basebmp/source/bitmapdevice.cxx | 12 ++++++- svtools/qa/cppunit/data/png/fail/CVE-2004-0597-1.png | 3 + svtools/qa/cppunit/data/png/fail/CVE-2005-0633-1.png |binary svtools/qa/cppunit/data/png/fail/CVE-2006-7210-1.png |binary svtools/qa/cppunit/data/png/fail/CVE-2007-2365-1.png |binary svtools/qa/cppunit/data/png/fail/CVE-2009-1511-1.png | 1 svtools/qa/cppunit/data/png/pass/black.png |binary svtools/qa/cppunit/filters-test.cxx | 4 ++ vcl/source/gdi/pngread.cxx | 31 +++++++++++++------ 9 files changed, 40 insertions(+), 11 deletions(-)
New commits: commit 3d016d2d72dbd7b960356b44a3c369e1d5a8bf0c Author: Caolán McNamara <caol...@redhat.com> Date: Tue Apr 17 16:45:23 2012 +0100 png parsing regression test Signed-off-by: Petr Mladek <pmla...@suse.cz> Signed-off-by: Michael Meeks <michael.me...@suse.com> diff --git a/basebmp/source/bitmapdevice.cxx b/basebmp/source/bitmapdevice.cxx index 1586fce..b3676c6 100644 --- a/basebmp/source/bitmapdevice.cxx +++ b/basebmp/source/bitmapdevice.cxx @@ -1881,8 +1881,16 @@ BitmapDeviceSharedPtr createBitmapDeviceImpl( const basegfx::B2IVector& // factor in bottom-up scanline order case nScanlineStride *= bTopDown ? 1 : -1; - const std::size_t nMemSize( - (nScanlineStride < 0 ? -nScanlineStride : nScanlineStride)*rSize.getY() ); + const sal_uInt32 nWidth(nScanlineStride < 0 ? -nScanlineStride : nScanlineStride); + const sal_uInt32 nHeight(rSize.getY()); + + if (nHeight && nWidth && nWidth > SAL_MAX_INT32 / nHeight) + { + SAL_WARN( "basebmp", "suspicious massive alloc " << nWidth << " * " << nHeight); + return BitmapDeviceSharedPtr(); + } + + const std::size_t nMemSize(nWidth * nHeight); if( !pMem ) { diff --git a/svtools/qa/cppunit/data/png/fail/.gitignore b/svtools/qa/cppunit/data/png/fail/.gitignore new file mode 100644 index 0000000..e69de29 diff --git a/svtools/qa/cppunit/data/png/fail/CVE-2004-0597-1.png b/svtools/qa/cppunit/data/png/fail/CVE-2004-0597-1.png new file mode 100644 index 0000000..fa90a29 --- /dev/null +++ b/svtools/qa/cppunit/data/png/fail/CVE-2004-0597-1.png @@ -0,0 +1,3 @@ +Àë#Mb£}ÕÔo7ë2ÎË~X¨á.^TÿwBè!õf1±°ÿ»±sé tùgça2bA±ÕðÁËHbè"8àî|ìeGfS$N0nIÖªõ +Ôç0"ðJG°zÀ¤Ü¢(s?d)À"ËÿGE¢×F¯9~}ÇrÕ TÎp?áÅÂ*¿ìò·¥ckµ$E"Xï¯8á¾=2±T_3³v¿#é á$Hh4«JÑKiÝJÿ&7r ú Ï=u¯ù69KÙjãûäÎçèÿëWh{é½Ï$· dVÅÜ[îÐÐÊy\à%º%ǾH®meÛÃÞ+ Á}ÀgXI¡2ñ>*Ä«õ&ùÕúÍ· )̸6ÔpUTjODhÙ¶1éù-ÄÔ<WµUR±Kø591Òþ¦«M? +~æ*Nr¡Ìu;µãÀkh©ÉXÔà{ÖßÔ¤»' Ów©ìF[ÛÒKèRÓf§yO¹¨%0´©iháx×wz¿4dT.¥@Xm4¦Þi¤íô÷pçð¬Z¼¾^±ßyÝÂЯú`®ºÎ_Y¬? tuw4\kÁd¬J~mgú`<2ìl²Ñn¦ÒãùÞ*ð òök h*n÷w7!YIÃP+hKØ*Ô`õ?Ëâçü \ No newline at end of file 
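Review bot: The overflow guard added to createBitmapDeviceImpl bounds only the final `nWidth * nHeight` product, while `nScanlineStride` is computed above the hunk, outside what is shown. If that earlier arithmetic on the requested width can wrap a signed 32-bit value, the stride is already wrong before this check runs, so the same bound belongs where the stride is derived. The early `return BitmapDeviceSharedPtr();` also adds a null-device return on this path that every caller has to test for; the callers are not visible here. A short why-comment above the check would help, for example `// cap at SAL_MAX_INT32 so the byte count cannot wrap before it is used as an allocation size`. The function body starts and ends outside the hunk.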
diff --git a/svtools/qa/cppunit/data/png/fail/CVE-2005-0633-1.png b/svtools/qa/cppunit/data/png/fail/CVE-2005-0633-1.png new file mode 100644 index 0000000..d0644d1 Binary files /dev/null and b/svtools/qa/cppunit/data/png/fail/CVE-2005-0633-1.png differ diff --git a/svtools/qa/cppunit/data/png/fail/CVE-2006-7210-1.png b/svtools/qa/cppunit/data/png/fail/CVE-2006-7210-1.png new file mode 100644 index 0000000..9b30cc3 Binary files /dev/null and b/svtools/qa/cppunit/data/png/fail/CVE-2006-7210-1.png differ diff --git a/svtools/qa/cppunit/data/png/fail/CVE-2007-2365-1.png b/svtools/qa/cppunit/data/png/fail/CVE-2007-2365-1.png new file mode 100644 index 0000000..b9ff67b Binary files /dev/null and b/svtools/qa/cppunit/data/png/fail/CVE-2007-2365-1.png differ diff --git a/svtools/qa/cppunit/data/png/fail/CVE-2009-1511-1.png b/svtools/qa/cppunit/data/png/fail/CVE-2009-1511-1.png new file mode 100644 index 0000000..592fda1 --- /dev/null +++ b/svtools/qa/cppunit/data/png/fail/CVE-2009-1511-1.png @@ -0,0 +1 @@ +Àë#Mb£}ÕÔo7ë2Í~\íá._èÃ{ÜÚß'p|&êFàà¨/û§§ô¬ \ No newline at end of file diff --git a/svtools/qa/cppunit/data/png/indeterminate/.gitignore b/svtools/qa/cppunit/data/png/indeterminate/.gitignore new file mode 100644 index 0000000..e69de29 diff --git a/svtools/qa/cppunit/data/png/pass/.gitignore b/svtools/qa/cppunit/data/png/pass/.gitignore new file mode 100644 index 0000000..e69de29 diff --git a/svtools/qa/cppunit/data/png/pass/black.png b/svtools/qa/cppunit/data/png/pass/black.png new file mode 100644 index 0000000..cbba93b Binary files /dev/null and b/svtools/qa/cppunit/data/png/pass/black.png differ diff --git a/svtools/qa/cppunit/filters-test.cxx b/svtools/qa/cppunit/filters-test.cxx index a1c4a44..296d96e 100644 --- a/svtools/qa/cppunit/filters-test.cxx +++ b/svtools/qa/cppunit/filters-test.cxx 
@@ -80,6 +80,10 @@ void SvtoolsFiltersTest::testCVEs() testDir(rtl::OUString(), getURLFromSrc("/svtools/qa/cppunit/data/sgv/"), rtl::OUString()); + + testDir(rtl::OUString(), + getURLFromSrc("/svtools/qa/cppunit/data/png/"), + rtl::OUString()); } CPPUNIT_TEST_SUITE_REGISTRATION(SvtoolsFiltersTest); diff --git a/vcl/source/gdi/pngread.cxx b/vcl/source/gdi/pngread.cxx index 0d6a06c..1c590b5 100644 --- a/vcl/source/gdi/pngread.cxx +++ b/vcl/source/gdi/pngread.cxx @@ -201,6 +201,7 @@ PNGReaderImpl::PNGReaderImpl( SvStream& rPNGStream ) mpScanCurrent ( NULL ), mpColorTable ( (sal_uInt8*) mpDefaultColorTable ), mnPass ( 0 ), + mbPalette( sal_False ), mbzCodecInUse ( sal_False ), mbStatus( sal_True), mbIDAT( sal_False ), @@ -304,7 +305,7 @@ bool PNGReaderImpl::ReadNextChunk() nCRC32 = rtl_crc32( nCRC32, &rChunkData.aData[ 0 ], mnChunkLen ); maDataIter = rChunkData.aData.begin(); } - sal_uInt32 nCheck; + sal_uInt32 nCheck(0); mrPNGStream >> nCheck; if( nCRC32 != nCheck ) return false; @@ -346,14 +347,23 @@ BitmapEx PNGReaderImpl::GetBitmapEx( const Size& rPreviewSizeHint ) // reset to the first chunk maChunkIter = maChunkSeq.begin(); - // parse the chunks + // first chunk must be IDHR + if( mbStatus && ReadNextChunk() ) + { + if (mnChunkType == PNGCHUNK_IHDR) + mbStatus = ImplReadHeader( rPreviewSizeHint ); + else + mbStatus = false; + } + + // parse the remaining chunks while( mbStatus && !mbIDAT && ReadNextChunk() ) { switch( mnChunkType ) { case PNGCHUNK_IHDR : { - mbStatus = ImplReadHeader( rPreviewSizeHint ); + mbStatus = false; //IHDR should only appear as the first chunk } break; 
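Review bot: In the `@@ -304,7 +305,7 @@` hunk of ReadNextChunk, the result of `mrPNGStream >> nCheck` is still not checked, so on a truncated stream the CRC comparison runs against the constant 0 instead of failing on the read error. Initialising `nCheck` removes the uninitialised read but not that gap. Testing the stream's error state right after the read, e.g. `if( mrPNGStream.GetError() ) return false;` (assuming that is how short reads are reported for this stream), makes the truncated case fail explicitly. The function body continues outside the hunk.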
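Review bot: In the `@@ -346,14 +347,23 @@` hunk of GetBitmapEx, a first `ReadNextChunk()` that returns false leaves `mbStatus` unchanged, so a stream with no readable first chunk skips the header parse without being marked as failed. Whether later code catches that is outside the hunk. Adding `else mbStatus = false;` to the outer `if( mbStatus && ReadNextChunk() )` would make the first-chunk rule hold for that case too. The new comment also misspells the chunk name; it should read `// first chunk must be IHDR`.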
@@ -763,14 +773,17 @@ sal_Bool PNGReaderImpl::ImplReadTransparent()
 {
 if ( mnChunkLen <= 256 )
 {
+ mbTransparent = true;
 mpTransTab = new sal_uInt8 [ 256 ];
 rtl_fillMemory( mpTransTab, 256, 0xff );
- rtl_copyMemory( mpTransTab, &(*maDataIter), mnChunkLen );
- maDataIter += mnChunkLen;
- mbTransparent = true;
- // need alpha transparency if not on/off masking
- for( int i = 0; i < mnChunkLen; ++i )
- bNeedAlpha |= (mpTransTab[i]!=0x00) && (mpTransTab[i]!=0xFF);
+ if (mnChunkLen > 0)
+ {
+ rtl_copyMemory( mpTransTab, &(*maDataIter), mnChunkLen );
+ maDataIter += mnChunkLen;
+ // need alpha transparency if not on/off masking
+ for( int i = 0; i < mnChunkLen; ++i )
+ bNeedAlpha |= (mpTransTab[i]!=0x00) && (mpTransTab[i]!=0xFF);
+ }
 }
 }
 break;
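Review bot: `mpTransTab = new sal_uInt8 [ 256 ];` in ImplReadTransparent still allocates unconditionally, so a file carrying more than one transparency chunk would overwrite the pointer without releasing the earlier table, unless something outside the hunk prevents a second visit. If `mpTransTab` is null-initialised in the constructor (not visible here), `delete[] mpTransTab;` before the allocation would close that; alternatively a repeated chunk could be rejected with `mbStatus = false;`. The loop `for( int i = 0; i < mnChunkLen; ++i )` also uses a signed index against the chunk length; if `mnChunkLen` is unsigned, giving `i` the same type avoids the mixed comparison. The enclosing case and function extend beyond the hunk.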