Author: jsc
Date: Fri Mar 28 10:56:13 2014
New Revision: 1582689

URL: http://svn.apache.org/r1582689
Log:
#124467# merge from aoo410 branch, add check for image data offset against 
stream length, some further checks

Modified:
    openoffice/trunk/main/vcl/source/gdi/dibtools.cxx

Modified: openoffice/trunk/main/vcl/source/gdi/dibtools.cxx
URL: 
http://svn.apache.org/viewvc/openoffice/trunk/main/vcl/source/gdi/dibtools.cxx?rev=1582689&r1=1582688&r2=1582689&view=diff
==============================================================================
--- openoffice/trunk/main/vcl/source/gdi/dibtools.cxx (original)
+++ openoffice/trunk/main/vcl/source/gdi/dibtools.cxx Fri Mar 28 10:56:13 2014
@@ -390,7 +390,11 @@ void ImplDecodeRLE( sal_uInt8* pBuffer, 
 
 bool ImplReadDIBBits(SvStream& rIStm, DIBV5Header& rHeader, BitmapWriteAccess& 
rAcc, BitmapWriteAccess* pAccAlpha, bool bTopDown, bool& rAlphaUsed)
 {
-       const sal_uLong nAlignedWidth = AlignedWidth4Bytes(rHeader.nWidth * 
rHeader.nBitCount);
+    const sal_Int64 nBitsPerLine (static_cast<sal_Int64>(rHeader.nWidth) * 
static_cast<sal_Int64>(rHeader.nBitCount));
+    if (nBitsPerLine > SAL_MAX_UINT32)
+        return false;
+
+       const sal_uLong nAlignedWidth = 
AlignedWidth4Bytes(static_cast<sal_uLong>(nBitsPerLine));
        sal_uInt32 nRMask(( rHeader.nBitCount == 16 ) ? 0x00007c00UL : 
0x00ff0000UL);
        sal_uInt32 nGMask(( rHeader.nBitCount == 16 ) ? 0x000003e0UL : 
0x0000ff00UL);
        sal_uInt32 nBMask(( rHeader.nBitCount == 16 ) ? 0x0000001fUL : 
0x000000ffUL);
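Review bot: The new range check in ImplReadDIBBits rejects only products above SAL_MAX_UINT32, so a negative product still reaches the `static_cast<sal_uLong>` on the following line and turns into a very large aligned width. The caller shown in the next hunk tests `aHeader.nWidth` only for non-zero, so if nWidth is a signed field (its declaration is not visible here) a negative width read from the file gets this far. I would write the guard as `if (nBitsPerLine <= 0 || nBitsPerLine > SAL_MAX_UINT32) return false;`. It is also worth confirming that AlignedWidth4Bytes cannot wrap for values close to the upper bound on platforms where sal_uLong is 32 bits wide. The function body continues past the end of this hunk.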
@@ -616,6 +620,13 @@ bool ImplReadDIBBody( SvStream& rIStm, B
 
        if(ImplReadDIBInfoHeader(rIStm, aHeader, bTopDown) && aHeader.nWidth && 
aHeader.nHeight && aHeader.nBitCount)
        {
+        if (aHeader.nSize > nOffset)
+        {
+            // Header size claims to extend into the image data.
+            // Looks like an error.
+            return false;
+        }
+
                const sal_uInt16 
nBitCount(discretizeBitcount(aHeader.nBitCount));
                const Size aSizePixel(aHeader.nWidth, aHeader.nHeight);
                BitmapPalette aDummyPal;
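Review bot: The `aHeader.nSize > nOffset` test runs unconditionally, so it also fires when ImplReadDIBBody is called with an nOffset of 0. If 0 is how callers signal a DIB that has no BITMAPFILEHEADER (the call sites are outside this hunk, so this needs confirming), every such bitmap would now be rejected, since a readable info header never has a size of 0. In that case the guard should be `if (nOffset && aHeader.nSize > nOffset)`. The comment could also state the unit, for example `// nOffset is counted from the end of the file header; an info header larger than that would overlap the pixel data.`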
@@ -768,6 +779,9 @@ bool ImplReadDIBFileHeader( SvStream& rI
        sal_uInt16      nTmp16 = 0;
        bool    bRet = false;
 
+    const sal_Int64 nStreamLength (rIStm.Seek(STREAM_SEEK_TO_END));
+    rIStm.Seek(STREAM_SEEK_TO_BEGIN);
+
        rIStm >> nTmp16;
 
        if ( ( 0x4D42 == nTmp16 ) || ( 0x4142 == nTmp16 ) )
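Review bot: Measuring the length with `Seek(STREAM_SEEK_TO_END)` and then rewinding with `Seek(STREAM_SEEK_TO_BEGIN)` puts the read position at the start of the stream, not where it was when ImplReadDIBFileHeader was entered. If a caller hands in a stream positioned at a bitmap embedded further in (not visible from this hunk), the magic-number read that follows would inspect the wrong bytes. Saving the position first with `const sal_uLong nStartPos(rIStm.Tell());` and restoring it with `rIStm.Seek(nStartPos);` avoids that. The bound for the later `rOffset >= nStreamLength` check would then be the remaining length, `nStreamLength - nStartPos`. The function begins before and ends after this hunk.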
@@ -788,6 +802,14 @@ bool ImplReadDIBFileHeader( SvStream& rI
                        rOffset = nTmp32 - 14UL;    // adapt offset by 
sizeof(BITMAPFILEHEADER)
                        bRet = ( rIStm.GetError() == 0UL );
                }
+
+        if (rOffset >= nStreamLength)
+        {
+            // Offset claims that image starts past the end of the
+            // stream.  Unlikely.
+            rIStm.SetError( SVSTREAM_FILEFORMAT_ERROR );
+            bRet = false;
+        }
        }
        else
                rIStm.SetError( SVSTREAM_FILEFORMAT_ERROR );
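Review bot: The bound check compares rOffset, which has already had the 14-byte file header subtracted, against the length of the whole stream, so a data offset pointing up to 14 bytes past the end is still accepted (assuming the stream starts at the file header). `nTmp32 - 14UL` also wraps when the file supplies an offset smaller than 14, and the code then relies on the wrapped value happening to exceed nStreamLength. Testing the raw value before the subtraction states both conditions directly, e.g. `if (nTmp32 < 14UL || nTmp32 >= nStreamLength)`, with the SetError call placed there. The comparison also mixes an unsigned offset (presumably; rOffset's declaration is not shown) with the signed sal_Int64 length, which would be clearer with an explicit cast.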

