svn commit: r1816295 - /openoffice/trunk/main/vcl/source/gdi/pngread.cxx

[damjan]

Author: damjan
Date: Sat Nov 25 13:21:24 2017
New Revision: 1816295

URL: http://svn.apache.org/viewvc?rev=1816295&view=rev
Log:
Add range checking to PNG palette indexes,
as per OSS-Fuzz issue 574.

Patch by: me


Modified:
    openoffice/trunk/main/vcl/source/gdi/pngread.cxx

Modified: openoffice/trunk/main/vcl/source/gdi/pngread.cxx
URL: 
http://svn.apache.org/viewvc/openoffice/trunk/main/vcl/source/gdi/pngread.cxx?rev=1816295&r1=1816294&r2=1816295&view=diff
==============================================================================
--- openoffice/trunk/main/vcl/source/gdi/pngread.cxx (original)
+++ openoffice/trunk/main/vcl/source/gdi/pngread.cxx Sat Nov 25 13:21:24 2017
@@ -36,6 +36,7 @@
 #include <vcl/svapp.hxx>
 #include <vcl/alpha.hxx>
 #include <osl/endian.h>
+#include <com/sun/star/lang/IndexOutOfBoundsException.hpp>
 
 // -----------
 // - Defines -
@@ -296,7 +297,7 @@ bool PNGReaderImpl::ReadNextChunk()
         if( mnChunkLen < 0 )
             return false;
         const sal_Size nStreamPos = mrPNGStream.Tell();
-        if( nStreamPos + mnChunkLen >= mnStreamSize )
+        if( nStreamPos + mnChunkLen + 4 >= mnStreamSize )
             return false;
 
         // calculate chunktype CRC (swap it back to original byte order)
@@ -434,7 +435,16 @@ BitmapEx PNGReaderImpl::GetBitmapEx( con
                                if ( !mpInflateInBuf )  // taking care that the 
header has properly been read
                                        mbStatus = sal_False;
                                else if ( !mbIDAT )             // the gfx is 
finished, but there may be left a zlibCRC of about 4Bytes
-                                       ImplReadIDAT();
+                               {
+                                       try
+                                       {
+                                               ImplReadIDAT();
+                                       }
+                                       catch 
(::com::sun::star::lang::IndexOutOfBoundsException&)
+                                       {
+                                               mbStatus = sal_False;
+                                       }
+                               }
                        }
                        break;
 
@@ -1644,6 +1654,8 @@ void PNGReaderImpl::ImplSetPixel( sal_uI
         return;
     nX >>= mnPreviewShift;
 
+    if (nPalIndex >= mpAcc->GetPaletteEntryCount())
+        throw ::com::sun::star::lang::IndexOutOfBoundsException();
     mpAcc->SetPixelIndex( nY, nX, nPalIndex );
 }
 
@@ -1674,6 +1686,8 @@ void PNGReaderImpl::ImplSetAlphaPixel( s
         return;
     nX >>= mnPreviewShift;
 
+    if (nPalIndex >= mpAcc->GetPaletteEntryCount())
+        throw ::com::sun::star::lang::IndexOutOfBoundsException();
     mpAcc->SetPixelIndex( nY, nX, nPalIndex );
     mpMaskAcc->SetPixelIndex( nY, nX, ~nAlpha );
 }