IsFuzzing() && (o3tl::checked_multiply(nImageWidth, nImageLength, nResult) || nResult > 4000000))
+                    bStatus = false;
+            }
+
             if ( bStatus )
             {
                 maBitmapPixelSize = Size(nImageWidth, nImageLength);
commit 4aac7bc92ab91dadab6ad0bd3324494fbaa84625
Author:     Caolán McNamara <caolanm at redhat.com>
AuthorDate: Thu Jan 31 19:54:42 2019 +0000
Commit:     Caolán McNamara <caolanm at redhat.com>
CommitDate: Sat Feb 2 08:48:07 2019 +0100

    ofz#11203 fuzzing timeout
    
    Change-Id: I0feb8aa17f71a6efddc1b8b95008116b36f0a1f0
    Reviewed-on: https://gerrit.libreoffice.org/67239
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/vcl/source/filter/jpeg/jpegc.cxx b/vcl/source/filter/jpeg/jpegc.cxx
index 7c1192eda24b..f6e18a59461c 100644
--- a/vcl/source/filter/jpeg/jpegc.cxx
+++ b/vcl/source/filter/jpeg/jpegc.cxx
@@ -19,6 +19,7 @@
 
 #include <sal/config.h>
 #include <sal/log.hxx>
+#include <o3tl/safeint.hxx>
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -216,7 +217,8 @@ static void ReadJPEG(JpegStuff& rContext, JPEGReader* pJPEGReader, void* pInputS
     long nWidth = rContext.cinfo.output_width;
     long nHeight = rContext.cinfo.output_height;
 
-    if (nWidth > 2000 && nHeight > 2000 && utl::ConfigManager::IsFuzzing())
+    long nResult = 0;
+    if (utl::ConfigManager::IsFuzzing() && (o3tl::checked_multiply(nWidth, nHeight, nResult) || nResult > 4000000))
         return;
 
     bool bGray = (rContext.cinfo.output_components == 1);
