vcl/source/gdi/pngread.cxx | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-)
New commits: commit 9819064de0ac29755bbf244fb3115d5b539df85f Author: Damjan Jovanovic <dam...@apache.org> Date: Sat Nov 25 13:21:24 2017 +0000 Add range checking to PNG palette indexes, as per OSS-Fuzz issue 574. Patch by: me diff --git a/vcl/source/gdi/pngread.cxx b/vcl/source/gdi/pngread.cxx index b35db105cfca..e2ec7daa1bb5 100644 --- a/vcl/source/gdi/pngread.cxx +++ b/vcl/source/gdi/pngread.cxx @@ -36,6 +36,7 @@ #include <vcl/svapp.hxx> #include <vcl/alpha.hxx> #include <osl/endian.h> +#include <com/sun/star/lang/IndexOutOfBoundsException.hpp> // ----------- // - Defines - @@ -296,7 +297,7 @@ bool PNGReaderImpl::ReadNextChunk() if( mnChunkLen < 0 ) return false; const sal_Size nStreamPos = mrPNGStream.Tell(); - if( nStreamPos + mnChunkLen >= mnStreamSize ) + if( nStreamPos + mnChunkLen + 4 >= mnStreamSize ) return false; // calculate chunktype CRC (swap it back to original byte order) @@ -434,7 +435,16 @@ BitmapEx PNGReaderImpl::GetBitmapEx( const Size& rPreviewSizeHint ) if ( !mpInflateInBuf ) // taking care that the header has properly been read mbStatus = sal_False; else if ( !mbIDAT ) // the gfx is finished, but there may be left a zlibCRC of about 4Bytes - ImplReadIDAT(); + { + try + { + ImplReadIDAT(); + } + catch (::com::sun::star::lang::IndexOutOfBoundsException&) + { + mbStatus = sal_False; + } + } } break; @@ -1644,6 +1654,8 @@ void PNGReaderImpl::ImplSetPixel( sal_uInt32 nY, sal_uInt32 nX, sal_uInt8 nPalIn return; nX >>= mnPreviewShift; + if (nPalIndex >= mpAcc->GetPaletteEntryCount()) + throw ::com::sun::star::lang::IndexOutOfBoundsException(); mpAcc->SetPixelIndex( nY, nX, nPalIndex ); } @@ -1674,6 +1686,8 @@ void PNGReaderImpl::ImplSetAlphaPixel( sal_uInt32 nY, sal_uInt32 nX, return; nX >>= mnPreviewShift; + if (nPalIndex >= mpAcc->GetPaletteEntryCount()) + throw ::com::sun::star::lang::IndexOutOfBoundsException(); mpAcc->SetPixelIndex( nY, nX, nPalIndex ); mpMaskAcc->SetPixelIndex( nY, nX, ~nAlpha ); } _______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits