emfio/inc/mtftools.hxx | 16 ++++++++++++++++ filter/source/graphicfilter/ipict/ipict.cxx | 27 ++++++++++++++++++--------- filter/source/graphicfilter/itiff/itiff.cxx | 16 +++++++++++++--- vcl/workben/wmffuzzer.cxx | 4 ++++ 4 files changed, 51 insertions(+), 12 deletions(-)
New commits: commit e1b9b8c91afdb9cb47d3c463a6a28ed4e23f63aa Author: Caolán McNamara <caol...@redhat.com> Date: Mon Sep 25 09:48:38 2017 +0100 tighten up the pict filter a tad Change-Id: Ib09a33a97a79fdeb5b61d486af4f11b5cc4035ec diff --git a/filter/source/graphicfilter/ipict/ipict.cxx b/filter/source/graphicfilter/ipict/ipict.cxx index 6911b02781c0..5da3e1a8844b 100644 --- a/filter/source/graphicfilter/ipict/ipict.cxx +++ b/filter/source/graphicfilter/ipict/ipict.cxx @@ -741,8 +741,16 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap &rBitmap, bool bBaseAddr, bool bColo // Read PixMap or Bitmap structure; sal_uInt16 nRowBytes(0), nBndX(0), nBndY(0), nWidth(0), nHeight(0); pPict->ReadUInt16(nRowBytes).ReadUInt16(nBndY).ReadUInt16(nBndX).ReadUInt16(nHeight).ReadUInt16(nWidth); + if (nBndY > nHeight) + return 0xffffffff; nHeight = nHeight - nBndY; + if (nHeight == 0) + return 0xffffffff; + if (nBndX > nWidth) + return 0xffffffff; nWidth = nWidth - nBndX; + if (nWidth == 0) + return 0xffffffff; sal_uInt16 nDstBitCount = 1; BitmapPalette aPalette; @@ -1093,7 +1101,8 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap &rBitmap, bool bBaseAddr, bool bColo if ( ( pAcc = initBitmap(aBitmap, nWidth, nHeight, nDstBitCount, aPalette) ) == nullptr ) return 0xffffffff; - std::unique_ptr<sal_uInt8[]> pScanline(new sal_uInt8[static_cast<size_t>(nWidth) * nCmpCount]); + size_t nByteWidth = static_cast<size_t>(nWidth) * nCmpCount; + std::vector<sal_uInt8> aScanline(nByteWidth); for (sal_uInt16 ny = 0; ny < nHeight; ++ny) { nSrcBitsPos = pPict->Tell(); 
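Review bot: In the @@ -741 hunk of ipict.cxx, the four new early returns around the `nHeight`/`nWidth` subtractions can be a single guard placed before both subtractions, `if (nBndY >= nHeight || nBndX >= nWidth) return 0xffffffff;`, which rejects exactly the same inputs. A one-line comment such as `// bounds come from the file; an unchecked sal_uInt16 subtraction would wrap to a large dimension` would record why the check exists. `nRowBytes` is read in the same statement, but nothing in this hunk validates it against the resulting width. Whether that happens later is not visible, because ReadPixMapEtc continues outside the hunk.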
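Review bot: `nByteWidth` in the @@ -1093 hunk of ipict.cxx is never reassigned in the visible lines and is the loop bound in the @@ -1109 and @@ -1130 hunks, so it should be declared `const size_t nByteWidth = static_cast<size_t>(nWidth) * nCmpCount;`. The declaration of `nCmpCount` and any range check on it lie outside the hunk. If the value is taken from the file, a comment next to this allocation stating its allowed values would help, since the scanline size depends on it. The enclosing `for` loop and the function continue outside the hunk.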
@@ -1109,20 +1118,20 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap &rBitmap, bool bBaseAddr, bool bColo nByteCount++; } size_t i = 0; - while( i < (sal_uInt32)( nWidth * nCmpCount ) ) + while (i < nByteWidth) { pPict->ReadUChar( nFlagCounterByte ); if ( ( nFlagCounterByte & 0x80 ) == 0) { nCount = ( (sal_uInt16)nFlagCounterByte ) + 1; - if ( ( i + nCount ) > static_cast<size_t>(nWidth) * nCmpCount ) - nCount = static_cast<size_t>(nWidth) * nCmpCount - i; + if ((i + nCount) > nByteWidth) + nCount = nByteWidth - i; if (pPict->remainingSize() < nCount) BITMAPERROR; while( nCount-- ) { pPict->ReadUChar( nDat ); - pScanline[ i++ ] = nDat; + aScanline[ i++ ] = nDat; } } else @@ -1130,14 +1139,14 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap &rBitmap, bool bBaseAddr, bool bColo if (pPict->remainingSize() < 1) BITMAPERROR; nCount = ( 1 - sal_Int16( ( (sal_uInt16)nFlagCounterByte ) | 0xff00 ) ); - if ( ( i + nCount ) > static_cast<size_t>(nWidth) * nCmpCount) - nCount = static_cast<size_t>(nWidth) * nCmpCount - i; + if (( i + nCount) > nByteWidth) + nCount = nByteWidth - i; pPict->ReadUChar( nDat ); while( nCount-- ) - pScanline[ i++ ] = nDat; + aScanline[ i++ ] = nDat; } } - sal_uInt8* pTmp = pScanline.get(); + sal_uInt8* pTmp = aScanline.data(); if ( nCmpCount == 4 ) pTmp += nWidth; for (sal_uInt16 nx = 0; nx < nWidth; pTmp++) commit 88a23bba104b51af766c86b51b69d80c7fe37ee3 Author: Caolán McNamara <caol...@redhat.com> Date: Mon Sep 25 09:14:19 2017 +0100 Conditional jump or move depends on uninitialised value Change-Id: I772c38c62950edbcde450889bae61dc37118b8cd diff --git a/emfio/inc/mtftools.hxx b/emfio/inc/mtftools.hxx index 6eb9367bb3e8..d9f9dd62ea22 100644 --- a/emfio/inc/mtftools.hxx +++ b/emfio/inc/mtftools.hxx 
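Review bot: At the end of the @@ -1130 hunk in ipict.cxx, `sal_uInt8* pTmp = aScanline.data();` followed by `pTmp += nWidth` goes straight back to unchecked pointer arithmetic, so moving to std::vector does not by itself bound the reads in the `nx` loop. The loop body is outside the hunk, so the offsets it reads cannot be checked here; presumably it relies on `nCmpCount` being 3 or 4. An assertion ahead of the loop, e.g. `assert(nByteWidth >= static_cast<size_t>(nWidth) * 3);`, would document that assumption. The factor 3 is a guess and should be adjusted to what the loop body actually reads.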
@@ -129,6 +129,22 @@ namespace emfio sal_uInt8 lfQuality; sal_uInt8 lfPitchAndFamily; OUString alfFaceName; + LOGFONTW() + : lfHeight(0) + , lfWidth(0) + , lfEscapement(0) + , lfOrientation(0) + , lfWeight(0) + , lfItalic(0) + , lfUnderline(0) + , lfStrikeOut(0) + , lfCharSet(0) + , lfOutPrecision(0) + , lfClipPrecision(0) + , lfQuality(0) + , lfPitchAndFamily(0) + { + } }; } commit 1e1f2e677fbf6c8043318450640f54c892699d55 Author: Caolán McNamara <caol...@redhat.com> Date: Mon Sep 25 09:05:42 2017 +0100 Direct-leak fix effort Change-Id: If267c2d40b9e511a8e13be34bb7ba09048a736c5 diff --git a/vcl/workben/wmffuzzer.cxx b/vcl/workben/wmffuzzer.cxx index 2300f181c673..1a05174e7502 100644 --- a/vcl/workben/wmffuzzer.cxx +++ b/vcl/workben/wmffuzzer.cxx @@ -23,6 +23,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) SvMemoryStream aStream(const_cast<uint8_t*>(data), size, StreamMode::READ); GDIMetaFile aGDIMetaFile; (void)ReadWindowMetafile(aStream, aGDIMetaFile); + //fontconfigs alloc mechanism is too complicated for lsan/valgrind so + //force the fontconfig options to be released now, they are demand loaded + //so will be recreated if necessary + SvpSalGraphics::getPlatformGlyphCache().ClearFontOptions(); return 0; } commit 651e1f6cda04468394c65c2fd88d915902ac0306 Author: Caolán McNamara <caol...@redhat.com> Date: Mon Sep 25 09:03:49 2017 +0100 ofz: divide-by-zero Change-Id: Ie9a21a1432a98af3dca9a397057b7887ff30375f diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx index 083143600fc0..7298da030cc6 100644 --- a/filter/source/graphicfilter/itiff/itiff.cxx +++ b/filter/source/graphicfilter/itiff/itiff.cxx 
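Review bot: The new `LOGFONTW()` constructor in mtftools.hxx repeats every scalar member in an initializer list, which has to be kept in step by hand whenever a field is added. Default member initializers at the declarations, e.g. `sal_uInt8 lfQuality = 0;` and `sal_uInt8 lfPitchAndFamily = 0;`, give the same zeroed state without a constructor. Only the last three members are visible in the hunk, so the types of the earlier fields have to be taken from the struct, which starts outside it. This assumes the project's baseline compiler accepts in-class initializers.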
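Review bot: The comment added before `ClearFontOptions()` in wmffuzzer.cxx is hard to parse and could be reworded as `// fontconfig's allocation scheme is too complicated for LSan/Valgrind to track, so` / `// release the font options now; they are loaded on demand and recreated if needed`. Because the release runs after every input, inputs that use fonts will presumably reload the options each time, which may slow the fuzzer. If that trade-off is deliberate, the comment should say so.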
@@ -1345,11 +1345,21 @@ bool TIFFReader::ReadTIFF(SvStream & rTIFF, Graphic & rGraphic ) else nPlanes = nSamplesPerPixel; + bStatus = nPlanes != 0; + } + + sal_uInt32 nDiv = GetRowsPerStrip() + 1; + + if ( bStatus ) + { + bStatus = (nDiv != 0); + } + + if ( bStatus ) + { if ( ( nFillOrder == 2 ) && ( nCompression != 5 ) ) // in the LZW mode bits are already being inverted bByteSwap = true; - - nStripsPerPlane = ( nImageLength - 1 ) / GetRowsPerStrip() + 1; - bStatus = nPlanes != 0; + nStripsPerPlane = ( nImageLength - 1 ) / nDiv; } if ( bStatus )
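Review bot: The rewritten strip count in itiff.cxx's ReadTIFF changes the arithmetic. The removed line `( nImageLength - 1 ) / GetRowsPerStrip() + 1` parses as `((nImageLength - 1) / rows) + 1`, while the new code divides by `nDiv = GetRowsPerStrip() + 1`, so `nStripsPerPlane` comes out different (for example 0 instead of 1 when the whole image fits in one strip). The zero test then guards `rows + 1`, which is 0 only when GetRowsPerStrip() returns the maximum sal_uInt32 value, not when it returns 0. Suggested: `sal_uInt32 nDiv = GetRowsPerStrip();` and `nStripsPerPlane = ( nImageLength - 1 ) / nDiv + 1;`, keeping the `bStatus = (nDiv != 0);` check. GetRowsPerStrip() is defined outside the hunk, so whether it can return 0 is not visible here.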