vcl/source/filter/png/PngImageWriter.cxx | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
New commits:
commit eda0c48278da6549c01c9f0ce4f469249e420d63
Author: Stephan Bergmann <sberg...@redhat.com>
AuthorDate: Wed Jul 20 14:27:37 2022 +0200
Commit: Stephan Bergmann <sberg...@redhat.com>
CommitDate: Wed Jul 20 21:43:44 2022 +0200
Make combineScanlineChannels stop before padding bytes
At <https://ci.libreoffice.org/job/lo_ubsan/2467>,
CppunitTest_sd_export_tests-ooxml1 failed with
> ==4831==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x629000211c54 at pc 0x7fcdcb44093f bp 0x7ffe85792760 sp 0x7ffe85792758
> READ of size 1 at 0x629000211c54 thread T0
> #0 0x7fcdcb44093e in (anonymous
namespace)::combineScanlineChannels(unsigned char*, unsigned char*, unsigned
char*, unsigned int) /vcl/source/filter/png/PngImageWriter.cxx:27:22
> #1 0x7fcdcb43fbaf in vcl::pngWrite(SvStream&, BitmapEx const&, int,
bool, bool, std::__debug::vector<vcl::PngChunk, std::allocator<vcl::PngChunk> >
const&) /vcl/source/filter/png/PngImageWriter.cxx:231:21
> #2 0x7fcdcb43ce80 in vcl::PngImageWriter::write(BitmapEx const&)
/vcl/source/filter/png/PngImageWriter.cxx:318:12
> #3 0x7fcdcaf04bc1 in GraphicFilter::ExportGraphic(Graphic const&,
std::basic_string_view<char16_t, std::char_traits<char16_t> >, SvStream&,
unsigned short,
com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const*)
/vcl/source/filter/graphicfilter.cxx:1801:28
> 0x629000211c54 is located 0 bytes to the right of 19028-byte region
[0x62900020d200,0x629000211c54)
> allocated by thread T0 here:
> #0 0x4fd898 in operator new[](unsigned long)
/home/tdf/lode/packages/llvm-llvmorg-12.0.1.src/compiler-rt/lib/asan/asan_new_delete.cpp:102
> #1 0x7fcdcbcbd50b in ImplCreateDIB(Size const&, vcl::PixelFormat,
BitmapPalette const&) /vcl/headless/svpbmp.cxx:123:24
> #2 0x7fcdcbcbb483 in SvpSalBitmap::Create(Size const&,
vcl::PixelFormat, BitmapPalette const&) /vcl/headless/svpbmp.cxx:152:13
> #3 0x7fcdca406c59 in Bitmap::Bitmap(Size const&, vcl::PixelFormat,
BitmapPalette const*) /vcl/source/bitmap/bitmap.cxx:136:15
because for the given N24BitTcBgr bitmap of size 89x71 we have
pAccess->GetScanlineSize() = 268 = 89 * 3 + 1, so combineScanlineChannels
wanted
to erroneously read an excessive 90th RGB triplet.
Change-Id: Ida117999de075b8906f43bfe4c2b7fa98df80b0f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/137261
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sberg...@redhat.com>
diff --git a/vcl/source/filter/png/PngImageWriter.cxx
b/vcl/source/filter/png/PngImageWriter.cxx
index 2d883c1dea5c..d18c410d1359 100644
--- a/vcl/source/filter/png/PngImageWriter.cxx
+++ b/vcl/source/filter/png/PngImageWriter.cxx
@@ -21,7 +21,8 @@ void combineScanlineChannels(Scanline pRGBScanline, Scanline
pAlphaScanline, Sca
assert(pRGBScanline && "RGB scanline is null");
assert(pAlphaScanline && "Alpha scanline is null");
- for (sal_uInt32 i = 0; i < nSize; i += 3)
+ auto const width = nSize / 3;
+ for (sal_uInt32 i = 0; i < width; ++i)
{
*pResult++ = *pRGBScanline++; // R
*pResult++ = *pRGBScanline++; // G
