vcl/source/filter/png/PngImageWriter.cxx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
New commits: commit eda0c48278da6549c01c9f0ce4f469249e420d63 Author: Stephan Bergmann <sberg...@redhat.com> AuthorDate: Wed Jul 20 14:27:37 2022 +0200 Commit: Stephan Bergmann <sberg...@redhat.com> CommitDate: Wed Jul 20 21:43:44 2022 +0200 Make combineScanlineChannels stop before padding bytes At <https://ci.libreoffice.org/job/lo_ubsan/2467>, CppunitTest_sd_export_tests-ooxml1 failed with > ==4831==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000211c54 at pc 0x7fcdcb44093f bp 0x7ffe85792760 sp 0x7ffe85792758 > READ of size 1 at 0x629000211c54 thread T0 > #0 0x7fcdcb44093e in (anonymous namespace)::combineScanlineChannels(unsigned char*, unsigned char*, unsigned char*, unsigned int) /vcl/source/filter/png/PngImageWriter.cxx:27:22 > #1 0x7fcdcb43fbaf in vcl::pngWrite(SvStream&, BitmapEx const&, int, bool, bool, std::__debug::vector<vcl::PngChunk, std::allocator<vcl::PngChunk> > const&) /vcl/source/filter/png/PngImageWriter.cxx:231:21 > #2 0x7fcdcb43ce80 in vcl::PngImageWriter::write(BitmapEx const&) /vcl/source/filter/png/PngImageWriter.cxx:318:12 > #3 0x7fcdcaf04bc1 in GraphicFilter::ExportGraphic(Graphic const&, std::basic_string_view<char16_t, std::char_traits<char16_t> >, SvStream&, unsigned short, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const*) /vcl/source/filter/graphicfilter.cxx:1801:28 > 0x629000211c54 is located 0 bytes to the right of 19028-byte region [0x62900020d200,0x629000211c54) > allocated by thread T0 here: > #0 0x4fd898 in operator new[](unsigned long) /home/tdf/lode/packages/llvm-llvmorg-12.0.1.src/compiler-rt/lib/asan/asan_new_delete.cpp:102 > #1 0x7fcdcbcbd50b in ImplCreateDIB(Size const&, vcl::PixelFormat, BitmapPalette const&) /vcl/headless/svpbmp.cxx:123:24 > #2 0x7fcdcbcbb483 in SvpSalBitmap::Create(Size const&, vcl::PixelFormat, BitmapPalette const&) /vcl/headless/svpbmp.cxx:152:13 > #3 0x7fcdca406c59 in Bitmap::Bitmap(Size const&, vcl::PixelFormat, BitmapPalette const*) 
/vcl/source/bitmap/bitmap.cxx:136:15 because for the given N24BitTcBgr bitmap of size 89x71 we have pAccess->GetScanlineSize() = 268 = 89 * 3 + 1, so combineScanlineChannels wanted to erroneously read an excessive 90th RGB triplet. Change-Id: Ida117999de075b8906f43bfe4c2b7fa98df80b0f Reviewed-on: https://gerrit.libreoffice.org/c/core/+/137261 Tested-by: Jenkins Reviewed-by: Stephan Bergmann <sberg...@redhat.com>
diff --git a/vcl/source/filter/png/PngImageWriter.cxx b/vcl/source/filter/png/PngImageWriter.cxx
index 2d883c1dea5c..d18c410d1359 100644
--- a/vcl/source/filter/png/PngImageWriter.cxx
+++ b/vcl/source/filter/png/PngImageWriter.cxx
@@ -21,7 +21,8 @@ void combineScanlineChannels(Scanline pRGBScanline, Scanline pAlphaScanline, Sca
 assert(pRGBScanline && "RGB scanline is null");
 assert(pAlphaScanline && "Alpha scanline is null");
- for (sal_uInt32 i = 0; i < nSize; i += 3)
+ auto const width = nSize / 3;
+ for (sal_uInt32 i = 0; i < width; ++i)
 {
 *pResult++ = *pRGBScanline++; // R
 *pResult++ = *pRGBScanline++; // G