[Libreoffice-commits] core.git: vcl/source

Caolán McNamara (via logerrit) logerrit at kemper.freedesktop.org
Tue Dec 22 12:57:31 UTC 2020


 vcl/source/filter/png/pngread.cxx |   15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

New commits:
commit 127bfab61c297df06fd8e71e709bc4362cb89d21
Author:     Caolán McNamara <caolanm at redhat.com>
AuthorDate: Tue Dec 22 10:18:36 2020 +0000
Commit:     Caolán McNamara <caolanm at redhat.com>
CommitDate: Tue Dec 22 13:56:35 2020 +0100

    oss-fuzz: pngfuzzer doesn't pass sanity check
    
    Step #5:     #6 0x63cceaf in __cxa_throw (/tmp/not-out/pngfuzzer+0x63cceaf)
    Step #5:     #7 0x4f1999 in SvStream::ReadUInt32(unsigned int&) (/tmp/not-out/pngfuzzer+0x4f1999)
    Step #5:     #8 0x6a8cd7 in vcl::PNGReaderImpl::PNGReaderImpl(SvStream&) (/tmp/not-out/pngfuzzer+0x6a8cd7)
    Step #5:     #9 0x6b545f in vcl::PNGReader::PNGReader(SvStream&) (/tmp/not-out/pngfuzzer+0x6b545f)
    
    Change-Id: Ibf062f8d7dfbbab7bf57be7d4e837c3a8934a40e
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/108154
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/vcl/source/filter/png/pngread.cxx b/vcl/source/filter/png/pngread.cxx
index 5a4e113867c9..cda1c3e9e4b5 100644
--- a/vcl/source/filter/png/pngread.cxx
+++ b/vcl/source/filter/png/pngread.cxx
@@ -228,11 +228,16 @@ PNGReaderImpl::PNGReaderImpl( SvStream& rPNGStream )
     mnStreamSize = mrPNGStream.TellEnd();
 
     // check the PNG header magic
-    sal_uInt32 nDummy = 0;
-    mrPNGStream.ReadUInt32( nDummy );
-    mbStatus = (nDummy == 0x89504e47);
-    mrPNGStream.ReadUInt32( nDummy );
-    mbStatus = (nDummy == 0x0d0a1a0a) && mbStatus;
+    if (mnStreamSize < 8)
+        mbStatus = false;
+    else
+    {
+        sal_uInt32 nDummy = 0;
+        mrPNGStream.ReadUInt32( nDummy );
+        mbStatus = (nDummy == 0x89504e47);
+        mrPNGStream.ReadUInt32( nDummy );
+        mbStatus = (nDummy == 0x0d0a1a0a) && mbStatus;
+    }
 
     mnPreviewShift = 0;
     mnPreviewMask = (1 << mnPreviewShift) - 1;
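
Review bot: The new guard `if (mnStreamSize < 8)` tests the total stream length taken from `TellEnd()`, not the number of bytes left from the current read position. If the stream is handed in at a non-zero offset with fewer than 8 bytes remaining, the two `ReadUInt32` calls in the else branch would still read past the end. Consider comparing against the remaining bytes (end minus `Tell()`) instead. A short comment noting that 8 is the length of the PNG signature would also make the constant self-explanatory.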

