[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/psd/pass/hang-1.psd |binary filter/source/graphicfilter/ipsd/ipsd.cxx | 19 ++- 2 files changed, 10 insertions(+), 9 deletions(-) New commits: commit c9e824687521ef2c3a90ba969627178b372d885c Author: Caolán McNamaraDate: Thu Sep 10 09:24:13 2015 +0100 fix size check related hang Change-Id: I3e8aa5c48ba802cd363688502b44e27bfdf67f01 (cherry picked from commit b02f1c58e7bb8b6c9381107431557d3f39794fe0) Reviewed-on: https://gerrit.libreoffice.org/18464 Tested-by: Jenkins Reviewed-by: David Tardon Tested-by: David Tardon diff --git a/filter/qa/cppunit/data/psd/pass/hang-1.psd b/filter/qa/cppunit/data/psd/pass/hang-1.psd new file mode 100644 index 000..8f557dd Binary files /dev/null and b/filter/qa/cppunit/data/psd/pass/hang-1.psd differ diff --git a/filter/source/graphicfilter/ipsd/ipsd.cxx b/filter/source/graphicfilter/ipsd/ipsd.cxx index 7fbd5ab..a5bea9f 100644 --- a/filter/source/graphicfilter/ipsd/ipsd.cxx +++ b/filter/source/graphicfilter/ipsd/ipsd.cxx @@ -172,9 +172,6 @@ bool PSDReader::ReadPSD(Graphic & rGraphic ) bool PSDReader::ImplReadHeader() { -sal_uInt16 nCompression; -sal_uInt32 nColorLength, nResourceLength, nLayerMaskLength; - mpFileHeader = new PSDFileHeader; m_rPSD.ReadUInt32( mpFileHeader->nSignature ).ReadUInt16( mpFileHeader->nVersion ).ReadUInt32( mpFileHeader->nPad1 ).ReadUInt16( mpFileHeader->nPad2 ).ReadUInt16( mpFileHeader->nChannels ).ReadUInt32( mpFileHeader->nRows ).ReadUInt32( mpFileHeader->nColumns ).ReadUInt16( mpFileHeader->nDepth ).ReadUInt16( mpFileHeader->nMode ); @@ -194,6 +191,7 @@ bool PSDReader::ImplReadHeader() mnDestBitDepth = ( nDepth == 16 ) ? 8 : nDepth; +sal_uInt32 nColorLength(0); m_rPSD.ReadUInt32( nColorLength ); if ( mpFileHeader->nMode == PSD_CMYK ) { 
@@ -270,7 +268,10 @@ bool PSDReader::ImplReadHeader() default: return false; } -m_rPSD.ReadUInt32( nResourceLength ); +sal_uInt32 nResourceLength(0); +m_rPSD.ReadUInt32(nResourceLength); +if (nResourceLength > m_rPSD.remainingSize()) +return false; sal_uInt32 nLayerPos = m_rPSD.Tell() + nResourceLength; // this is a loop over the resource entries to get the resolution info @@ -291,8 +292,8 @@ bool PSDReader::ImplReadHeader() if ( nResEntryLen & 1 ) nResEntryLen++; // the resource entries are padded sal_uInt32 nCurrentPos = m_rPSD.Tell(); -if ( ( nResEntryLen + nCurrentPos ) > nLayerPos ) // check if size -break; // is possible +if (nResEntryLen > (nLayerPos - nCurrentPos)) // check if size +break; // is possible switch( nUniqueID ) { case 0x3ed :// UID for the resolution info @@ -307,10 +308,12 @@ bool PSDReader::ImplReadHeader() m_rPSD.Seek( nCurrentPos + nResEntryLen ); // set the stream to the next } // resource entry m_rPSD.Seek( nLayerPos ); +sal_uInt32 nLayerMaskLength(0); m_rPSD.ReadUInt32( nLayerMaskLength ); m_rPSD.SeekRel( nLayerMaskLength ); -m_rPSD.ReadUInt16( nCompression ); +sal_uInt16 nCompression(0); +m_rPSD.ReadUInt16(nCompression); if ( nCompression == 0 ) { mbCompression = false; @@ -326,8 +329,6 @@ bool PSDReader::ImplReadHeader() return true; } - - bool PSDReader::ImplReadBody() { sal_uLong nX, nY; ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
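Review bot: The rewritten bound `nResEntryLen > (nLayerPos - nCurrentPos)` in the resource-entry loop is only sound while nCurrentPos has not passed nLayerPos. If the per-entry reads that precede it (outside this hunk) move the stream beyond nLayerPos, the unsigned subtraction wraps and every length is accepted. Covering both cases keeps the check tight: `if (nCurrentPos > nLayerPos || nResEntryLen > nLayerPos - nCurrentPos) break;`. The padding step `nResEntryLen++` just above can also wrap a maximal length to 0 if that variable is 32 bits wide, so it is worth rejecting such a value before the increment. The loop header is outside the hunk, so whether it already bounds Tell() could not be confirmed.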
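Review bot: nLayerMaskLength goes to `m_rPSD.SeekRel()` without the remainingSize() comparison that this commit adds for nResourceLength, and the stream state is not tested after `ReadUInt16(nCompression)`. Because nCompression is now initialised to 0, a failed read is indistinguishable from the "no compression" value and takes the `nCompression == 0` branch. Consider `if (nLayerMaskLength > m_rPSD.remainingSize()) return false;` before the seek and `if (!m_rPSD.good()) return false;` after the read. The rest of that branch lies outside the hunk.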
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/ras/fail/hang-1.ras |binary filter/source/graphicfilter/iras/iras.cxx | 47 +++-- 2 files changed, 32 insertions(+), 15 deletions(-) New commits: commit 07e60c9fe65002f698524a838150c457daef2d77 Author: Caolán McNamaraDate: Fri Sep 11 15:38:01 2015 +0100 check stream status more often Change-Id: I233c2fff9c06a81117f8114ccee83b53ea4026db (cherry picked from commit b43e03353aeb04ed74a272d98df03dd7c20f3478) Reviewed-on: https://gerrit.libreoffice.org/18505 Tested-by: Jenkins Reviewed-by: David Tardon diff --git a/filter/qa/cppunit/data/ras/fail/hang-1.ras b/filter/qa/cppunit/data/ras/fail/hang-1.ras new file mode 100644 index 000..44dec67 Binary files /dev/null and b/filter/qa/cppunit/data/ras/fail/hang-1.ras differ diff --git a/filter/source/graphicfilter/iras/iras.cxx b/filter/source/graphicfilter/iras/iras.cxx index 5877fa2..e3209bd 100644 --- a/filter/source/graphicfilter/iras/iras.cxx +++ b/filter/source/graphicfilter/iras/iras.cxx 
@@ -222,31 +222,43 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc) case 1 : for (y = 0; y < mnHeight && mbStatus; ++y) { -for ( x = 0; x < mnWidth; x++ ) +for (x = 0; x < mnWidth && mbStatus; ++x) { if (!(x & 7)) +{ nDat = ImplGetByte(); +if (!m_rRAS.good()) +mbStatus = false; +} pAcc->SetPixelIndex( y, x, sal::static_int_cast< sal_uInt8 >( nDat >> ( ( x & 7 ) ^ 7 )) ); } -if (!( ( x - 1 ) & 0x8 ) ) ImplGetByte(); // WORD ALIGNMENT ??? -if (!m_rRAS.good()) -mbStatus = false; +if (!( ( x - 1 ) & 0x8 ) ) +{ +ImplGetByte(); // WORD ALIGNMENT ??? +if (!m_rRAS.good()) +mbStatus = false; +} } break; case 8 : for (y = 0; y < mnHeight && mbStatus; ++y) { -for ( x = 0; x < mnWidth; x++ ) +for (x = 0; x < mnWidth && mbStatus; ++x) { nDat = ImplGetByte(); pAcc->SetPixelIndex( y, x, nDat ); +if (!m_rRAS.good()) +mbStatus = false; +} +if ( x & 1 ) +{ +ImplGetByte(); // WORD ALIGNMENT ??? +if (!m_rRAS.good()) +mbStatus = false; } -if ( x & 1 ) ImplGetByte(); // WORD ALIGNMENT ??? -if (!m_rRAS.good()) -mbStatus = false; } break; @@ -257,7 +269,7 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc) case 24 : for (y = 0; y < mnHeight && mbStatus; ++y) { -for ( x = 0; x < mnWidth; x++ ) +for (x = 0; x < mnWidth && mbStatus; ++x) { if ( mnType == RAS_TYPE_RGB_FORMAT ) { @@ -272,17 +284,22 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc) nRed = ImplGetByte(); } pAcc->SetPixel ( y, x, BitmapColor( nRed, nGreen, nBlue ) ); +if (!m_rRAS.good()) +mbStatus = false; +} +if ( x & 1 ) +{ +ImplGetByte(); // WORD ALIGNMENT ??? +if (!m_rRAS.good()) +mbStatus = false; } -if ( x & 1 ) ImplGetByte(); // WORD ALIGNMENT ??? -if (!m_rRAS.good()) -mbStatus = false; } break; case 32 : for (y = 0; y < mnHeight && mbStatus; ++y) { -for ( x = 0; x < mnWidth; x++ ) +for (x = 0; x < mnWidth && mbStatus; ++x) { nDat = ImplGetByte(); // pad byte > nil if ( mnType == RAS_TYPE_RGB_FORMAT ) @@ -298,9 +315,9 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc) nRed = ImplGetByte(); }
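Review bot: In the 1-bit and 8-bit cases the inner loop still stores a pixel for the iteration whose read failed, because the new `m_rRAS.good()` test only clears mbStatus and the loop condition is not re-evaluated until the next pass. In the 8-bit case the test even comes after `pAcc->SetPixelIndex( y, x, nDat )`. The 24-bit hunk has the same ordering with `SetPixel`. Leaving the loop at the point of failure, `if (!m_rRAS.good()) { mbStatus = false; break; }` placed directly after the read, keeps bytes from a failed read out of the bitmap. The repeated good()/mbStatus pair could also be moved into one small helper so the cases cannot drift apart. ImplReadBody starts before the hunk and continues after it.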
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/met/fail/hang-2.met |binary filter/source/graphicfilter/ios2met/ios2met.cxx | 25 ++-- 2 files changed, 19 insertions(+), 6 deletions(-) New commits: commit 8e430e2f2acf573d7d23fe65bfd5e70a04706608 Author: Caolán McNamaraDate: Mon Aug 31 11:11:27 2015 +0100 check for legal field sizes before reading Change-Id: I3cdb647e1a057be5bb4b32d119ee5bcbbedf7473 (cherry picked from commit ad6d83defb33c414885ce6d4bfa85571d463f3c3) Reviewed-on: https://gerrit.libreoffice.org/18169 Reviewed-by: Miklos Vajna Tested-by: Miklos Vajna diff --git a/filter/qa/cppunit/data/met/fail/hang-2.met b/filter/qa/cppunit/data/met/fail/hang-2.met new file mode 100644 index 000..e807d58 Binary files /dev/null and b/filter/qa/cppunit/data/met/fail/hang-2.met differ diff --git a/filter/source/graphicfilter/ios2met/ios2met.cxx b/filter/source/graphicfilter/ios2met/ios2met.cxx index 2ff00f6..c153262 100644 --- a/filter/source/graphicfilter/ios2met/ios2met.cxx +++ b/filter/source/graphicfilter/ios2met/ios2met.cxx @@ -2660,21 +2660,34 @@ void OS2METReader::ReadOS2MET( SvStream & rStreamOS2MET, GDIMetaFile & rGDIMetaF pOS2MET->ReadUInt16(nFieldType); pOS2MET->SeekRel(3); -nPos+=8; nFieldSize-=8; -if (pOS2MET->GetError()) break; -if (pOS2MET->IsEof()) { +if (pOS2MET->GetError()) +break; + +if (nFieldType==EndDocumnMagic) +break; + +if (pOS2MET->IsEof() || nFieldSize < 8) +{ pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR); ErrorCode=8; break; } -if (nFieldType==EndDocumnMagic) break; +nPos+=8; nFieldSize-=8; + +if (nFieldSize > pOS2MET->remainingSize()) +{ +pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR); +ErrorCode=8; +break; +} ReadField(nFieldType, nFieldSize); +nPos += nFieldSize; -nPos+=(sal_uLong)nFieldSize; -if (pOS2MET->Tell()>nPos) { +if (pOS2MET->Tell() > nPos) +{ pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR); ErrorCode=9; break; ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
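Review bot: The `nFieldSize < 8` test is what keeps `nFieldSize-=8` from wrapping (assuming nFieldSize is unsigned; its declaration is outside the hunk), but nothing states that 8 is the length of the field header that appears to have been consumed just above. A short comment such as `// a field can never be shorter than its own 8-byte header`, or a named constant, would stop a later edit from reordering the test and the subtraction. ErrorCode 8 is now set for three different conditions (EOF, undersized field, field larger than the remaining stream), which makes a failure report ambiguous; a distinct code for the size checks would help triage. The loop containing these lines starts and ends outside the hunk.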
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/pict/fail/hang-1.pct |binary filter/source/graphicfilter/ipict/ipict.cxx | 10 ++ 2 files changed, 6 insertions(+), 4 deletions(-) New commits: commit 508125f9e77c0ef2c5a49a1a4cd08d60ad63492c Author: Caolán McNamaraDate: Mon Aug 31 09:55:37 2015 +0100 check stream status Change-Id: I65ed5979d35d8739367294a71620782b832cfd71 (cherry picked from commit a8fe085f973b4ccf846fe231af0fa25eda59911e) Reviewed-on: https://gerrit.libreoffice.org/18160 Tested-by: Jenkins Reviewed-by: Miklos Vajna diff --git a/filter/qa/cppunit/data/pict/fail/hang-1.pct b/filter/qa/cppunit/data/pict/fail/hang-1.pct new file mode 100644 index 000..735ce0a Binary files /dev/null and b/filter/qa/cppunit/data/pict/fail/hang-1.pct differ diff --git a/filter/source/graphicfilter/ipict/ipict.cxx b/filter/source/graphicfilter/ipict/ipict.cxx index 53f4c3a..0ceb4dd 100644 --- a/filter/source/graphicfilter/ipict/ipict.cxx +++ b/filter/source/graphicfilter/ipict/ipict.cxx @@ -824,8 +824,7 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap , bool bBaseAddr, bool bColo // read and write Bitmap bits: if ( nPixelSize == 1 || nPixelSize == 2 || nPixelSize == 4 || nPixelSize == 8 ) { -sal_uInt8 nByteCountAsByte, nFlagCounterByte; -sal_uInt16 nByteCount, nSrcBPL, nDestBPL; +sal_uInt16 nSrcBPL, nDestBPL; size_t nCount; if ( nPixelSize == 1 ) nSrcBPL = ( nWidth + 7 ) >> 3; @@ -851,6 +850,7 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap , bool bBaseAddr, bool bColo } else { +sal_uInt16 nByteCount(0); if ( nRowBytes > 250 ) { pPict->ReadUInt16( nByteCount ); 
@@ -858,14 +858,16 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap , bool bBaseAddr, bool bColo } else { +sal_uInt8 nByteCountAsByte(0); pPict->ReadUChar( nByteCountAsByte ); nByteCount = ( (sal_uInt16)nByteCountAsByte ) & 0x00ff; nDataSize += 1 + (sal_uLong)nByteCount; } -while ( nByteCount ) +while (pPict->good() && nByteCount) { -pPict->ReadUChar( nFlagCounterByte ); +sal_uInt8 nFlagCounterByte(0); +pPict->ReadUChar(nFlagCounterByte); if ( ( nFlagCounterByte & 0x80 ) == 0 ) { nCount = ( (sal_uInt16)nFlagCounterByte ) + 1; ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
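Review bot: `while (pPict->good() && nByteCount)` ends the run-length loop when the stream fails, but nothing visible reports the failure, so a truncated file appears to leave the current row partly filled while decoding carries on with the next row. nDataSize has also already been advanced by the full nByteCount at that point. If the code after the loop (outside this hunk) does not test the stream, add `if (!pPict->good()) BITMAPERROR;` once the loop has finished. ReadPixMapEtc starts and ends outside the hunk.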
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/tiff/fail/hang-10.tiff |binary filter/source/graphicfilter/itiff/lzwdecom.cxx | 12 2 files changed, 12 insertions(+) New commits: commit aed68b0c79b4edac79d18a7c273ab1bf21665614 Author: Caolán McNamara caol...@redhat.com Date: Mon Aug 24 15:31:41 2015 +0100 detect and reject loop in tif Change-Id: I77d315fa432a3eb1a65539489a2ba6da8508b283 (cherry picked from commit 6b82437dca30eba0f0c9dde6fdc84cb8f7740f8f) Reviewed-on: https://gerrit.libreoffice.org/17957 Reviewed-by: David Tardon dtar...@redhat.com Tested-by: David Tardon dtar...@redhat.com diff --git a/filter/qa/cppunit/data/tiff/fail/hang-10.tiff b/filter/qa/cppunit/data/tiff/fail/hang-10.tiff new file mode 100644 index 000..e5e9ebc Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/hang-10.tiff differ diff --git a/filter/source/graphicfilter/itiff/lzwdecom.cxx b/filter/source/graphicfilter/itiff/lzwdecom.cxx index 82f6acc..5fb7514 100644 --- a/filter/source/graphicfilter/itiff/lzwdecom.cxx +++ b/filter/source/graphicfilter/itiff/lzwdecom.cxx @@ -19,6 +19,8 @@ #include lzwdecom.hxx +#include algorithm +#include vector #define MAX_TABLE_SIZE 4096 @@ -161,8 +163,18 @@ void LZWDecompressor::AddToTable(sal_uInt16 nPrevCode, sal_uInt16 nCodeFirstData return; } +std::vectorsal_uInt16 aSeenIndexes; while (pTable[nCodeFirstData].nDataCount1) +{ +if (std::find(aSeenIndexes.begin(), aSeenIndexes.end(), nCodeFirstData) != aSeenIndexes.end()) +{ +SAL_WARN(filter.tiff, Loop in chain); +bEOIFound = true; +return; +} +aSeenIndexes.push_back(nCodeFirstData); nCodeFirstData=pTable[nCodeFirstData].nPrevCode; +} pTable[nTableSize].nPrevCode=nPrevCode; pTable[nTableSize].nDataCount=pTable[nPrevCode].nDataCount+1; ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
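Review bot: The loop detection in AddToTable allocates a std::vector on every call and runs a linear `std::find` for each step of the chain, which is quadratic in chain length; a file with long but loop-free chains pays that cost for every table entry it adds. A chain without a loop cannot visit more than MAX_TABLE_SIZE entries, so a step counter gives the same rejection with no allocation: `if (++nSteps > MAX_TABLE_SIZE) { bEOIFound = true; return; }`, keeping the SAL_WARN. Setting bEOIFound ends decoding quietly; whether the caller then reports a format error is outside the hunk and worth confirming. AddToTable starts before the hunk and continues after it.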
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/pbm/fail/crash-1.pbm |6 ++ filter/source/graphicfilter/ipbm/ipbm.cxx | 11 ++- 2 files changed, 12 insertions(+), 5 deletions(-) New commits: commit 25418bf4997e3f1b31e0da87ee0947ad9c8da2ce Author: Caolán McNamara caol...@redhat.com Date: Mon Aug 24 20:43:37 2015 +0100 in reality we are limited to max sal_Int32 here so accept that and test if the values were accepted or limited Change-Id: Iaed5ebc2f12b52055506147c71117a2ad88d28ac (cherry picked from commit 0a76c1fd6875bd094ebe2bfbed3d01c98dc0c19e) Reviewed-on: https://gerrit.libreoffice.org/17972 Reviewed-by: David Tardon dtar...@redhat.com Tested-by: David Tardon dtar...@redhat.com diff --git a/filter/qa/cppunit/data/pbm/fail/crash-1.pbm b/filter/qa/cppunit/data/pbm/fail/crash-1.pbm new file mode 100644 index 000..9ddcddf --- /dev/null +++ b/filter/qa/cppunit/data/pbm/fail/crash-1.pbm @@ -0,0 +1,6 @@ +P3 +3000 1 +255 +103 79 59 + 95 7P 55 + 87 67 51 diff --git a/filter/source/graphicfilter/ipbm/ipbm.cxx b/filter/source/graphicfilter/ipbm/ipbm.cxx index e545334..18b3249 100644 --- a/filter/source/graphicfilter/ipbm/ipbm.cxx +++ b/filter/source/graphicfilter/ipbm/ipbm.cxx @@ -37,7 +37,7 @@ private: sal_uLong mnMode; // 0-PBM, 1-PGM, 2-PPM Bitmap maBmp; BitmapWriteAccess* mpAcc; -sal_uLong mnWidth, mnHeight; // dimensions in pixel +sal_Int32 mnWidth, mnHeight; // dimensions in pixel sal_uLong mnCol; sal_uLong mnMaxVal; // max value in the missing comment boolImplReadBody(); @@ -83,7 +83,7 @@ bool PBMReader::ReadPBM(Graphic rGraphic ) if ( !( mbStatus = ImplReadHeader() ) ) return false; -if ( ( mnMaxVal == 0 ) || ( mnWidth == 0 ) || ( mnHeight == 0 ) ) +if ( ( mnMaxVal == 0 ) || ( mnWidth = 0 ) || ( mnHeight = 0 ) ) return false; // 0-PBM, 1-PGM, 2-PPM 
@@ -91,7 +91,8 @@ bool PBMReader::ReadPBM(Graphic rGraphic ) { case 0 : maBmp = Bitmap( Size( mnWidth, mnHeight ), 1 ); -if ( ( mpAcc = maBmp.AcquireWriteAccess() ) == 0 ) +mpAcc = maBmp.AcquireWriteAccess(); +if (!mpAcc || mpAcc-Width() != mnWidth || mpAcc-Height() != mnHeight) return false; mpAcc-SetPaletteEntryCount( 2 ); mpAcc-SetPaletteColor( 0, BitmapColor( 0xff, 0xff, 0xff ) ); @@ -242,8 +243,8 @@ bool PBMReader::ImplReadBody() boolbPara, bFinished = false; sal_uInt8 nDat = 0, nCount; sal_uLong nGrey, nRGB[3]; -sal_uLong nWidth = 0; -sal_uLong nHeight = 0; +sal_Int32 nWidth = 0; +sal_Int32 nHeight = 0; if ( mbRaw ) { ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
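Review bot: Only the `case 0` branch gains the comparison of the acquired access's Width()/Height() with mnWidth/mnHeight. The branches for the other modes (1-PGM, 2-PPM) are outside this hunk, and the diffstat suggests they were not touched. If they build the bitmap from the same mnWidth/mnHeight they need the same test, otherwise dimensions the Bitmap could not honour are still used for writing there. On the new early `return false` mpAcc can be non-null, so the write access acquired on the line above should be released before returning unless that happens elsewhere. ReadPBM starts and ends outside the hunk.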
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/tiff/fail/crash-7.tiff |binary filter/source/graphicfilter/itiff/itiff.cxx |2 ++ 2 files changed, 2 insertions(+) New commits: commit 64bb6065a3ae74550a513426308f00b05365086b Author: Caolán McNamara caol...@redhat.com Date: Tue Jul 21 10:10:50 2015 +0100 reject invalid tiff dimensions Change-Id: I64e77f12cb016a7f4a9d21c732aaeaae7959da76 (cherry picked from commit 34d062147c16090fa42c27ac7960e3f5e3b65d2b) Reviewed-on: https://gerrit.libreoffice.org/17257 Reviewed-by: Adolfo Jayme Barrientos fit...@ubuntu.com Tested-by: Adolfo Jayme Barrientos fit...@ubuntu.com diff --git a/filter/qa/cppunit/data/tiff/fail/crash-7.tiff b/filter/qa/cppunit/data/tiff/fail/crash-7.tiff new file mode 100644 index 000..0056f9d Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/crash-7.tiff differ diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx index 180b1c3..c730e81 100644 --- a/filter/source/graphicfilter/itiff/itiff.cxx +++ b/filter/source/graphicfilter/itiff/itiff.cxx @@ -1330,6 +1330,8 @@ bool TIFFReader::ReadTIFF(SvStream rTIFF, Graphic rGraphic ) } if ( !nBitsPerSample || ( nBitsPerSample 32 ) ) bStatus = false; +if (nImageWidth 0 || nImageLength 0) +bStatus = false; if ( bStatus ) { if ( nMaxSampleValue == 0 ) ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/tiff/fail/crash-1.tiff |binary filter/source/graphicfilter/itiff/itiff.cxx | 54 +- 2 files changed, 27 insertions(+), 27 deletions(-) New commits: commit b52ba57efaa7f54391abec08b601e749963c711e Author: Caolán McNamara caol...@redhat.com Date: Sun Jul 19 21:09:25 2015 +0100 in reality we are limited to max sal_Int32 here so accept that and test if the values were accepted or limited Change-Id: I599cf8065a6f8786d380fdba03135857766770f3 (cherry picked from commit 80c591ea9c320fee9e975ac7b0e4e2df1bf5e447) Reviewed-on: https://gerrit.libreoffice.org/17197 Reviewed-by: David Tardon dtar...@redhat.com Tested-by: David Tardon dtar...@redhat.com diff --git a/filter/qa/cppunit/data/tiff/fail/crash-1.tiff b/filter/qa/cppunit/data/tiff/fail/crash-1.tiff new file mode 100644 index 000..4fa0bb9 Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/crash-1.tiff differ diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx index 4599af9..b18db6b 100644 --- a/filter/source/graphicfilter/itiff/itiff.cxx +++ b/filter/source/graphicfilter/itiff/itiff.cxx @@ -65,8 +65,8 @@ private: sal_uLong nNewSubFile; sal_uLong nSubFile; -sal_uLong nImageWidth;// picture width in pixels -sal_uLong nImageLength; // picture height in pixels +sal_Int32 nImageWidth;// picture width in pixels +sal_Int32 nImageLength; // picture height in pixels sal_uLong nBitsPerSample; // bits per pixel per layer sal_uLong nCompression; // kind of compression sal_uLong nPhotometricInterpretation; @@ -116,7 +116,7 @@ private: // Create the bitmap from the temporary bitmap pMap // and partly deletes pMap while doing this. -boolConvertScanline( sal_uLong nY ); +boolConvertScanline(sal_Int32 nY); // converts a Scanline to the Windows-BMP format bool HasAlphaChannel() const; 
@@ -537,13 +537,13 @@ bool TIFFReader::ReadMap() { if ( nCompression == 1 || nCompression == 32771 ) { -sal_uLong ny, np, nStrip, nStripBytesPerRow; +sal_uLong np, nStrip, nStripBytesPerRow; if ( nCompression == 1 ) nStripBytesPerRow = nBytesPerRow; else nStripBytesPerRow = ( nBytesPerRow + 1 ) 0xfffe; -for ( ny = 0; ny nImageLength; ny++ ) +for (sal_Int32 ny = 0; ny nImageLength; ++ny) { for ( np = 0; np nPlanes; np++ ) { @@ -561,7 +561,7 @@ bool TIFFReader::ReadMap() } else if ( nCompression == 2 || nCompression == 3 || nCompression == 4 ) { -sal_uLong ny, np, nStrip, nOptions; +sal_uLong np, nStrip, nOptions; if ( nCompression == 2 ) { nOptions = CCI_OPTION_BYTEALIGNROW; @@ -596,7 +596,7 @@ bool TIFFReader::ReadMap() aCCIDecom.StartDecompression( *pTIFF ); -for ( ny = 0; ny nImageLength; ny++ ) +for (sal_Int32 ny = 0; ny nImageLength; ++ny) { for ( np = 0; np nPlanes; np++ ) { @@ -622,13 +622,13 @@ bool TIFFReader::ReadMap() else if ( nCompression == 5 ) { LZWDecompressor aLZWDecom; -sal_uLong ny, np, nStrip; +sal_uLong np, nStrip; nStrip=0; if ( nStrip = nNumStripOffsets ) return false; pTIFF-Seek(pStripOffsets[nStrip]); aLZWDecom.StartDecompression(*pTIFF); -for ( ny = 0; ny nImageLength; ny++ ) +for (sal_Int32 ny = 0; ny nImageLength; ++ny) { for ( np = 0; np nPlanes; np++ ) { @@ -651,13 +651,13 @@ bool TIFFReader::ReadMap() } else if ( nCompression == 32773 ) { -sal_uLong nStrip,nRecCount,nRowBytesLeft,ny,np,i; +sal_uLong nStrip,nRecCount,nRowBytesLeft,np,i; sal_uInt8 * pdst; nStrip = 0; if ( nStrip = nNumStripOffsets ) return false; pTIFF-Seek(pStripOffsets[nStrip]); -for ( ny = 0; ny nImageLength; ny++ ) +for (sal_Int32 ny = 0; ny nImageLength; ++ny) { for ( np = 0; np nPlanes; np++ ) { 
@@ -771,9 +771,9 @@ sal_uLong TIFFReader::GetBits( const sal_uInt8 * pSrc, sal_uLong nBitsPos, sal_u -bool TIFFReader::ConvertScanline( sal_uLong nY ) +bool TIFFReader::ConvertScanline(sal_Int32 nY) { -sal_uInt32 nRed, nGreen, nBlue, ns, nx, nVal, nByteCount; +sal_uInt32 nRed, nGreen, nBlue, ns, nVal, nByteCount; sal_uInt8 nByteVal; if ( nDstBitsPerPixel == 24 ) @@ -790,7 +790,7 @@ bool TIFFReader::ConvertScanline( sal_uLong nY ) sal_uInt8 nLGreen = 0;
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/tiff/fail/crash-2.tiff |binary filter/source/graphicfilter/itiff/itiff.cxx |2 ++ 2 files changed, 2 insertions(+) New commits: commit fc3ba0cdd424e1ae2852ad9809b49a5e6e55b2f5 Author: Caolán McNamara caol...@redhat.com Date: Sun Jul 19 21:25:46 2015 +0100 check np bounds Change-Id: Id16ae9325f3c67792941b9c88d83435aa98282ca (cherry picked from commit be4e1141be7cd54cf5362d3de534050db5505437) Reviewed-on: https://gerrit.libreoffice.org/17199 Reviewed-by: David Tardon dtar...@redhat.com Tested-by: David Tardon dtar...@redhat.com diff --git a/filter/qa/cppunit/data/tiff/fail/crash-2.tiff b/filter/qa/cppunit/data/tiff/fail/crash-2.tiff new file mode 100644 index 000..aadd99f Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/crash-2.tiff differ diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx index 834c437..4599af9 100644 --- a/filter/source/graphicfilter/itiff/itiff.cxx +++ b/filter/source/graphicfilter/itiff/itiff.cxx @@ -608,6 +608,8 @@ bool TIFFReader::ReadMap() pTIFF-Seek( pStripOffsets[ nStrip ] ); aCCIDecom.StartDecompression( *pTIFF ); } +if (np = SAL_N_ELEMENTS(pMap)) +return false; if ( !aCCIDecom.DecompressScanline( pMap[ np ], nImageWidth * nBitsPerSample * nSamplesPerPixel / nPlanes, np + 1 == nPlanes ) ) return false; if ( pTIFF-GetError() ) ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
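Review bot: The guard comparing np with `SAL_N_ELEMENTS(pMap)` sits inside the per-scanline, per-plane loop, and the follow-up commits to itiff.cxx add the same two lines to the other compression branches of ReadMap. Since np only runs up to nPlanes, rejecting `nPlanes > SAL_N_ELEMENTS(pMap)` once, before any branch is entered, would cover every existing branch and any added later. The next line also computes `nImageWidth * nBitsPerSample * nSamplesPerPixel / nPlanes` from file-supplied values with no overflow check; the declared types are outside this hunk, so that needs confirming. ReadMap starts and ends outside the hunk.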
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/tiff/fail/crash-3.tiff |binary filter/source/graphicfilter/itiff/itiff.cxx |2 ++ 2 files changed, 2 insertions(+) New commits: commit e9be8b2425eb8e013e43ef7e730a05df5e4efae9 Author: Caolán McNamara caol...@redhat.com Date: Sun Jul 19 21:32:05 2015 +0100 check np bounds again Change-Id: I0fb61954b2eaf0c015d7bdefe9f03bd459b31501 (cherry picked from commit fcdddbd30a8b5cf6a5cc4d2ff28b7d4a20f8ec6b) Reviewed-on: https://gerrit.libreoffice.org/17201 Reviewed-by: David Tardon dtar...@redhat.com Tested-by: David Tardon dtar...@redhat.com diff --git a/filter/qa/cppunit/data/tiff/fail/crash-3.tiff b/filter/qa/cppunit/data/tiff/fail/crash-3.tiff new file mode 100644 index 000..4aa2393 Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/crash-3.tiff differ diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx index aed15f6..834c437 100644 --- a/filter/source/graphicfilter/itiff/itiff.cxx +++ b/filter/source/graphicfilter/itiff/itiff.cxx @@ -638,6 +638,8 @@ bool TIFFReader::ReadMap() pTIFF-Seek(pStripOffsets[nStrip]); aLZWDecom.StartDecompression(*pTIFF); } +if (np = SAL_N_ELEMENTS(pMap)) +return false; if ( ( aLZWDecom.Decompress( pMap[ np ], nBytesPerRow ) != nBytesPerRow ) || pTIFF-GetError() ) return false; } ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/tiff/fail/crash-4.tiff |binary filter/source/graphicfilter/itiff/ccidecom.cxx |9 ++--- 2 files changed, 2 insertions(+), 7 deletions(-) New commits: commit 1aac166075ef5a3183474449ae7d0fa3f7cf82b6 Author: Caolán McNamara caol...@redhat.com Date: Mon Jul 20 08:35:26 2015 +0100 reduce scope, etc, don't loop endlessly Change-Id: I86e4e94392527b5faf5d9cdb4251853f35813f4e (cherry picked from commit 5d32a4ac5c166264c2d44e8df625eb768eb42fbe) Reviewed-on: https://gerrit.libreoffice.org/17204 Tested-by: Jenkins c...@libreoffice.org Reviewed-by: Michael Meeks michael.me...@collabora.com Tested-by: Michael Meeks michael.me...@collabora.com diff --git a/filter/qa/cppunit/data/tiff/fail/crash-4.tiff b/filter/qa/cppunit/data/tiff/fail/crash-4.tiff new file mode 100644 index 000..ef0fe27 Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/crash-4.tiff differ diff --git a/filter/source/graphicfilter/itiff/ccidecom.cxx b/filter/source/graphicfilter/itiff/ccidecom.cxx index f7eed81..2477542 100644 --- a/filter/source/graphicfilter/itiff/ccidecom.cxx +++ b/filter/source/graphicfilter/itiff/ccidecom.cxx @@ -628,8 +628,6 @@ void CCIDecompressor::StartDecompression( SvStream rIStream ) bool CCIDecompressor::DecompressScanline( sal_uInt8 * pTarget, sal_uLong nTargetBits, bool bLastLine ) { -sal_uInt16 i; -sal_uInt8 * pDst; bool b2D; if ( nEOLCount = 5 ) // RTC (Return To Controller) @@ -678,8 +676,7 @@ bool CCIDecompressor::DecompressScanline( sal_uInt8 * pTarget, sal_uLong nTarget delete[] pLastLine; nLastLineSize = ( nTargetBits + 7 ) 3; pLastLine = new sal_uInt8[ nLastLineSize ]; -pDst = pLastLine; -for ( i = 0; i nLastLineSize; i++ ) *( pDst++ ) = 0x00; +memset(pLastLine, 0, nLastLineSize); } } // conditionally align start of line to next byte: 
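Review bot: `memset` here and `memcpy` in the next hunk are new to DecompressScanline, yet the diffstat shows only those two insertions, so no header declaring them was added. Unless ccidecom.cxx already includes `<string.h>` or `<cstring>`, the build depends on a transitive include; adding `#include <cstring>` makes the dependency explicit. It would also help to say in a comment why the byte loops were replaced: the removed `sal_uInt16 i` counter cannot reach an nLastLineSize above 65535, which is presumably the endless loop the commit message refers to. The function starts before the first hunk and continues after the last.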
@@ -706,9 +703,7 @@ bool CCIDecompressor::DecompressScanline( sal_uInt8 * pTarget, sal_uLong nTarget // if we're in 2D mode we have to remember the line: if ( nOptions CCI_OPTION_2D bStatus ) { -sal_uInt8 *pSrc = pTarget; -pDst = pLastLine; -for ( i = 0; i nLastLineSize; i++ ) *(pDst++)=*(pSrc++); +memcpy(pLastLine, pTarget, nLastLineSize); } // #i122984# ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/tiff/fail/crash-6.tiff |binary filter/source/graphicfilter/itiff/itiff.cxx |2 ++ 2 files changed, 2 insertions(+) New commits: commit 4b96ee2d118c7d59408f361390158b7c8375cbf8 Author: Caolán McNamara caol...@redhat.com Date: Mon Jul 20 09:24:48 2015 +0100 final check np bounds Change-Id: I9213bb2cc059e05e286598edac03bd72c84db876 (cherry picked from commit dcbbe7741a08f6076f9e020f90cbb730c1edafb9) Reviewed-on: https://gerrit.libreoffice.org/17212 Reviewed-by: Michael Meeks michael.me...@collabora.com Tested-by: Michael Meeks michael.me...@collabora.com diff --git a/filter/qa/cppunit/data/tiff/fail/crash-6.tiff b/filter/qa/cppunit/data/tiff/fail/crash-6.tiff new file mode 100644 index 000..907b510 Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/crash-6.tiff differ diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx index 7a5d487..4fa050d 100644 --- a/filter/source/graphicfilter/itiff/itiff.cxx +++ b/filter/source/graphicfilter/itiff/itiff.cxx @@ -551,6 +551,8 @@ bool TIFFReader::ReadMap() if ( nStrip = nNumStripOffsets ) return false; pTIFF-Seek( pStripOffsets[ nStrip ] + ( ny % GetRowsPerStrip() ) * nStripBytesPerRow ); +if (np = SAL_N_ELEMENTS(pMap)) +return false; pTIFF-Read( pMap[ np ], nBytesPerRow ); if ( pTIFF-GetError() ) return false; ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
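Review bot: The `pTIFF->Read( pMap[ np ], nBytesPerRow )` call directly after the new guard discards the number of bytes read and only GetError() is tested, so a short read at end of file may pass and leave the tail of the row buffer with whatever it held before. The LZW branch of the same function compares the count it received with nBytesPerRow; doing the same here, `if (pTIFF->Read(pMap[np], nBytesPerRow) != nBytesPerRow) return false;`, closes that gap. Whether a short read also raises the stream error flag is not visible in this hunk. ReadMap starts and ends outside the hunk.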
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/tiff/fail/crash-5.tiff |binary filter/source/graphicfilter/itiff/itiff.cxx |2 ++ 2 files changed, 2 insertions(+) New commits: commit 429f6b5183fa39751d949431e16bd6f4163bf78c Author: Caolán McNamara caol...@redhat.com Date: Mon Jul 20 08:50:27 2015 +0100 check np bounds yet again Change-Id: Id3f6fdc0ebed9711acec5d71f404e7a6072b765c (cherry picked from commit bca4d6f896fb12ceff37476c43ea8892898dd385) Reviewed-on: https://gerrit.libreoffice.org/17207 Reviewed-by: Michael Meeks michael.me...@collabora.com Tested-by: Michael Meeks michael.me...@collabora.com diff --git a/filter/qa/cppunit/data/tiff/fail/crash-5.tiff b/filter/qa/cppunit/data/tiff/fail/crash-5.tiff new file mode 100644 index 000..4849edf Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/crash-5.tiff differ diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx index b18db6b..7a5d487 100644 --- a/filter/source/graphicfilter/itiff/itiff.cxx +++ b/filter/source/graphicfilter/itiff/itiff.cxx @@ -669,6 +669,8 @@ bool TIFFReader::ReadMap() pTIFF-Seek(pStripOffsets[nStrip]); } nRowBytesLeft = nBytesPerRow; +if (np = SAL_N_ELEMENTS(pMap)) +return false; pdst=pMap[ np ]; do { ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/tiff/fail/hang-5.tiff |binary filter/source/graphicfilter/itiff/itiff.cxx |7 +-- 2 files changed, 5 insertions(+), 2 deletions(-) New commits: commit 17b1467a30895b08317f7be2079620a4d057b4b4 Author: Caolán McNamara caol...@redhat.com Date: Mon Jul 20 09:20:33 2015 +0100 test that nNumStripByteCounts value is within bounds of file Change-Id: If119628d7f510a7db30ed2180111063781cde887 (cherry picked from commit 33d43205c341e0cce36b6a1b3082c3927490cbde) Reviewed-on: https://gerrit.libreoffice.org/17210 Reviewed-by: David Tardon dtar...@redhat.com Tested-by: David Tardon dtar...@redhat.com diff --git a/filter/qa/cppunit/data/tiff/fail/hang-5.tiff b/filter/qa/cppunit/data/tiff/fail/hang-5.tiff new file mode 100644 index 000..f1be3fa Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/hang-5.tiff differ diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx index 4fa050d..f0c5d1e 100644 --- a/filter/source/graphicfilter/itiff/itiff.cxx +++ b/filter/source/graphicfilter/itiff/itiff.cxx @@ -422,14 +422,17 @@ void TIFFReader::ReadTagData( sal_uInt16 nTagType, sal_uInt32 nDataLen) nNumStripByteCounts = 0; // to be on the safe side nOldNumSBC = nNumStripByteCounts; nDataLen += nOldNumSBC; -if ( ( nDataLen nOldNumSBC ) ( nDataLen SAL_MAX_UINT32 / sizeof( sal_uInt32 ) ) ) +size_t nMaxAllocAllowed = SAL_MAX_UINT32 / sizeof(sal_uInt32); +size_t nMaxRecordsAvailable = pTIFF-remainingSize() / DataTypeSize(); +if (nDataLen nOldNumSBC nDataLen nMaxAllocAllowed +(nDataLen - nOldNumSBC) = nMaxRecordsAvailable) { nNumStripByteCounts = nDataLen; try { pStripByteCounts = new sal_uLong[ nNumStripByteCounts ]; } -catch (const std::bad_alloc ) +catch (const std::bad_alloc ) { pStripByteCounts = NULL; nNumStripByteCounts = 0; ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
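Review bot: nMaxAllocAllowed is derived from `sizeof(sal_uInt32)` while the array allocated a few lines below is `new sal_uLong[ nNumStripByteCounts ]`, so where sal_uLong is 8 bytes the cap permits an allocation twice as large as the limit implies. `SAL_MAX_UINT32 / sizeof(sal_uLong)` would match the element type. nMaxRecordsAvailable divides by `DataTypeSize()`, whose body is outside this hunk; if it can return 0 for an unrecognised tag type, the division needs a guard. ReadTagData starts and ends outside the hunk.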
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/pict/pass/tdf92789.pct |binary filter/source/graphicfilter/ipict/ipict.cxx | 62 ++ 2 files changed, 25 insertions(+), 37 deletions(-) New commits: commit cdb14f5b40ec3da72ccd2a0258745b899b5fee62 Author: osnola alo...@loria.fr Date: Mon Jul 20 08:49:59 2015 +0200 tdf92789 fix reading of some PICT images (cherry picked from commit 5fa73031aa42b62ccd167f193376565df2e635fc) Conflicts: filter/source/graphicfilter/ipict/ipict.cxx add a test image (cherry picked from commit 3f0677b86f4831b011a2baece85cf93c68646cd5) Change-Id: I6809ef52c462958eed2329fe2d32b5cbc691194c Reviewed-on: https://gerrit.libreoffice.org/17203 Tested-by: Jenkins c...@libreoffice.org Reviewed-by: Caolán McNamara caol...@redhat.com Tested-by: Caolán McNamara caol...@redhat.com diff --git a/filter/qa/cppunit/data/pict/pass/tdf92789.pct b/filter/qa/cppunit/data/pict/pass/tdf92789.pct new file mode 100644 index 000..2d6f0d8 Binary files /dev/null and b/filter/qa/cppunit/data/pict/pass/tdf92789.pct differ diff --git a/filter/source/graphicfilter/ipict/ipict.cxx b/filter/source/graphicfilter/ipict/ipict.cxx index 4f0c39b..53f4c3a 100644 --- a/filter/source/graphicfilter/ipict/ipict.cxx +++ b/filter/source/graphicfilter/ipict/ipict.cxx @@ -879,7 +879,7 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap rBitmap, bool bBaseAddr, bool bColo } else { -nCount = static_castsal_uInt16( 1 - ( ( (sal_uInt16)nFlagCounterByte ) | 0xff00 ) ); +nCount = static_castsal_uInt16( 1 - sal_Int16( ( (sal_uInt16)nFlagCounterByte ) | 0xff00 ) ); pPict-ReadUChar( nDat ); for ( i = 0; i nCount; i++ ) { 
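Review bot: The new nCount expression sign-extends the flag byte by converting an out-of-range value to sal_Int16, which is implementation-defined before C++20. Assuming this is the else branch of the `& 0x80` test, so the high bit is set, the result is simply 257 minus the flag byte, and `nCount = static_cast<sal_uInt16>(257 - nFlagCounterByte);` needs no narrowing conversion. A one-line comment naming this as the repeat-run length would help too. The same expression is changed again in the 16-bit branch further down in this commit. ReadPixMapEtc starts and ends outside the hunk.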
@@ -901,21 +901,10 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap rBitmap, bool bBaseAddr, bool bColo if (nWidth nRowBytes / 2) BITMAPERROR; -size_t nMinRecordSize; -if ( nRowBytes 8 || nPackType == 1 ) -nMinRecordSize = sizeof(sal_uInt16); -else if ( nRowBytes 250 ) -nMinRecordSize = sizeof(sal_uInt16); -else -nMinRecordSize = 1; - -const size_t nMinRowWidth = nWidth * nMinRecordSize; -const size_t nMaxRows = pPict-remainingSize() / nMinRowWidth; -if (nHeight nMaxRows) -BITMAPERROR; -const size_t nMaxCols = pPict-remainingSize() / nHeight; -if (nWidth nMaxCols) -BITMAPERROR; +if ( nRowBytes 8 || nPackType == 1 ) { +if (pPict-remainingSize() sizeof(sal_uInt16) * nHeight * nWidth) +BITMAPERROR; +} for ( ny = 0; ny nHeight; ny++ ) { @@ -952,10 +941,17 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap rBitmap, bool bBaseAddr, bool bColo if ( (nFlagCounterByte 0x80) == 0) { nCount=((sal_uInt16)nFlagCounterByte)+1; -if ( nCount + nx nWidth) // SJ: the RLE decoding seems not to be correct here, -nCount = nWidth - nx; // I don't want to change this until I have a bugdoc for -for (i=0; inCount; i++)// this case. Have a look at 32bit, there I changed the -{ // encoding, so that it is used a straight forward array +if ( nCount + nx nWidth) +nCount = nWidth - nx; +if (pPict-remainingSize() sizeof(sal_uInt16) * nCount) +BITMAPERROR; +/* SJ: the RLE decoding seems not to be correct here, + I don't want to change this until I have a bugdoc for + this case. Have a look at 32bit, there I changed the + encoding, so that it is used a straight forward array + */ +for (i=0; inCount; i++) +{ pPict-ReadUInt16( nD ); nRed = (sal_uInt8)( nD 7 ); nGreen = (sal_uInt8)( nD 2 ); 
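Review bot: In the `-901,21 +901,10` hunk the product `sizeof(sal_uInt16) * nHeight * nWidth` is evaluated in size_t, and on a build where size_t is 32 bits it can wrap for large dimensions, so an undersized stream would pass the check. Comparing by division avoids the wrap: `if (nHeight && pPict->remainingSize() / sizeof(sal_uInt16) / nHeight < nWidth) BITMAPERROR;`. The types of nWidth and nHeight are declared outside the hunk, so the reachable range should be confirmed there. Rows that take the packed path no longer get any up-front size check and depend entirely on the per-run `remainingSize()` checks added in the following hunks.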
@@ -965,7 +961,9 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap rBitmap, bool bBaseAddr, bool bColo } else { -nCount=(1-(((sal_uInt16)nFlagCounterByte)|0xff00)); +if (pPict-remainingSize() sizeof(sal_uInt16)) +BITMAPERROR; + nCount=(1-sal_Int16(((sal_uInt16)nFlagCounterByte)|0xff00)); if ( nCount + nx nWidth ) nCount = nWidth - nx;
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/tiff/fail/hang-6.tiff |binary filter/source/graphicfilter/itiff/ccidecom.cxx | 39 ++--- 2 files changed, 22 insertions(+), 17 deletions(-) New commits: commit 60ec59d671058d8996cd0edf683078aae34d96af Author: Caolán McNamara caol...@redhat.com Date: Mon Jul 20 10:06:59 2015 +0100 ensure loop ends eventually Change-Id: I318385286fcc27ffb2d938237d83e793564d2525 (cherry picked from commit c02e79874951ba86d926186e284612806d8bc0a3) Reviewed-on: https://gerrit.libreoffice.org/17214 Reviewed-by: David Tardon dtar...@redhat.com Tested-by: David Tardon dtar...@redhat.com diff --git a/filter/qa/cppunit/data/tiff/fail/hang-6.tiff b/filter/qa/cppunit/data/tiff/fail/hang-6.tiff new file mode 100644 index 000..4e6cc0e Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/hang-6.tiff differ diff --git a/filter/source/graphicfilter/itiff/ccidecom.cxx b/filter/source/graphicfilter/itiff/ccidecom.cxx index 2477542..c1447b16 100644 --- a/filter/source/graphicfilter/itiff/ccidecom.cxx +++ b/filter/source/graphicfilter/itiff/ccidecom.cxx 
@@ -886,36 +886,41 @@ void CCIDecompressor::FillBits(sal_uInt8 * pTarget, sal_uInt16 nTargetBits, } } - sal_uInt16 CCIDecompressor::CountBits(const sal_uInt8 * pData, sal_uInt16 nDataSizeBits, sal_uInt16 nBitPos, sal_uInt8 nBlackOrWhite) { -sal_uInt16 nPos,nLo; -sal_uInt8 nData; - // here the number of bits belonging together is being counted // which all have the color nBlackOrWhite (0xff oder 0x00) // from the position nBitPos on - -nPos=nBitPos; -for (;;) { -if (nPos=nDataSizeBits) { +sal_uInt16 nPos = nBitPos; +for (;;) +{ +if (nPos=nDataSizeBits) +{ nPos=nDataSizeBits; break; } -nData=pData[nPos3]; -nLo=nPos 7; -if ( nLo==0 nData==nBlackOrWhite) nPos+=8; -else { -if ( ((nData^nBlackOrWhite) (0x80 nLo))!=0) break; -nPos++; +sal_uInt8 nData = pData[nPos3]; +sal_uInt16 nLo = nPos 7; +if (nLo==0 nData==nBlackOrWhite) +{ +//fail on overflow attempt +if (nPos SAL_MAX_UINT16-8) +return 0; +nPos+=8; +} +else +{ +if ( ((nData^nBlackOrWhite) (0x80 nLo))!=0) +break; +++nPos; } } -if (nPos=nBitPos) return 0; -else return nPos-nBitPos; +if (nPos=nBitPos) +return 0; +return nPos-nBitPos; } - void CCIDecompressor::Read1DScanlineData(sal_uInt8 * pTarget, sal_uInt16 nTargetBits) { sal_uInt16 nCode,nCodeBits,nDataBits,nTgtFreeByteBits; ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
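Review bot: The overflow guard in CountBits returns 0, which discards the run already counted and behaves differently from the ordinary end-of-data case at the top of the loop, where nPos is clamped to nDataSizeBits and the run length is returned. Because the guard can only trigger when fewer than 8 bits remain before nDataSizeBits, clamping gives the same answer the loop would have produced without the wrap: `if (nPos > SAL_MAX_UINT16-8) { nPos = nDataSizeBits; break; }`. If 0 is intended as a failure signal to the callers (which are outside this hunk), the `//fail on overflow attempt` comment should say that 0 is also the result for a legitimate empty run.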
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/tiff/fail/hang-7.tiff |binary filter/source/graphicfilter/itiff/ccidecom.cxx |5 - 2 files changed, 4 insertions(+), 1 deletion(-) New commits: commit 4df53f3d14048492375b5b9bfe17cca4f9452c68 Author: Caolán McNamara caol...@redhat.com Date: Mon Jul 20 11:20:45 2015 +0100 don't hang on a bad ReadCodeAndDecode Change-Id: I999012d428fa84e21fe9e9f851a016eacc96a686 (cherry picked from commit 6964f67d0dd44c8a3c68caf194075ba5c649bf4b) Reviewed-on: https://gerrit.libreoffice.org/17217 Reviewed-by: David Tardon dtar...@redhat.com Tested-by: David Tardon dtar...@redhat.com diff --git a/filter/qa/cppunit/data/tiff/fail/hang-7.tiff b/filter/qa/cppunit/data/tiff/fail/hang-7.tiff new file mode 100644 index 000..61a5f2d Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/hang-7.tiff differ diff --git a/filter/source/graphicfilter/itiff/ccidecom.cxx b/filter/source/graphicfilter/itiff/ccidecom.cxx index c1447b16..5542cff 100644 --- a/filter/source/graphicfilter/itiff/ccidecom.cxx +++ b/filter/source/graphicfilter/itiff/ccidecom.cxx @@ -1026,11 +1026,14 @@ void CCIDecompressor::Read2DScanlineData(sal_uInt8 * pTarget, sal_uInt16 nTarget while (nBitPosnTargetBits bStatus) { n2DMode=ReadCodeAndDecode(p2DModeLookUp,10); -if (!bStatus) return; +if (!bStatus) +return; if (n2DMode==CCI2DMODE_UNCOMP) { for (;;) { nUncomp=ReadCodeAndDecode(pUncompLookUp,11); +if (!bStatus) +break; if ( nUncomp = CCIUNCOMP_4White_1Black ) { nRun=nUncomp-CCIUNCOMP_0White_1Black; FillBits(pTarget,nTargetBits,nBitPos,nRun,0x00); ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
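Review bot: The check added inside the `for (;;)` leaves with `break`, while the check directly above it, after the `p2DModeLookUp` decode, leaves the function with `return`. After a failed decode the `break` only exits the inner loop, so anything that follows that loop inside the `while` body still runs before the `while` condition tests bStatus again. Unless that trailing code has to run, `if (!bStatus) return;` would match the earlier check. The remainder of the loop body is outside the hunk, so this should be confirmed against the full function.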
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/tiff/fail/hang-9.tiff |binary filter/source/graphicfilter/itiff/itiff.cxx | 29 +-- 2 files changed, 19 insertions(+), 10 deletions(-) New commits: commit 6c40a461a2092e0fbb96b77ebaec7b028a02fd1e Author: Caolán McNamara caol...@redhat.com Date: Mon Jul 20 12:28:03 2015 +0100 bail if offsets are past eof Change-Id: I4a8e78231befff498894ec92a1f38af206e13129 (cherry picked from commit 97a0e7558b24792827d77217fb2d8b1106056963) Reviewed-on: https://gerrit.libreoffice.org/17232 Reviewed-by: David Tardon dtar...@redhat.com Tested-by: David Tardon dtar...@redhat.com diff --git a/filter/qa/cppunit/data/tiff/fail/hang-9.tiff b/filter/qa/cppunit/data/tiff/fail/hang-9.tiff new file mode 100644 index 000..ef314ab Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/hang-9.tiff differ diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx index 769c57e..180b1c3 100644 --- a/filter/source/graphicfilter/itiff/itiff.cxx +++ b/filter/source/graphicfilter/itiff/itiff.cxx @@ -57,6 +57,7 @@ private: BitmapWriteAccess* pMaskAcc; sal_uLong nOrigPos; // start position in pTIFF +sal_uLong nEndOfFile; // end of file position in pTIFF sal_uInt16 nDataType; @@ -131,6 +132,7 @@ public: , pAlphaMask(NULL) , pMaskAcc(NULL) , nOrigPos(0) +, nEndOfFile(0) , nDataType(0) , bByteSwap(false) , nNewSubFile(0) @@ -540,7 +542,7 @@ bool TIFFReader::ReadMap() { if ( nCompression == 1 || nCompression == 32771 ) { -sal_uLong np, nStrip, nStripBytesPerRow; +sal_uLong nStrip, nStripBytesPerRow; if ( nCompression == 1 ) nStripBytesPerRow = nBytesPerRow; @@ -548,7 +550,7 @@ bool TIFFReader::ReadMap() nStripBytesPerRow = ( nBytesPerRow + 1 ) 0xfffe; for (sal_Int32 ny = 0; ny nImageLength; ++ny) { -for ( np = 0; np nPlanes; np++ ) +for (sal_uLong np = 0; np nPlanes; ++np) { nStrip = ny / GetRowsPerStrip() + np * nStripsPerPlane; if ( nStrip = nNumStripOffsets ) 
@@ -557,7 +559,7 @@ bool TIFFReader::ReadMap() if (np = SAL_N_ELEMENTS(pMap)) return false; pTIFF-Read( pMap[ np ], nBytesPerRow ); -if ( pTIFF-GetError() ) +if (!pTIFF-good()) return false; } if ( !ConvertScanline( ny ) ) @@ -566,7 +568,7 @@ bool TIFFReader::ReadMap() } else if ( nCompression == 2 || nCompression == 3 || nCompression == 4 ) { -sal_uLong np, nStrip, nOptions; +sal_uLong nStrip, nOptions; if ( nCompression == 2 ) { nOptions = CCI_OPTION_BYTEALIGNROW; @@ -595,6 +597,9 @@ bool TIFFReader::ReadMap() nStrip = 0; if ( nStrip = nNumStripOffsets ) return false; +sal_uLong nOffset = pStripOffsets[nStrip]; +if (nOffset nEndOfFile) +return false; pTIFF-Seek(pStripOffsets[nStrip]); CCIDecompressor aCCIDecom( nOptions, nImageWidth ); @@ -603,14 +608,17 @@ bool TIFFReader::ReadMap() for (sal_Int32 ny = 0; ny nImageLength; ++ny) { -for ( np = 0; np nPlanes; np++ ) +for (sal_uLong np = 0; np nPlanes; np++ ) { if ( ny / GetRowsPerStrip() + np * nStripsPerPlane nStrip ) { nStrip=ny/GetRowsPerStrip()+np*nStripsPerPlane; if ( nStrip = nNumStripOffsets ) return false; -pTIFF-Seek( pStripOffsets[ nStrip ] ); +nOffset = pStripOffsets[nStrip]; +if (nOffset nEndOfFile) +return false; +pTIFF-Seek(nOffset); aCCIDecom.StartDecompression( *pTIFF ); } if (np = SAL_N_ELEMENTS(pMap)) @@ -627,7 +635,7 @@ bool TIFFReader::ReadMap() else if ( nCompression == 5 ) { LZWDecompressor aLZWDecom; -sal_uLong np, nStrip; +sal_uLong nStrip; nStrip=0; if ( nStrip = nNumStripOffsets ) return false; @@ -635,7 +643,7 @@ bool TIFFReader::ReadMap() aLZWDecom.StartDecompression(*pTIFF); for (sal_Int32 ny = 0; ny nImageLength; ++ny) { -for ( np = 0; np nPlanes; np++ ) +for (sal_uLong np = 0; np nPlanes; ++np) { if ( ny / GetRowsPerStrip() + np * nStripsPerPlane nStrip ) { @@ -656,7 +664,7 @@ bool TIFFReader::ReadMap() } else if ( nCompression == 32773 ) { -sal_uLong
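Review bot: In the `-595,6 +597,9` hunk the offset is validated through `nOffset`, but the seek that follows still re-reads the array with `pTIFF->Seek(pStripOffsets[nStrip]);`, whereas the second occurrence inside the row loop seeks with `pTIFF->Seek(nOffset);`. Using `pTIFF->Seek(nOffset);` in both places keeps the checked value and the used value the same. The end-of-file test is visible only on the seeks of this compression branch; the seeks of the other branches fall outside the hunks shown, so it is worth confirming they get the same guard. nEndOfFile is initialised to 0 in the constructor hunk, and the place where it receives the real file end is not visible here.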
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/tiff/fail/hang-8.tiff |binary filter/source/graphicfilter/itiff/itiff.cxx |6 -- 2 files changed, 4 insertions(+), 2 deletions(-) New commits: commit f8b78fb646dbea25fe1aff05e71b7c4cb2410552 Author: Caolán McNamara caol...@redhat.com Date: Mon Jul 20 11:40:34 2015 +0100 fail on short read Change-Id: I7215cf8d8b1e4a4156c87507018de3c2b7ed08d8 (cherry picked from commit 8eaef6b5217eecaa111c80e426bdf225481a71fb) Reviewed-on: https://gerrit.libreoffice.org/17219 Reviewed-by: David Tardon dtar...@redhat.com Tested-by: David Tardon dtar...@redhat.com diff --git a/filter/qa/cppunit/data/tiff/fail/hang-8.tiff b/filter/qa/cppunit/data/tiff/fail/hang-8.tiff new file mode 100644 index 000..c458597 Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/hang-8.tiff differ diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx index f0c5d1e..769c57e 100644 --- a/filter/source/graphicfilter/itiff/itiff.cxx +++ b/filter/source/graphicfilter/itiff/itiff.cxx @@ -656,7 +656,7 @@ bool TIFFReader::ReadMap() } else if ( nCompression == 32773 ) { -sal_uLong nStrip,nRecCount,nRowBytesLeft,np,i; +sal_uLong nStrip,nRecCount,np,i; sal_uInt8 * pdst; nStrip = 0; if ( nStrip = nNumStripOffsets ) @@ -673,7 +673,7 @@ bool TIFFReader::ReadMap() return false; pTIFF-Seek(pStripOffsets[nStrip]); } -nRowBytesLeft = nBytesPerRow; +sal_uLong nRowBytesLeft = nBytesPerRow; if (np = SAL_N_ELEMENTS(pMap)) return false; pdst=pMap[ np ]; @@ -687,6 +687,8 @@ bool TIFFReader::ReadMap() if ( nRecCount nRowBytesLeft ) return false; pTIFF-Read(pdst,nRecCount); +if (!pTIFF-good()) +return false; pdst+=nRecCount; nRowBytesLeft-=nRecCount; } ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/tiff/fail/hang-2.tiff |binary filter/source/graphicfilter/itiff/itiff.cxx | 11 ++- 2 files changed, 10 insertions(+), 1 deletion(-) New commits: commit 85d5385ed47009782abbeaa538611a6367b61bb4 Author: Caolán McNamara caol...@redhat.com Date: Fri Jul 17 09:59:23 2015 +0100 detect another loop in tif format Change-Id: I950f751277d9080b4fc00c38f63453cce81bcc32 (cherry picked from commit 49bf2c6700d8f0fc9155ac2d06bf0a7bd84915d8) Reviewed-on: https://gerrit.libreoffice.org/17154 Reviewed-by: David Tardon dtar...@redhat.com Tested-by: David Tardon dtar...@redhat.com diff --git a/filter/qa/cppunit/data/tiff/fail/hang-2.tiff b/filter/qa/cppunit/data/tiff/fail/hang-2.tiff new file mode 100644 index 000..28ec8c0 Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/hang-2.tiff differ diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx index 9ae2a06..80c859c 100644 --- a/filter/source/graphicfilter/itiff/itiff.cxx +++ b/filter/source/graphicfilter/itiff/itiff.cxx @@ -1178,10 +1178,19 @@ bool TIFFReader::ReadTIFF(SvStream rTIFF, Graphic rGraphic ) { sal_uInt32 nOffset = nFirstIfd; +std::vectorsal_uInt32 aSeenOffsets; // calculate length of TIFF file do { -pTIFF-Seek( nOrigPos + nOffset ); +if (std::find(aSeenOffsets.begin(), aSeenOffsets.end(), nOffset) != aSeenOffsets.end()) +{ +SAL_WARN(filter.tiff, Parsing error: nOffset + already processed, format loop); +bStatus = false; +break; +} +pTIFF-Seek(nOrigPos + nOffset); +aSeenOffsets.push_back(nOffset); if( pTIFF-GetError() ) { ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
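Review bot: The cycle check runs a linear `std::find` over `aSeenOffsets` on every iteration, so a file that chains many distinct offsets makes this loop quadratic in the number of entries, which works against the purpose of a hang fix. A `std::set<sal_uInt32>` does the test and the bookkeeping in one step, `if (!aSeenOffsets.insert(nOffset).second)`, at the cost of including `<set>`. The "detect loop in tif format" commit further down this page uses the same vector-and-find pattern for `aSeenIfds` and would take the same change. The loop body continues outside the hunk.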
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/tiff/fail/hang-1.tiff |binary filter/source/graphicfilter/itiff/itiff.cxx |7 +-- 2 files changed, 5 insertions(+), 2 deletions(-) New commits: commit 5681a8b41dd95fea324d4a9797fbe959e2022feb Author: Caolán McNamara caol...@redhat.com Date: Fri Jul 17 09:45:26 2015 +0100 test that nNumStripOffsets value is within bounds of file Change-Id: I1483ea3671420be5349692374641e10b344d (cherry picked from commit feedb957310fc3282ca47d5ffc1482dbb944a36e) Reviewed-on: https://gerrit.libreoffice.org/17151 Reviewed-by: David Tardon dtar...@redhat.com Tested-by: David Tardon dtar...@redhat.com diff --git a/filter/qa/cppunit/data/tiff/fail/hang-1.tiff b/filter/qa/cppunit/data/tiff/fail/hang-1.tiff new file mode 100644 index 000..9cd2aa2 Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/hang-1.tiff differ diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx index 80c859c..aed15f6 100644 --- a/filter/source/graphicfilter/itiff/itiff.cxx +++ b/filter/source/graphicfilter/itiff/itiff.cxx @@ -373,14 +373,17 @@ void TIFFReader::ReadTagData( sal_uInt16 nTagType, sal_uInt32 nDataLen) nNumStripOffsets = 0; nOldNumSO = nNumStripOffsets; nDataLen += nOldNumSO; -if ( ( nDataLen nOldNumSO ) ( nDataLen SAL_MAX_UINT32 / sizeof( sal_uInt32 ) ) ) +size_t nMaxAllocAllowed = SAL_MAX_UINT32 / sizeof(sal_uInt32); +size_t nMaxRecordsAvailable = pTIFF-remainingSize() / DataTypeSize(); +if (nDataLen nOldNumSO nDataLen nMaxAllocAllowed +(nDataLen - nOldNumSO) = nMaxRecordsAvailable) { nNumStripOffsets = nDataLen; try { pStripOffsets = new sal_uLong[ nNumStripOffsets ]; } -catch (const std::bad_alloc ) +catch (const std::bad_alloc ) { pStripOffsets = NULL; nNumStripOffsets = 0; ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/pcx/fail/hang-1.pcx |binary filter/source/graphicfilter/ipcx/ipcx.cxx |4 ++-- 2 files changed, 2 insertions(+), 2 deletions(-) New commits: commit 26cd5af62fdeb650714f36c948784de1016591e4 Author: Caolán McNamara caol...@redhat.com Date: Fri Jul 17 10:11:34 2015 +0100 don't loop forever if pcx has short read Change-Id: I638792417924bcb8e48995f4e789f84a2cbf4757 (cherry picked from commit c9ba7a2a4d29af2542f31562cfdd64db2237aea8) Reviewed-on: https://gerrit.libreoffice.org/17157 Reviewed-by: David Tardon dtar...@redhat.com Tested-by: David Tardon dtar...@redhat.com diff --git a/filter/qa/cppunit/data/pcx/fail/hang-1.pcx b/filter/qa/cppunit/data/pcx/fail/hang-1.pcx new file mode 100644 index 000..73798ea Binary files /dev/null and b/filter/qa/cppunit/data/pcx/fail/hang-1.pcx differ diff --git a/filter/source/graphicfilter/ipcx/ipcx.cxx b/filter/source/graphicfilter/ipcx/ipcx.cxx index 61b7fa6..8a5ddb3 100644 --- a/filter/source/graphicfilter/ipcx/ipcx.cxx +++ b/filter/source/graphicfilter/ipcx/ipcx.cxx @@ -224,7 +224,7 @@ void PCXReader::ImplReadBody(BitmapWriteAccess * pAcc) nCount = 0; for ( ny = 0; ny nHeight; ny++ ) { -if (m_rPCX.GetError() || m_rPCX.IsEof()) +if (!m_rPCX.good()) { nStatus = false; break; @@ -248,7 +248,7 @@ void PCXReader::ImplReadBody(BitmapWriteAccess * pAcc) nx--; nCount--; } -while ( nx 0 ) +while (nx 0 m_rPCX.good()) { m_rPCX.ReadUChar( nDat ); if ( ( nDat 0xc0 ) == 0xc0 ) ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/pict/fail/exception-1.pct |binary filter/source/graphicfilter/ipict/ipict.cxx |5 + 2 files changed, 5 insertions(+) New commits: commit e5aae767d634ba7efc8a5ecf2889678176babeb8 Author: Caolán McNamara caol...@redhat.com Date: Thu Jul 16 10:01:24 2015 +0100 exception on div by 0 Change-Id: Id33d6a5e3df5812babd28ebfc65b95ce97219ad3 (cherry picked from commit cf4159e16c13a13d0bedccebb50bb08f1662bc1c) Reviewed-on: https://gerrit.libreoffice.org/17121 Tested-by: Jenkins c...@libreoffice.org Reviewed-by: David Tardon dtar...@redhat.com diff --git a/filter/qa/cppunit/data/pict/fail/exception-1.pct b/filter/qa/cppunit/data/pict/fail/exception-1.pct new file mode 100644 index 000..f9cd85a Binary files /dev/null and b/filter/qa/cppunit/data/pict/fail/exception-1.pct differ diff --git a/filter/source/graphicfilter/ipict/ipict.cxx b/filter/source/graphicfilter/ipict/ipict.cxx index 6621edd..4f0c39b 100644 --- a/filter/source/graphicfilter/ipict/ipict.cxx +++ b/filter/source/graphicfilter/ipict/ipict.cxx @@ -1859,6 +1859,7 @@ sal_uLong PictReader::ReadData(sal_uInt16 nOpcode) void PictReader::ReadPict( SvStream rStreamPict, GDIMetaFile rGDIMetaFile ) { +try { sal_uInt16 nOpcode; sal_uInt8 nOneByteOpcode; sal_uLong nSize, nPercent, nLastPercent; @@ -1950,6 +1951,10 @@ void PictReader::ReadPict( SvStream rStreamPict, GDIMetaFile rGDIMetaFile ) pPict-SetEndian(nOrigNumberFormat); if (pPict-GetError()) pPict-Seek(nOrigPos); +} catch (...) +{ +rStreamPict.SetError(SVSTREAM_FILEFORMAT_ERROR); +} } namespace pict { ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
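Review bot: The `try` block encloses the stream restoration at the end of ReadPict (`pPict->SetEndian(nOrigNumberFormat);` and the `Seek(nOrigPos)` on error), so when an exception is caught the stream keeps the endianness the reader set and stays at whatever position the failure left it. Doing the same restoration in the handler before `SetError` would require nOrigNumberFormat and nOrigPos to be declared ahead of the `try`; where they are declared is outside the two hunks. `catch (...)` also reports every failure, std::bad_alloc included, as a file-format error, so catching the specific type thrown for the division case would be narrower if that type is known.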
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/eps/fail/short-1.eps |binary filter/source/graphicfilter/ieps/ieps.cxx | 16 +--- 2 files changed, 9 insertions(+), 7 deletions(-) New commits: commit 0e5dbfa5f1213e0ae9b79f507ac78e99e35417aa Author: Caolán McNamara caol...@redhat.com Date: Thu Jul 16 10:50:58 2015 +0100 min size of eps for a preview is 32 Change-Id: Icb82d9dd0a3918f2bdc4cb768c566774cd0d8ac4 (cherry picked from commit bf02304a0ea4771e01f39dd0032cbf276997ca00) Reviewed-on: https://gerrit.libreoffice.org/17132 Tested-by: Jenkins c...@libreoffice.org Reviewed-by: David Tardon dtar...@redhat.com diff --git a/filter/qa/cppunit/data/eps/fail/short-1.eps b/filter/qa/cppunit/data/eps/fail/short-1.eps new file mode 100644 index 000..4b38b78 Binary files /dev/null and b/filter/qa/cppunit/data/eps/fail/short-1.eps differ diff --git a/filter/source/graphicfilter/ieps/ieps.cxx b/filter/source/graphicfilter/ieps/ieps.cxx index 730dd80..dc26939 100644 --- a/filter/source/graphicfilter/ieps/ieps.cxx +++ b/filter/source/graphicfilter/ieps/ieps.cxx @@ -69,7 +69,7 @@ static sal_uInt8* ImplSearchEntry( sal_uInt8* pSource, sal_uInt8 const * pDest, // SecurityCount is the buffersize of the buffer in which we will parse for a number -static long ImplGetNumber( sal_uInt8 **pBuf, int nSecurityCount ) +static long ImplGetNumber( sal_uInt8 **pBuf, sal_uInt32 nSecurityCount ) { boolbValid = true; boolbNegative = false; @@ -502,7 +502,7 @@ void MakePreview(sal_uInt8* pBuf, sal_uInt32 nBytesRead, if ( pDest ) { pDest += 16; -int nCount = 4; +sal_uInt32 nCount = 4; long nNumber = ImplGetNumber( pDest, nCount ); if ( nCount ( (sal_uInt32)nNumber 10 ) ) { 
@@ -595,14 +595,16 @@ GraphicImport( SvStream rStream, Graphic rGraphic, FilterConfigItem* ) rStream.Seek( nPSStreamPos ); sal_uInt8* pBuf = new sal_uInt8[ nPSSize ]; -sal_uInt32 nBufStartPos = rStream.Tell(); -sal_uInt32 nBytesRead = rStream.Read( pBuf, nPSSize ); +sal_uInt32 nBufStartPos = rStream.Tell(); +sal_uInt32 nBytesRead = rStream.Read( pBuf, nPSSize ); if ( nBytesRead == nPSSize ) { -int nSecurityCount = 32; -if ( !bHasPreview ) // if there is no tiff/wmf preview, we will parse for an preview in the eps prolog +sal_uInt32 nSecurityCount = 32; +// if there is no tiff/wmf preview, we will parse for an preview in +// the eps prolog +if (!bHasPreview nBytesRead = nSecurityCount) { -sal_uInt8* pDest = ImplSearchEntry( pBuf, reinterpret_castsal_uInt8 const *(%%BeginPreview:), nBytesRead - 32, 15 ); +sal_uInt8* pDest = ImplSearchEntry( pBuf, reinterpret_castsal_uInt8 const *(%%BeginPreview:), nBytesRead - nSecurityCount, 15 ); if ( pDest ) { pDest += 15; ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/tiff/fail/loop.tif |binary filter/source/graphicfilter/itiff/itiff.cxx | 12 +++- 2 files changed, 11 insertions(+), 1 deletion(-) New commits: commit 96aaf7114df2da0b7bdc86f5feef6137c7c1e44b Author: Caolán McNamara caol...@redhat.com Date: Fri Jul 17 09:23:17 2015 +0100 detect loop in tif format Change-Id: I27645566cd9fc0ac8cf753f0217ae6cf0fa9929e (cherry picked from commit 290465b0effecb6d620adc20ca279f8057eeab9a) Reviewed-on: https://gerrit.libreoffice.org/17149 Reviewed-by: David Tardon dtar...@redhat.com Tested-by: David Tardon dtar...@redhat.com diff --git a/filter/qa/cppunit/data/tiff/fail/loop.tif b/filter/qa/cppunit/data/tiff/fail/loop.tif new file mode 100644 index 000..6d8cee7 Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/loop.tif differ diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx index 84bff73..9ae2a06 100644 --- a/filter/source/graphicfilter/itiff/itiff.cxx +++ b/filter/source/graphicfilter/itiff/itiff.cxx @@ -1210,9 +1210,19 @@ bool TIFFReader::ReadTIFF(SvStream rTIFF, Graphic rGraphic ) } while( nOffset ); +std::vectorsal_uInt32 aSeenIfds; + for ( sal_uInt32 nNextIfd = nFirstIfd; nNextIfd bStatus; ) { -pTIFF-Seek( nOrigPos + nNextIfd ); +if (std::find(aSeenIfds.begin(), aSeenIfds.end(), nNextIfd) != aSeenIfds.end()) +{ +SAL_WARN(filter.tiff, Parsing error: nNextIfd + already processed, format loop); +bStatus = false; +break; +} +pTIFF-Seek(nOrigPos + nNextIfd); +aSeenIfds.push_back(nNextIfd); { bByteSwap = false; ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/met/fail/crash-1.met |binary filter/source/graphicfilter/ios2met/ios2met.cxx |7 --- 2 files changed, 4 insertions(+), 3 deletions(-) New commits: commit e39e26533cba5be4445bdb39884bb1bc32083bbb Author: Caolán McNamara caol...@redhat.com Date: Wed Jul 15 12:25:35 2015 +0100 bump size type Change-Id: I2c32c253499a3efb22a3312ed1f0a608649ce124 (cherry picked from commit dc71a72753202d29544845cfd58992bac63c6837) Reviewed-on: https://gerrit.libreoffice.org/17088 Reviewed-by: Michael Meeks michael.me...@collabora.com Tested-by: Michael Meeks michael.me...@collabora.com diff --git a/filter/qa/cppunit/data/met/fail/crash-1.met b/filter/qa/cppunit/data/met/fail/crash-1.met new file mode 100644 index 000..c46b4a9 Binary files /dev/null and b/filter/qa/cppunit/data/met/fail/crash-1.met differ diff --git a/filter/source/graphicfilter/ios2met/ios2met.cxx b/filter/source/graphicfilter/ios2met/ios2met.cxx index 7b024ae..944dab3 100644 --- a/filter/source/graphicfilter/ios2met/ios2met.cxx +++ b/filter/source/graphicfilter/ios2met/ios2met.cxx @@ -208,7 +208,7 @@ enum PenStyle { PEN_NULL, PEN_SOLID, PEN_DOT, PEN_DASH, PEN_DASHDOT }; struct OSPalette { OSPalette * pSucc; sal_uInt32 * p0RGB; // May be NULL! -sal_uInt16 nSize; +size_t nSize; }; struct OSArea { 
@@ -733,12 +733,13 @@ void OS2METReader::SetPalette0RGB(sal_uInt16 nIndex, sal_uLong nCol) } if (pPaletteStack-p0RGB==NULL || nIndex=pPaletteStack-nSize) { sal_uInt32 * pOld0RGB=pPaletteStack-p0RGB; -sal_uInt16 i,nOldSize=pPaletteStack-nSize; +size_t nOldSize = pPaletteStack-nSize; if (pOld0RGB==NULL) nOldSize=0; pPaletteStack-nSize=2*(nIndex+1); if (pPaletteStack-nSize256) pPaletteStack-nSize=256; pPaletteStack-p0RGB = new sal_uInt32[pPaletteStack-nSize]; -for (i=0; ipPaletteStack-nSize; i++) { +for (size_t i=0; i pPaletteStack-nSize; ++i) +{ if (inOldSize) pPaletteStack-p0RGB[i]=pOld0RGB[i]; else if (i==0) pPaletteStack-p0RGB[i]=0x00ff; else pPaletteStack-p0RGB[i]=0; ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/met/pass/hang-2.met |binary filter/source/graphicfilter/ios2met/ios2met.cxx | 33 ++-- 2 files changed, 26 insertions(+), 7 deletions(-) New commits: commit fdc0b506538560e13127a44a7de817412c13035b Author: Caolán McNamara caol...@redhat.com Date: Wed Jul 15 12:59:55 2015 +0100 tools polygons limited to 16bit indexes Change-Id: Ib0f727a3681492c15b807ca159d8bf7675ee8f29 (cherry picked from commit 89857aacac98f0f8e5dca4718affec493951f904) WaE: C2220 Change-Id: Ibf9fa7ffc3beb237a470952c265fb1bce313a08a (cherry picked from commit 8547c336b3253d90daae1c79a2b1a57996a39102) Reviewed-on: https://gerrit.libreoffice.org/17091 Tested-by: Jenkins c...@libreoffice.org Reviewed-by: Michael Meeks michael.me...@collabora.com diff --git a/filter/qa/cppunit/data/met/pass/hang-2.met b/filter/qa/cppunit/data/met/pass/hang-2.met new file mode 100644 index 000..84b432e Binary files /dev/null and b/filter/qa/cppunit/data/met/pass/hang-2.met differ diff --git a/filter/source/graphicfilter/ios2met/ios2met.cxx b/filter/source/graphicfilter/ios2met/ios2met.cxx index 0553d1f..2ff00f6 100644 --- a/filter/source/graphicfilter/ios2met/ios2met.cxx +++ b/filter/source/graphicfilter/ios2met/ios2met.cxx 
@@ -1173,18 +1173,37 @@ void OS2METReader::ReadPartialArc(bool bGivenPos, sal_uInt16 nOrderSize) void OS2METReader::ReadPolygons() { -sal_uInt32 i,j,nNumPolys, nNumPoints; tools::PolyPolygon aPolyPoly; Polygon aPoly; Point aPoint; -sal_uInt8 nFlags; -pOS2MET-ReadUChar( nFlags ).ReadUInt32( nNumPolys ); -for (i=0; inNumPolys; i++) { -pOS2MET-ReadUInt32( nNumPoints ); -if (i==0) nNumPoints++; +sal_uInt8 nFlags(0); +sal_uInt32 nNumPolys(0); +pOS2MET-ReadUChar(nFlags).ReadUInt32(nNumPolys); + +if (nNumPolys SAL_MAX_UINT16) +{ +pOS2MET-SetError(SVSTREAM_FILEFORMAT_ERROR); +ErrorCode=11; +return; +} + +for (sal_uInt32 i=0; inNumPolys; ++i) +{ +sal_uInt32 nNumPoints(0); +pOS2MET-ReadUInt32(nNumPoints); +sal_uInt32 nLimit = SAL_MAX_UINT16; +if (i==0) --nLimit; +if (nNumPoints nLimit) +{ +pOS2MET-SetError(SVSTREAM_FILEFORMAT_ERROR); +ErrorCode=11; +return; +} +if (i==0) ++nNumPoints; aPoly.SetSize((short)nNumPoints); -for (j=0; jnNumPoints; j++) { +for (sal_uInt32 j=0; jnNumPoints; ++j) +{ if (i==0 j==0) aPoint=aAttr.aCurPos; else aPoint=ReadPoint(); aPoly.SetPoint(aPoint,(short)j); ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
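Review bot: The new limits bound each count to 16 bits, but neither loop looks at the stream state, so a truncated file that declares large counts still drives up to nNumPolys × nNumPoints calls to ReadPoint() on a stream with nothing left to read. A check right after `pOS2MET->ReadUInt32(nNumPoints);`, for example `if (!pOS2MET->good()) { ErrorCode=11; return; }`, ends that early. Separately, the limit is SAL_MAX_UINT16 while the context lines cast with `(short)nNumPoints` and `(short)j`, which makes values above 32767 negative before the call; a cast to the parameter type of SetSize/SetPoint (declared outside this file) would match the limit. The loop bodies continue outside the hunk.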
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/pbm/fail/hang-1.pbm |binary filter/qa/cppunit/data/pbm/indeterminate/.gitignore |1 + filter/qa/cppunit/data/pbm/pass/rhbz160429-1.pbm|binary filter/qa/cppunit/filters-ppm-test.cxx |4 filter/source/graphicfilter/ipbm/ipbm.cxx |2 +- 5 files changed, 6 insertions(+), 1 deletion(-) New commits: commit c48004eb562a9c4b377cf31a09a04cb03abdc58e Author: Caolán McNamara caol...@redhat.com Date: Wed Jul 15 14:01:46 2015 +0100 avoid hang in short pbm Change-Id: I9b7f0832a4dc231e1e8f963858c155e3cd392667 (cherry picked from commit b8637e67d6d39e47d22cfce496000288f0dc58d8) Reviewed-on: https://gerrit.libreoffice.org/17083 Tested-by: Jenkins c...@libreoffice.org Reviewed-by: Michael Meeks michael.me...@collabora.com diff --git a/filter/qa/cppunit/data/pbm/fail/.gitignore b/filter/qa/cppunit/data/pbm/fail/.gitignore new file mode 100644 index 000..e69de29 diff --git a/filter/qa/cppunit/data/pbm/fail/hang-1.pbm b/filter/qa/cppunit/data/pbm/fail/hang-1.pbm new file mode 100644 index 000..21742d2 Binary files /dev/null and b/filter/qa/cppunit/data/pbm/fail/hang-1.pbm differ diff --git a/filter/qa/cppunit/data/pbm/indeterminate/.gitignore b/filter/qa/cppunit/data/pbm/indeterminate/.gitignore new file mode 100644 index 000..e9c5b17 --- /dev/null +++ b/filter/qa/cppunit/data/pbm/indeterminate/.gitignore @@ -0,0 +1 @@ +*.ppm-* diff --git a/filter/qa/cppunit/data/pbm/pass/.gitignore b/filter/qa/cppunit/data/pbm/pass/.gitignore new file mode 100644 index 000..e69de29 diff --git a/filter/qa/cppunit/data/pbm/pass/rhbz160429-1.pbm b/filter/qa/cppunit/data/pbm/pass/rhbz160429-1.pbm new file mode 100644 index 000..d6e3fc6 Binary files /dev/null and b/filter/qa/cppunit/data/pbm/pass/rhbz160429-1.pbm differ diff --git a/filter/qa/cppunit/filters-ppm-test.cxx b/filter/qa/cppunit/filters-ppm-test.cxx index e98ce6f..10f2658 100644 --- a/filter/qa/cppunit/filters-ppm-test.cxx +++ b/filter/qa/cppunit/filters-ppm-test.cxx 
@@ -62,6 +62,10 @@ void PpmFilterTest::testCVEs() testDir(OUString(), getURLFromSrc(/filter/qa/cppunit/data/ppm/), OUString()); + +testDir(OUString(), +getURLFromSrc(/filter/qa/cppunit/data/pbm/), +OUString()); } CPPUNIT_TEST_SUITE_REGISTRATION(PpmFilterTest); diff --git a/filter/source/graphicfilter/ipbm/ipbm.cxx b/filter/source/graphicfilter/ipbm/ipbm.cxx index 248d4df..e545334 100644 --- a/filter/source/graphicfilter/ipbm/ipbm.cxx +++ b/filter/source/graphicfilter/ipbm/ipbm.cxx @@ -179,7 +179,7 @@ bool PBMReader::ImplReadHeader() } while ( !bFinished ) { -if ( mrPBM.GetError() ) +if (!mrPBM.good()) return false; mrPBM.ReadUChar( nDat ); ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/met/fail/hang-1.met |binary filter/source/graphicfilter/ios2met/ios2met.cxx | 12 +--- 2 files changed, 9 insertions(+), 3 deletions(-) New commits: commit 66744837834e86ea0b7227a704cd0f82f8bdc223 Author: Caolán McNamara caol...@redhat.com Date: Wed Jul 15 12:18:10 2015 +0100 don't hang with 0 len causing no progression Change-Id: Ie553dab291c7bfbde033d89b84159aff6b42a160 (cherry picked from commit 15dfcb7f461893f83abcf28bfe01a4164209a160) Reviewed-on: https://gerrit.libreoffice.org/17084 Reviewed-by: Michael Meeks michael.me...@collabora.com Tested-by: Michael Meeks michael.me...@collabora.com diff --git a/filter/qa/cppunit/data/met/fail/hang-1.met b/filter/qa/cppunit/data/met/fail/hang-1.met new file mode 100644 index 000..c1a095d Binary files /dev/null and b/filter/qa/cppunit/data/met/fail/hang-1.met differ diff --git a/filter/source/graphicfilter/ios2met/ios2met.cxx b/filter/source/graphicfilter/ios2met/ios2met.cxx index 944dab3..0553d1f 100644 --- a/filter/source/graphicfilter/ios2met/ios2met.cxx +++ b/filter/source/graphicfilter/ios2met/ios2met.cxx @@ -2240,7 +2240,6 @@ void OS2METReader::ReadImageData(sal_uInt16 nDataID, sal_uInt16 nDataLen) void OS2METReader::ReadFont(sal_uInt16 nFieldSize) { sal_uLong nPos, nMaxPos; -sal_uInt16 nLen; sal_uInt8 nByte, nTripType, nTripType2; OSFont * pF=new OSFont; pF-pSucc=pFontList; pFontList=pF; @@ -2252,7 +2251,13 @@ void OS2METReader::ReadFont(sal_uInt16 nFieldSize) nMaxPos=nPos+(sal_uLong)nFieldSize; pOS2MET-SeekRel(2); nPos+=2; while (nPosnMaxPos pOS2MET-GetError()==0) { -pOS2MET-ReadUChar( nByte ); nLen =((sal_uInt16)nByte) 0x00ff; +pOS2MET-ReadUChar( nByte ); +sal_uInt16 nLen = ((sal_uInt16)nByte) 0x00ff; +if (nLen == 0) +{ +pOS2MET-SetError(SVSTREAM_FILEFORMAT_ERROR); +ErrorCode=4; +} pOS2MET-ReadUChar( nTripType ); switch (nTripType) { case 0x02: 
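Review bot: The zero-length branch sets the stream error and `ErrorCode=4` but does not leave the loop, so the rest of the iteration (`ReadUChar( nTripType )`, the `switch`, and the `Seek(nPos)` at the bottom) still executes with `nLen == 0` before the `while` condition sees the error. Adding `break;` after `ErrorCode=4;` stops at the point of detection. Whether any `case` computes with nLen, such as a length minus a header size, cannot be seen from this hunk; if one does, it would underflow on this path.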
@@ -2304,7 +2309,8 @@ void OS2METReader::ReadFont(sal_uInt16 nFieldSize) break; } } -nPos+=nLen; pOS2MET-Seek(nPos); +nPos+=nLen; +pOS2MET-Seek(nPos); } } ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
dev/null|binary filter/qa/cppunit/data/ras/fail/CVE-2008-1097-1.ras |binary filter/source/graphicfilter/iras/iras.cxx | 24 +++- 3 files changed, 14 insertions(+), 10 deletions(-) New commits: commit a1fb6c1344f7e21ff6c8bf24c14e729c7ce69c71 Author: Caolán McNamara caol...@redhat.com Date: Wed Jul 15 11:31:18 2015 +0100 check stream state more often for failures Change-Id: Ie45d858021c3123ec21829cbf4742cf30ce46665 (cherry picked from commit adfa89b5ffc3589b3a19a32e707a134cee232429) Reviewed-on: https://gerrit.libreoffice.org/17071 Tested-by: Jenkins c...@libreoffice.org Reviewed-by: Michael Meeks michael.me...@collabora.com Tested-by: Michael Meeks michael.me...@collabora.com diff --git a/filter/qa/cppunit/data/ras/pass/CVE-2008-1097-1.ras b/filter/qa/cppunit/data/ras/fail/CVE-2008-1097-1.ras similarity index 100% rename from filter/qa/cppunit/data/ras/pass/CVE-2008-1097-1.ras rename to filter/qa/cppunit/data/ras/fail/CVE-2008-1097-1.ras diff --git a/filter/source/graphicfilter/iras/iras.cxx b/filter/source/graphicfilter/iras/iras.cxx index 6916daa..5877fa2 100644 --- a/filter/source/graphicfilter/iras/iras.cxx +++ b/filter/source/graphicfilter/iras/iras.cxx @@ -54,7 +54,7 @@ private: boolImplReadBody(BitmapWriteAccess * pAcc); boolImplReadHeader(); -sal_uInt8 ImplGetByte(); +sal_uInt8 ImplGetByte(); public: RASReader(SvStream rRAS); @@ -174,13 +174,11 @@ bool RASReader::ReadRAS(Graphic rGraphic) return mbStatus; } - - bool RASReader::ImplReadHeader() { m_rRAS.ReadInt32(mnWidth).ReadInt32(mnHeight).ReadInt32(mnDepth).ReadInt32(mnImageDatSize).ReadInt32(mnType).ReadInt32(mnColorMapType).ReadInt32(mnColorMapSize); -if ( mnWidth = 0 || mnHeight = 0 || mnImageDatSize = 0 ) +if (mnWidth = 0 || mnHeight = 0 || mnImageDatSize = 0 || !m_rRAS.good()) mbStatus = false; switch ( mnDepth ) 
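Review bot: The extended check in RASReader::ImplReadHeader only sets `mbStatus = false` when the stream is bad or a size field fails the test, and execution then continues into `switch ( mnDepth )` with header fields that may never have been read. Returning at that point, `{ mbStatus = false; return false; }`, would keep the rest of the header logic from running on unread values. The remainder of the function is outside the hunk, so confirm that nothing after the switch relies on falling through.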
@@ -222,7 +220,7 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc) switch ( mnDstBitsPerPix ) { case 1 : -for ( y = 0; y mnHeight; y++ ) +for (y = 0; y mnHeight mbStatus; ++y) { for ( x = 0; x mnWidth; x++ ) { @@ -233,11 +231,13 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc) nDat ( ( x 7 ) ^ 7 )) ); } if (!( ( x - 1 ) 0x8 ) ) ImplGetByte(); // WORD ALIGNMENT ??? +if (!m_rRAS.good()) +mbStatus = false; } break; case 8 : -for ( y = 0; y mnHeight; y++ ) +for (y = 0; y mnHeight mbStatus; ++y) { for ( x = 0; x mnWidth; x++ ) { @@ -245,6 +245,8 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc) pAcc-SetPixelIndex( y, x, nDat ); } if ( x 1 ) ImplGetByte(); // WORD ALIGNMENT ??? +if (!m_rRAS.good()) +mbStatus = false; } break; @@ -253,7 +255,7 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc) { case 24 : -for ( y = 0; y mnHeight; y++ ) +for (y = 0; y mnHeight mbStatus; ++y) { for ( x = 0; x mnWidth; x++ ) { @@ -272,11 +274,13 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc) pAcc-SetPixel ( y, x, BitmapColor( nRed, nGreen, nBlue ) ); } if ( x 1 ) ImplGetByte(); // WORD ALIGNMENT ??? +if (!m_rRAS.good()) +mbStatus = false; } break; case 32 : -for ( y = 0; y mnHeight; y++ ) +for (y = 0; y mnHeight mbStatus; ++y) { for ( x = 0; x mnWidth; x++ ) { @@ -295,6 +299,8 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc) } pAcc-SetPixel ( y, x, BitmapColor( nRed, nGreen, nBlue ) ); } +if (!m_rRAS.good()) +mbStatus = false; } break; } @@ -307,8 +313,6 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc) return mbStatus; } - - sal_uInt8 RASReader::ImplGetByte() { sal_uInt8 nRetVal; ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org
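Review bot: In RASReader::ImplReadBody the added `if (!m_rRAS.good()) mbStatus = false;` runs once per row, after the inner x loop, in all four depth cases (1, 8, 24 and 32). A file that ends early therefore still fills the rest of that row from whatever ImplGetByte returns on a failed read, and a header declaring a very wide image turns that into a full row of pixel writes on data that never came from the file. Consider stopping the inner loops as well, for example by testing the stream state in the x loop condition, or add a comment stating what ImplGetByte returns on failure. ImplGetByte's body is outside these hunks.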
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/dxf/fail/hang-1.dxf|1 filter/qa/cppunit/data/dxf/pass/pyramid.dxf |25008 ++ filter/source/graphicfilter/idxf/dxfgrprd.cxx |3 3 files changed, 25010 insertions(+), 2 deletions(-) New commits: commit e25cbe0c47d1fbd57bb83856a750a8748fdce6bc Author: Caolán McNamara caol...@redhat.com Date: Wed Jul 15 17:10:24 2015 +0100 don't hang if at end of stream Change-Id: I497a30041ec667237c2aa64963dcefb67753e87c (cherry picked from commit 5c8325325868753d2891556400c91651bce58402) Reviewed-on: https://gerrit.libreoffice.org/17116 Reviewed-by: Michael Meeks michael.me...@collabora.com Tested-by: Michael Meeks michael.me...@collabora.com diff --git a/filter/qa/cppunit/data/dxf/fail/hang-1.dxf b/filter/qa/cppunit/data/dxf/fail/hang-1.dxf new file mode 100644 index 000..d97edbb29 --- /dev/null +++ b/filter/qa/cppunit/data/dxf/fail/hang-1.dxf @@ -0,0 +1 @@ +99 \ No newline at end of file diff --git a/filter/qa/cppunit/data/dxf/pass/pyramid.dxf b/filter/qa/cppunit/data/dxf/pass/pyramid.dxf new file mode 100644 index 000..65cd5f83 --- /dev/null +++ b/filter/qa/cppunit/data/dxf/pass/pyramid.dxf 
@@ -0,0 +1,25008 @@ +0 +SECTION +2 +HEADER +9 +$ACADVER +1 +AC1014 +9 +$ACADMAINTVER +70 +8 +9 +$DWGCODEPAGE +3 +ANSI_1252 +9 +$INSBASE +10 +0.0 +20 +0.0 +30 +0.0 +9 +$EXTMIN +10 +1.00E+20 +20 +1.00E+20 +30 +1.00E+20 +9 +$EXTMAX +10 +-1.00E+20 +20 +-1.00E+20 +30 +-1.00E+20 +9 +$LIMMIN +10 +0.0 +20 +0.0 +9 +$LIMMAX +10 +12.0 +20 +9.0 +9 +$ORTHOMODE +70 +0 +9 +$REGENMODE +70 +1 +9 +$FILLMODE +70 +1 +9 +$QTEXTMODE +70 +0 +9 +$MIRRTEXT +70 +1 +9 +$DRAGMODE +70 +2 +9 +$LTSCALE +40 +1.0 +9 +$OSMODE +70 +0 +9 +$ATTMODE +70 +1 +9 +$TEXTSIZE +40 +0.2 +9 +$TRACEWID +40 +0.05 +9 +$TEXTSTYLE +7 +STANDARD +9 +$CLAYER +8 +0 +9 +$CELTYPE +6 +BYLAYER +9 +$CECOLOR +62 +256 +9 +$CELTSCALE +40 +1.0 +9 +$DELOBJ +70 +1 +9 +$DISPSILH +70 +0 +9 +$DIMSCALE +40 +1.0 +9 +$DIMASZ +40 +0.18 +9 +$DIMEXO +40 +0.0625 +9 +$DIMDLI +40 +0.38 +9 +$DIMRND +40 +0.0 +9 +$DIMDLE +40 +0.0 +9 +$DIMEXE +40 +0.18 +9 +$DIMTP +40 +0.0 +9 +$DIMTM +40 +0.0 +9 +$DIMTXT +40 +0.18 +9 +$DIMCEN +40 +0.09 +9 +$DIMTSZ +40 +0.0 +9 +$DIMTOL +70 +0 +9 +$DIMLIM +70 +0 +9 +$DIMTIH +70 +1 +9 +$DIMTOH +70 +1 +9 +$DIMSE1 +70 +0 +9 +$DIMSE2 +70 +0 +9 +$DIMTAD +70 +0 +9 +$DIMZIN +70 +0 +9 +$DIMBLK +1 + +9 +$DIMASO +70 +1 +9 +$DIMSHO +70 +1 +9 +$DIMPOST +1 + +9 +$DIMAPOST +1 + +9 +$DIMALT +70 +0 +9 +$DIMALTD +70 +2 +9 +$DIMALTF +40 +25.4 +9 +$DIMLFAC +40 +1.0 +9 +$DIMTOFL +70 +0 +9 +$DIMTVP +40 +0.0 +9 +$DIMTIX +70 +0 +9 +$DIMSOXD +70 +0 +9 +$DIMSAH +70 +0 +9 +$DIMBLK1 +1 + +9 +$DIMBLK2 +1 + +9 +$DIMSTYLE +2 +STANDARD +9 +$DIMCLRD +70 +0 +9 +$DIMCLRE +70 +0 +9 +$DIMCLRT +70 +0 +9 +$DIMTFAC +40 +1.0 +9 +$DIMGAP +40 +0.09 +9 +$DIMJUST +70 +0 +9 +$DIMSD1 +70 +0 +9 +$DIMSD2 +70 +0 +9 +$DIMTOLJ +70 +1 +9 +$DIMTZIN +70 +0 +9 +$DIMALTZ +70 +0 +9 +$DIMALTTZ +70 +0 +9 +$DIMFIT +70 +3 +9 +$DIMUPT +70 +0 +9 +$DIMUNIT +70 +2 +9 +$DIMDEC +70 +4 +9 +$DIMTDEC +70 +4 +9 +$DIMALTU +70 +2 +9 +$DIMALTTD +70 +2 +9 +$DIMTXSTY +7 +STANDARD +9 +$DIMAUNIT +70 +0 +9 +$LUNITS +70 +2 +9 +$LUPREC +70 +4 +9 +$SKETCHINC +40 +0.1 +9 +$FILLETRAD +40 +0.5 +9 
+$AUNITS +70 +0 +9 +$AUPREC +70 +0 +9 +$MENU +1 +. +9 +$ELEVATION +40 +0.0 +9 +$PELEVATION +40 +0.0 +9 +$THICKNESS +40 +0.0 +9 +$LIMCHECK +70 +0 +9 +$BLIPMODE +70 +0 +9 +$CHAMFERA +40 +0.5 +9 +$CHAMFERB +40 +0.5 +9 +$CHAMFERC +40 +1.0 +9 +$CHAMFERD +40 +0.0 +9 +$SKPOLY +70 +1 +9 +$TDCREATE +40 +2451008.519973958 +9 +$TDUPDATE +40 +2451008.523538426 +9 +$TDINDWG +40 +0.002406 +9 +$TDUSRTIMER +40 +0.002406 +9 +$USRTIMER +70 +1 +9 +$ANGBASE +50 +0.0 +9 +$ANGDIR +70 +0 +9 +$PDMODE +70 +0 +9 +$PDSIZE +40 +0.0 +9 +$PLINEWID +40 +0.0 +9 +$COORDS +70 +1 +9 +$SPLFRAME +70 +0 +9 +$SPLINETYPE +70 +6 +9 +$SPLINESEGS +70 +8 +9 +$ATTDIA +70 +0 +9 +$ATTREQ +70 +1 +9 +$HANDLING +70 +1 +9 +$HANDSEED +5 +5B +9 +$SURFTAB1 +70 +6 +9 +$SURFTAB2 +70 +6 +9 +$SURFTYPE +70 +6 +9 +$SURFU +70 +6 +9 +$SURFV +70 +6 +9 +$UCSNAME +2 + +9 +$UCSORG +10 +0.0 +20 +0.0 +30 +0.0 +9 +$UCSXDIR +10 +1.0 +20 +0.0 +30 +0.0 +9 +$UCSYDIR +10 +0.0 +20 +1.0 +30 +0.0 +9 +$PUCSNAME +2 + +9 +$PUCSORG +10 +0.0 +20 +0.0 +30 +0.0 +9 +$PUCSXDIR +10 +1.0 +20 +0.0 +30 +0.0 +9 +$PUCSYDIR +10 +0.0 +20 +1.0 +30 +0.0 +9 +$USERI1 +70 +0 +9 +$USERI2 +70 +0 +9 +$USERI3 +70 +0 +9 +$USERI4 +70 +0 +9 +$USERI5 +70 +0 +9 +$USERR1 +40 +0.0 +9 +$USERR2 +40 +0.0 +9 +$USERR3 +40 +0.0 +9 +$USERR4 +40 +0.0 +9 +$USERR5 +40 +0.0 +9 +$WORLDVIEW +70 +1 +9 +$SHADEDGE +70 +3 +9 +$SHADEDIF +70 +70 +9 +$TILEMODE +70 +1 +9 +$MAXACTVP +70 +48 +9 +$PINSBASE +10 +0.0 +20 +0.0 +30 +0.0 +9 +$PLIMCHECK +70 +0 +9 +$PEXTMIN +10 +1.00E+20 +20 +1.00E+20 +30 +1.00E+20 +9 +$PEXTMAX +10 +-1.00E+20 +20 +-1.00E+20 +30 +-1.00E+20 +9 +$PLIMMIN +10 +0.0 +20 +0.0 +9 +$PLIMMAX +10 +12.0 +20 +9.0 +9 +$UNITMODE +70 +0 +9 +$VISRETAIN +70 +1 +9 +$PLINEGEN +70 +0 +9 +$PSLTSCALE +70 +1 +9 +$TREEDEPTH +70 +3020 +9
[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
filter/qa/cppunit/data/ras/fail/crash-1.ras |binary filter/source/graphicfilter/iras/iras.cxx | 18 +- 2 files changed, 9 insertions(+), 9 deletions(-) New commits: commit eb70bf3e486102205cf609fa4c879564745eff17 Author: Caolán McNamara caol...@redhat.com Date: Wed Jul 15 11:02:13 2015 +0100 file format documentation states these are signed Change-Id: Iaca58dda19d24a767333ff642759414951a03e6d (cherry picked from commit 8a60e78769ebf6fc73ddc8ed7e43991fcb30fff4) Reviewed-on: https://gerrit.libreoffice.org/17063 Reviewed-by: Michael Stahl mst...@redhat.com Tested-by: Michael Stahl mst...@redhat.com diff --git a/filter/qa/cppunit/data/ras/fail/crash-1.ras b/filter/qa/cppunit/data/ras/fail/crash-1.ras new file mode 100644 index 000..d1abbae Binary files /dev/null and b/filter/qa/cppunit/data/ras/fail/crash-1.ras differ diff --git a/filter/source/graphicfilter/iras/iras.cxx b/filter/source/graphicfilter/iras/iras.cxx index cca5bc8..6916daa 100644 --- a/filter/source/graphicfilter/iras/iras.cxx +++ b/filter/source/graphicfilter/iras/iras.cxx @@ -44,12 +44,12 @@ private: boolmbStatus; Bitmap maBmp; -sal_uInt32 mnWidth, mnHeight; // Bildausmass in Pixeln -sal_uInt16 mnDstBitsPerPix; -sal_uInt16 mnDstColors; -sal_uInt32 mnDepth, mnImageDatSize, mnType; -sal_uInt32 mnColorMapType, mnColorMapSize; -sal_uInt8 mnRepCount, mnRepVal; // RLE Decoding +sal_Int32 mnWidth, mnHeight; // Bildausmass in Pixeln +sal_uInt16 mnDstBitsPerPix; +sal_uInt16 mnDstColors; +sal_Int32 mnDepth, mnImageDatSize, mnType; +sal_Int32 mnColorMapType, mnColorMapSize; +sal_uInt8 mnRepCount, mnRepVal; // RLE Decoding boolmbPalette; boolImplReadBody(BitmapWriteAccess * pAcc); 
@@ -178,9 +178,9 @@ bool RASReader::ReadRAS(Graphic rGraphic) bool RASReader::ImplReadHeader() { -m_rRAS.ReadUInt32( mnWidth ).ReadUInt32( mnHeight ).ReadUInt32( mnDepth ).ReadUInt32( mnImageDatSize ).ReadUInt32( mnType ).ReadUInt32( mnColorMapType ).ReadUInt32( mnColorMapSize ); + m_rRAS.ReadInt32(mnWidth).ReadInt32(mnHeight).ReadInt32(mnDepth).ReadInt32(mnImageDatSize).ReadInt32(mnType).ReadInt32(mnColorMapType).ReadInt32(mnColorMapSize); -if ( mnWidth == 0 || mnHeight == 0 ) +if ( mnWidth = 0 || mnHeight = 0 || mnImageDatSize = 0 ) mbStatus = false; switch ( mnDepth ) @@ -216,7 +216,7 @@ bool RASReader::ImplReadHeader() bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc) { -sal_uLong x, y; +sal_Int32 x, y; sal_uInt8 nDat = 0; sal_uInt8nRed, nGreen, nBlue; switch ( mnDstBitsPerPix ) ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
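Review bot: The widened check in RASReader::ImplReadHeader rejects bad values of mnWidth, mnHeight and mnImageDatSize, but not mnColorMapSize, which this commit also turns into a signed sal_Int32. If the colour-map code further down (outside the hunk) uses it as a count or allocation size, a negative value from the file needs rejecting too, for example by adding `|| mnColorMapSize < 0` to the same condition. mnDepth goes into the `switch ( mnDepth )` that follows, whose cases are not visible here.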