vcl/qa/cppunit/graphicfilter/data/bmp/pass/afl-sample-bad-rle-1.bmp |binary vcl/qa/cppunit/graphicfilter/data/gif/pass/afl-sample-short-read-1.gif |binary vcl/qa/cppunit/graphicfilter/data/gif/pass/afl-sample-short-read-2.gif |binary vcl/qa/cppunit/graphicfilter/data/png/pass/afl-sample-IDAT.png |binary vcl/source/filter/igif/gifread.cxx | 53 +++++----- vcl/source/gdi/dibtools.cxx | 43 +++++++- vcl/source/gdi/pngread.cxx | 6 - 7 files changed, 73 insertions(+), 29 deletions(-)
New commits: commit a129959cf3b6821cb1b13e6bb28ed410a0e3223a Author: Caolán McNamara <caol...@redhat.com> Date: Tue Nov 11 17:48:26 2014 +0000 valgrind+afl: various problems valgrind+afl: check p1 at start of loop (cherry picked from commit e76098b22e5d3f5bb422dfcca34b4d61fe2bd593) valgrind+afl: initialize cSize (cherry picked from commit 9313095ea2d5f3dcc531d658e159e16ac2cb44fd) valgrind+afl: short read (cherry picked from commit 9d7979b1319ed7360cec8765a1b387dc1e086148) valgrind+afl: initialize nFlags (cherry picked from commit f23a51c9f978a3a8796a63ebcc03f7fcad52c6dc) valgrind+afl: short read (cherry picked from commit a967c85b13819e2c81082edec0f217259dca7ca8) valgrind+afl: short read (cherry picked from commit 1e9a50075bd39e1387f43605eeaa0132af1bd2c0) valgrind+afl: bad rle (cherry picked from commit a9aee04ecfbc4494b752b10e2a2348a0ccb991f1) Change-Id: I0a9e5fc88ed1fcc7f1bd21218cabeb0adf65c9f4 Reviewed-on: https://gerrit.libreoffice.org/12383 Reviewed-by: David Tardon <dtar...@redhat.com> Tested-by: David Tardon <dtar...@redhat.com>
diff --git a/vcl/qa/cppunit/graphicfilter/data/bmp/pass/afl-sample-bad-rle-1.bmp b/vcl/qa/cppunit/graphicfilter/data/bmp/pass/afl-sample-bad-rle-1.bmp
new file mode 100644
index 0000000..1ca6e00
Binary files /dev/null and b/vcl/qa/cppunit/graphicfilter/data/bmp/pass/afl-sample-bad-rle-1.bmp differ
diff --git a/vcl/qa/cppunit/graphicfilter/data/gif/pass/afl-sample-short-read-1.gif b/vcl/qa/cppunit/graphicfilter/data/gif/pass/afl-sample-short-read-1.gif
new file mode 100644
index 0000000..7cb2a03
Binary files /dev/null and b/vcl/qa/cppunit/graphicfilter/data/gif/pass/afl-sample-short-read-1.gif differ
diff --git a/vcl/qa/cppunit/graphicfilter/data/gif/pass/afl-sample-short-read-2.gif b/vcl/qa/cppunit/graphicfilter/data/gif/pass/afl-sample-short-read-2.gif
new file mode 100644
index 0000000..cddbdc3
Binary files /dev/null and b/vcl/qa/cppunit/graphicfilter/data/gif/pass/afl-sample-short-read-2.gif differ
diff --git a/vcl/qa/cppunit/graphicfilter/data/png/pass/afl-sample-IDAT.png b/vcl/qa/cppunit/graphicfilter/data/png/pass/afl-sample-IDAT.png new file mode 100644 index 0000000..b116a92 Binary files /dev/null and b/vcl/qa/cppunit/graphicfilter/data/png/pass/afl-sample-IDAT.png differ diff --git a/vcl/source/filter/igif/gifread.cxx b/vcl/source/filter/igif/gifread.cxx index a3633cd..a0a2be2 100644 --- a/vcl/source/filter/igif/gifread.cxx +++ b/vcl/source/filter/igif/gifread.cxx @@ -184,17 +184,20 @@ bool GIFReader::ReadGlobalHeader() void GIFReader::ReadPaletteEntries( BitmapPalette* pPal, sal_uLong nCount ) { - const sal_uLong nLen = 3UL * nCount; + sal_uLong nLen = 3UL * nCount; + const sal_uInt64 nMaxPossible = rIStm.remainingSize(); + if (nLen > nMaxPossible) + nLen = nMaxPossible; boost::scoped_array<sal_uInt8> pBuf(new sal_uInt8[ nLen ]); - - rIStm.Read( pBuf.get(), nLen ); + sal_Size nRead = rIStm.Read(pBuf.get(), nLen); + nCount = nRead/3UL; if( NO_PENDING( rIStm ) ) { sal_uInt8* pTmp = pBuf.get(); - for( sal_uLong i = 0UL; i < nCount; ) + for (sal_uLong i = 0UL; i < nCount; ++i) { - BitmapColor& rColor = (*pPal)[ (sal_uInt16) i++ ]; + BitmapColor& rColor = (*pPal)[i]; rColor.SetRed( *pTmp++ ); rColor.SetGreen( *pTmp++ ); @@ -214,16 +217,15 @@ void GIFReader::ReadPaletteEntries( BitmapPalette* pPal, sal_uLong nCount ) bool GIFReader::ReadExtension() { - sal_uInt8 cFunction; - sal_uInt8 cSize; - sal_uInt8 cByte; bool bRet = false; bool bOverreadDataBlocks = false; // Extension-Label + sal_uInt8 cFunction(0); rIStm.ReadUChar( cFunction ); if( NO_PENDING( rIStm ) ) { + sal_uInt8 cSize(0); // Block length rIStm.ReadUChar( cSize ); 
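Review bot: In ReadPaletteEntries the clamp `nLen = nMaxPossible;` stores a sal_uInt64 into a sal_uLong with no cast, and the loop now indexes `(*pPal)[i]` with a sal_uLong where the old code cast to sal_uInt16; both are only safe because of the comparisons that precede them, so an explicit `nLen = static_cast<sal_uLong>(nMaxPossible);` would make the intended narrowing visible to the reader and to warning-enabled builds. The truncation is also silent: on a short stream nCount becomes nRead/3, the remaining palette entries are left as the caller initialised them, and nothing tells the caller the palette is partial, which may be fine but should be stated. A comment above the clamp such as `// clamp to the bytes the stream can still supply; a short stream yields a partial palette and the remaining entries are left untouched` would record that. ReadPaletteEntries continues past the end of this hunk.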
@@ -232,12 +234,12 @@ bool GIFReader::ReadExtension() // 'Graphic Control Extension' case( 0xf9 ) : { - sal_uInt8 cFlags; - - rIStm.ReadUChar( cFlags ); - rIStm.ReadUInt16( nTimer ); - rIStm.ReadUChar( nGCTransparentIndex ); - rIStm.ReadUChar( cByte ); + sal_uInt8 cFlags(0); + rIStm.ReadUChar(cFlags); + rIStm.ReadUInt16(nTimer); + rIStm.ReadUChar(nGCTransparentIndex); + sal_uInt8 cByte(0); + rIStm.ReadUChar(cByte); if ( NO_PENDING( rIStm ) ) { @@ -267,6 +269,7 @@ bool GIFReader::ReadExtension() // NetScape-Extension if( aAppId == "NETSCAPE" && aAppCode == "2.0" && cSize == 3 ) { + sal_uInt8 cByte(0); rIStm.ReadUChar( cByte ); // Loop-Extension @@ -293,6 +296,7 @@ bool GIFReader::ReadExtension() } else if ( aAppId == "STARDIV " && aAppCode == "5.0" && cSize == 9 ) { + sal_uInt8 cByte(0); rIStm.ReadUChar( cByte ); // Loop extension @@ -325,14 +329,17 @@ bool GIFReader::ReadExtension() bRet = true; while( cSize && bStatus && !rIStm.IsEof() ) { - sal_uInt16 nCount = (sal_uInt16) cSize + 1; - boost::scoped_array<char> pBuffer(new char[ nCount ]); + sal_uInt16 nCount = (sal_uInt16) cSize + 1; + const sal_uInt64 nMaxPossible = rIStm.remainingSize(); + if (nCount > nMaxPossible) + nCount = nMaxPossible; + boost::scoped_array<sal_uInt8> pBuffer(new sal_uInt8[nCount]); bRet = false; - rIStm.Read( pBuffer.get(), nCount ); - if( NO_PENDING( rIStm ) ) + sal_Size nRead = rIStm.Read(pBuffer.get(), nCount); + if (NO_PENDING(rIStm) && cSize < nRead) { - cSize = (sal_uInt8) pBuffer[ cSize ]; + cSize = pBuffer[cSize]; bRet = true; } else 
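Review bot: In the sub-block loop of ReadExtension the clamp `nCount = nMaxPossible;` narrows a sal_uInt64 into a sal_uInt16 without a cast; it is correct only because of the `nCount > nMaxPossible` test on the previous line, and compilers that warn on implicit narrowing will flag it. Writing `nCount = static_cast<sal_uInt16>(nMaxPossible);` states that the narrowing is deliberate, and the C-style `(sal_uInt16) cSize + 1` on the line above could be converted to a static_cast at the same time. The added `cSize < nRead` condition does keep `pBuffer[cSize]` inside the bytes actually read; the else branch it falls into, which presumably terminates the loop, starts outside the hunk.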
@@ -349,19 +356,19 @@ bool GIFReader::ReadLocalHeader() sal_uInt8 pBuf[ 9 ]; bool bRet = false; - rIStm.Read( pBuf, 9 ); - if( NO_PENDING( rIStm ) ) + sal_Size nRead = rIStm.Read(pBuf, 9); + if (NO_PENDING(rIStm) && nRead == 9) { SvMemoryStream aMemStm; BitmapPalette* pPal; - sal_uInt8 nFlags; aMemStm.SetBuffer( (char*) pBuf, 9, false, 9 ); aMemStm.ReadUInt16( nImagePosX ); aMemStm.ReadUInt16( nImagePosY ); aMemStm.ReadUInt16( nImageWidth ); aMemStm.ReadUInt16( nImageHeight ); - aMemStm.ReadUChar( nFlags ); + sal_uInt8 nFlags(0); + aMemStm.ReadUChar(nFlags); // if interlaced, first define startvalue bInterlaced = ( ( nFlags & 0x40 ) == 0x40 ); diff --git a/vcl/source/gdi/dibtools.cxx b/vcl/source/gdi/dibtools.cxx index b61a1ad..92490cb 100644 --- a/vcl/source/gdi/dibtools.cxx +++ b/vcl/source/gdi/dibtools.cxx @@ -276,9 +276,10 @@ bool ImplReadDIBPalette( SvStream& rIStm, BitmapWriteAccess& rAcc, bool bQuad ) return( rIStm.GetError() == 0UL ); } -void ImplDecodeRLE( sal_uInt8* pBuffer, DIBV5Header& rHeader, BitmapWriteAccess& rAcc, bool bRLE4 ) +bool ImplDecodeRLE( sal_uInt8* pBuffer, DIBV5Header& rHeader, BitmapWriteAccess& rAcc, bool bRLE4 ) { - Scanline pRLE = pBuffer; + Scanline pRLE = pBuffer; + Scanline pEndRLE = pBuffer + rHeader.nSizeImage; long nY = rHeader.nHeight - 1L; const sal_uLong nWidth = rAcc.Width(); sal_uLong nCountByte; @@ -289,8 +290,12 @@ void ImplDecodeRLE( sal_uInt8* pBuffer, DIBV5Header& rHeader, BitmapWriteAccess& do { + if (pRLE == pEndRLE) + return false; if( ( nCountByte = *pRLE++ ) == 0 ) { + if (pRLE == pEndRLE) + return false; nRunByte = *pRLE++; if( nRunByte > 2 ) @@ -301,6 +306,9 @@ void ImplDecodeRLE( sal_uInt8* pBuffer, DIBV5Header& rHeader, BitmapWriteAccess& for( sal_uLong i = 0UL; i < nCountByte; i++ ) { + if (pRLE == pEndRLE) + return false; + cTmp = *pRLE++; if( nX < nWidth ) 
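Review bot: ImplDecodeRLE now returns false when the encoded data runs out, but its call site in ImplReadDIBBits is not part of this diff, so nothing here shows the new return value being checked; if the caller still ignores it, a truncated RLE stream would silently produce a partially decoded bitmap rather than a failed load, which may be intended but should be a deliberate choice. The new contract also deserves a header comment, since pEndRLE is derived from rHeader.nSizeImage and the bounds checks are only meaningful if pBuffer really holds that many bytes: `// Decodes RLE4/RLE8 pixel data from pBuffer, which must hold rHeader.nSizeImage bytes. Returns false if the encoded data ends before decoding completes.` The body of ImplDecodeRLE continues in the following hunks.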
@@ -312,6 +320,9 @@ void ImplDecodeRLE( sal_uInt8* pBuffer, DIBV5Header& rHeader, BitmapWriteAccess& if( nRunByte & 1 ) { + if (pRLE == pEndRLE) + return false; + if( nX < nWidth ) rAcc.SetPixelIndex( nY, nX++, *pRLE >> 4 ); @@ -319,12 +330,20 @@ void ImplDecodeRLE( sal_uInt8* pBuffer, DIBV5Header& rHeader, BitmapWriteAccess& } if( ( ( nRunByte + 1 ) >> 1 ) & 1 ) + { + if (pRLE == pEndRLE) + return false; + pRLE++; + } } else { for( sal_uLong i = 0UL; i < nRunByte; i++ ) { + if (pRLE == pEndRLE) + return false; + if( nX < nWidth ) rAcc.SetPixelIndex( nY, nX++, *pRLE ); @@ -332,7 +351,12 @@ void ImplDecodeRLE( sal_uInt8* pBuffer, DIBV5Header& rHeader, BitmapWriteAccess& } if( nRunByte & 1 ) + { + if (pRLE == pEndRLE) + return false; + pRLE++; + } } } else if( !nRunByte ) @@ -344,12 +368,21 @@ void ImplDecodeRLE( sal_uInt8* pBuffer, DIBV5Header& rHeader, BitmapWriteAccess& bEndDecoding = true; else { + if (pRLE == pEndRLE) + return false; + nX += *pRLE++; + + if (pRLE == pEndRLE) + return false; + nY -= *pRLE++; } } else { + if (pRLE == pEndRLE) + return false; cTmp = *pRLE++; if( bRLE4 ) @@ -375,7 +408,9 @@ void ImplDecodeRLE( sal_uInt8* pBuffer, DIBV5Header& rHeader, BitmapWriteAccess& } } } - while ( !bEndDecoding && ( nY >= 0L ) ); + while (!bEndDecoding && (nY >= 0L)); + + return true; } bool ImplReadDIBBits(SvStream& rIStm, DIBV5Header& rHeader, BitmapWriteAccess& rAcc, BitmapWriteAccess* pAccAlpha, bool bTopDown, bool& rAlphaUsed) @@ -444,7 +479,7 @@ bool ImplReadDIBBits(SvStream& rIStm, DIBV5Header& rHeader, BitmapWriteAccess& r boost::scoped_array<sal_uInt8> pBuffer( new sal_uInt8[rHeader.nSizeImage]); - if (rIStm.Read((char*)pBuffer.get(), rHeader.nSizeImage) + if (rIStm.Read(pBuffer.get(), rHeader.nSizeImage) != rHeader.nSizeImage) { return false; diff --git a/vcl/source/gdi/pngread.cxx b/vcl/source/gdi/pngread.cxx index 6198c48..7964cd7 100644 --- a/vcl/source/gdi/pngread.cxx +++ b/vcl/source/gdi/pngread.cxx 
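Review bot: ImplReadDIBBits allocates `new sal_uInt8[rHeader.nSizeImage]` before checking whether the stream can supply that many bytes, so a header with an inflated nSizeImage (exactly the kind of input afl generates) forces a large allocation that is only rejected afterwards by the short-read comparison. The gifread hunks in this same commit already bound buffers with `rIStm.remainingSize()` before allocating; doing the same here, `if (rHeader.nSizeImage > rIStm.remainingSize()) return false;` ahead of the allocation, rejects such files without touching a byte and leaves behaviour for well-formed files unchanged. The enclosing function begins before this hunk and continues after it.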
@@ -1030,9 +1030,11 @@ void PNGReaderImpl::ImplApplyFilter() p1 += mnBPP; // use left pixels - do + while (p1 < pScanEnd) + { *p1 = static_cast<sal_uInt8>( *p1 + *(p2++) ); - while( ++p1 < pScanEnd ); + ++p1; + } } break;
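Review bot: The switch from do/while to while in ImplApplyFilter is correct, but the reason is not visible from the code: after `p1 += mnBPP` the pointer can apparently already sit at pScanEnd (a scanline shorter than one pixel), and the old loop dereferenced it once before testing. A one-line comment would keep the next person from "simplifying" it back: `// p1 may already equal pScanEnd on a short scanline; test before dereferencing`. The same loop could also be written `for (; p1 < pScanEnd; ++p1, ++p2) *p1 = static_cast<sal_uInt8>(*p1 + *p2);`, which makes the paired advance of p1 and p2 explicit. ImplApplyFilter starts and ends outside the hunk.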