vcl/source/filter/itiff/itiff.cxx | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-)
New commits: commit 728ff63903083f3bc4321e8fbbb2c1d4b1755a0c Author: Stephan Bergmann <[email protected]> AuthorDate: Mon May 23 14:57:18 2022 +0200 Commit: Caolán McNamara <[email protected]> CommitDate: Mon May 23 18:17:10 2022 +0200 Bad hack to silence UBSan nullptr-with-offset ...since e912a446210fdae61be3fc04d20d90488cedcdf6 "tiff: use more complicated apis to need a smaller buffer during read" in CppunitTest_vcl_filters_test, > [_RUN_____] TiffFilterTest::testCVEs [...] > tif_getimage.c:998:21: runtime error: applying zero offset to null pointer > #0 0x7f487da9d408 in gtStripContig /workdir/UnpackedTarball/libtiff/libtiff/tif_getimage.c:998:21 > #1 0x7f487da97c27 in TIFFRGBAImageGet /workdir/UnpackedTarball/libtiff/libtiff/tif_getimage.c:512:12 > #2 0x7f487bd1a56c in ImportTiffGraphicImport(SvStream&, Graphic&) /vcl/source/filter/itiff/itiff.cxx:219:19 > #3 0x7f485d820126 in TiffFilterTest::load(rtl::OUString const&, rtl::OUString const&, rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int) /vcl/qa/cppunit/graphicfilter/filters-tiff-test.cxx:70:12 > #4 0x7f485a49ffa0 in test::FiltersTest::recursiveScan(test::filterStatus, rtl::OUString const&, rtl::OUString const&, rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int, bool) /unotest/source/cpp/filters-test.cxx:132:20 > #5 0x7f485a4a3a52 in test::FiltersTest::testDir(rtl::OUString const&, std::basic_string_view<char16_t, std::char_traits<char16_t> >, rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int, bool) /unotest/source/cpp/filters-test.cxx:157:5 > #6 0x7f485d8206f9 in TiffFilterTest::testCVEs() /vcl/qa/cppunit/graphicfilter/filters-tiff-test.cxx:76:5 (<https://ci.libreoffice.org/job/lo_ubsan/2406/>). (If UBSan or some other tool starts to flag this too, we'll probably need to pass in a nullptr after all and teach libtiff to treat that case specially and not advance it.) 
Change-Id: I4477e6c7036c3c5f2782c2c90c612d98fee60468
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/134822
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <[email protected]>
diff --git a/vcl/source/filter/itiff/itiff.cxx b/vcl/source/filter/itiff/itiff.cxx
index 292621ed0b83..9f51e28df0a9 100644
--- a/vcl/source/filter/itiff/itiff.cxx
+++ b/vcl/source/filter/itiff/itiff.cxx
@@ -267,7 +267,14 @@ bool ImportTiffGraphicImport(SvStream& rTIFF, Graphic& rGraphic)
img.put.separate = putSeparatePixel;
}
- bOk = TIFFRGBAImageGet(&img, nullptr, w, img.height);
+ bOk = TIFFRGBAImageGet(
+ &img, reinterpret_cast<uint32_t *>(sizeof (uint32_t)), w, img.height);
+ // we don't access TIFFRGBAImageGet's raster argument in our custom putContigPixel/
+ // putSeparatePixel functions, but TIFFRGBAImageGet nevertheless internally
+ // advances that pointer, so passing nullptr would cause UBSan nullptr-with-offset
+ // errors; while technically still UB, this HACK of passing a non-null pointer keeps
+ // UBSan happy for now (and better use an artificial pointer value which would
+ // hopefully cause SIGSEGV if it should erroneously be dereferenced after all)
TIFFRGBAImageEnd(&img);
} else
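Review bot: The fake raster pointer is only safe under an invariant the new code states in prose after the call — that every path reaching `TIFFRGBAImageGet` has installed our own `putContigPixel`/`putSeparatePixel`, because libtiff's stock put routines do, as far as I know, write through `raster` — yet the hunk shows only the `img.put.separate` assignment inside a branch whose opening is outside the hunk, so the contig side is unverified here. I'd move the comment above the call so `reinterpret_cast<uint32_t *>(sizeof (uint32_t))` is explained before a reader meets it, and make the precondition explicit, e.g. `// INVARIANT: img.put must be one of our own callbacks above; they ignore raster, libtiff's defaults would write through this bogus pointer`; if the surrounding branches permit, an `assert` comparing the installed callback against the two local ones would make that checked rather than trusted. The alternative that avoids introducing a second UB pattern in our own code is to keep `nullptr` and suppress the `pointer-overflow` check with a UBSan suppression entry scoped to libtiff's tif_getimage.c, which the commit message half-considers. ImportTiffGraphicImport starts and ends outside the hunk.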
