[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-09-14 Thread Caolán McNamara
 filter/qa/cppunit/data/psd/pass/hang-1.psd |binary
 filter/source/graphicfilter/ipsd/ipsd.cxx  |   19 ++-
 2 files changed, 10 insertions(+), 9 deletions(-)

New commits:
commit c9e824687521ef2c3a90ba969627178b372d885c
Author: Caolán McNamara 
Date:   Thu Sep 10 09:24:13 2015 +0100

fix size check related hang

Change-Id: I3e8aa5c48ba802cd363688502b44e27bfdf67f01
(cherry picked from commit b02f1c58e7bb8b6c9381107431557d3f39794fe0)
Reviewed-on: https://gerrit.libreoffice.org/18464
Tested-by: Jenkins 
Reviewed-by: David Tardon 
Tested-by: David Tardon 

diff --git a/filter/qa/cppunit/data/psd/pass/hang-1.psd 
b/filter/qa/cppunit/data/psd/pass/hang-1.psd
new file mode 100644
index 000..8f557dd
Binary files /dev/null and b/filter/qa/cppunit/data/psd/pass/hang-1.psd differ
diff --git a/filter/source/graphicfilter/ipsd/ipsd.cxx 
b/filter/source/graphicfilter/ipsd/ipsd.cxx
index 7fbd5ab..a5bea9f 100644
--- a/filter/source/graphicfilter/ipsd/ipsd.cxx
+++ b/filter/source/graphicfilter/ipsd/ipsd.cxx
@@ -172,9 +172,6 @@ bool PSDReader::ReadPSD(Graphic & rGraphic )
 
 bool PSDReader::ImplReadHeader()
 {
-sal_uInt16  nCompression;
-sal_uInt32  nColorLength, nResourceLength, nLayerMaskLength;
-
 mpFileHeader = new PSDFileHeader;
 
 m_rPSD.ReadUInt32( mpFileHeader->nSignature ).ReadUInt16( 
mpFileHeader->nVersion ).ReadUInt32( mpFileHeader->nPad1 ).ReadUInt16( 
mpFileHeader->nPad2 ).ReadUInt16( mpFileHeader->nChannels ).ReadUInt32( 
mpFileHeader->nRows ).ReadUInt32( mpFileHeader->nColumns 
).ReadUInt16( mpFileHeader->nDepth ).ReadUInt16( mpFileHeader->nMode );
@@ -194,6 +191,7 @@ bool PSDReader::ImplReadHeader()
 
 mnDestBitDepth = ( nDepth == 16 ) ? 8 : nDepth;
 
+sal_uInt32 nColorLength(0);
 m_rPSD.ReadUInt32( nColorLength );
 if ( mpFileHeader->nMode == PSD_CMYK )
 {
@@ -270,7 +268,10 @@ bool PSDReader::ImplReadHeader()
 default:
 return false;
 }
-m_rPSD.ReadUInt32( nResourceLength );
+sal_uInt32 nResourceLength(0);
+m_rPSD.ReadUInt32(nResourceLength);
+if (nResourceLength > m_rPSD.remainingSize())
+return false;
 sal_uInt32 nLayerPos = m_rPSD.Tell() + nResourceLength;
 
 // this is a loop over the resource entries to get the resolution info
@@ -291,8 +292,8 @@ bool PSDReader::ImplReadHeader()
 if ( nResEntryLen & 1 )
 nResEntryLen++; // the resource entries are padded
 sal_uInt32 nCurrentPos = m_rPSD.Tell();
-if ( ( nResEntryLen + nCurrentPos ) > nLayerPos )   // check if size
-break;  // is possible
+if (nResEntryLen > (nLayerPos - nCurrentPos))   // check if size
+break;  // is possible
 switch( nUniqueID )
 {
 case 0x3ed :// UID for the resolution info
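Review bot: The rewritten bound `nResEntryLen > (nLayerPos - nCurrentPos)` avoids the overflow in the old sum, but it wraps the other way if `nCurrentPos` is already past `nLayerPos`. That looks possible when an entry's header fields straddle the end of the resource section. The difference then becomes a huge unsigned value, any length passes, and the later `Seek( nCurrentPos + nResEntryLen )` runs on an unvalidated length. Guarding both sides closes this: `if (nCurrentPos > nLayerPos || nResEntryLen > nLayerPos - nCurrentPos) break;`. The loop condition and the entry-header reads are outside the hunk, so confirm there whether `Tell()` can pass `nLayerPos`.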
@@ -307,10 +308,12 @@ bool PSDReader::ImplReadHeader()
 m_rPSD.Seek( nCurrentPos + nResEntryLen );  // set the stream 
to the next
 }   // resource entry
 m_rPSD.Seek( nLayerPos );
+sal_uInt32 nLayerMaskLength(0);
 m_rPSD.ReadUInt32( nLayerMaskLength );
 m_rPSD.SeekRel( nLayerMaskLength );
 
-m_rPSD.ReadUInt16( nCompression );
+sal_uInt16 nCompression(0);
+m_rPSD.ReadUInt16(nCompression);
 if ( nCompression == 0 )
 {
 mbCompression = false;
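Review bot: `nLayerMaskLength` is read from the file and handed straight to `SeekRel()`, without the `remainingSize()` comparison this commit adds for `nResourceLength`. The same guard fits here: `if (nLayerMaskLength > m_rPSD.remainingSize()) return false;`. Because `nCompression` is now initialised to 0, a failed `ReadUInt16(nCompression)` cannot be told apart from a file that declares no compression. An `if (!m_rPSD.good()) return false;` before the comparison would reject a truncated header instead of decoding it as raw data.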
@@ -326,8 +329,6 @@ bool PSDReader::ImplReadHeader()
 return true;
 }
 
-
-
 bool PSDReader::ImplReadBody()
 {
 sal_uLong   nX, nY;


[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-09-14 Thread Caolán McNamara
 filter/qa/cppunit/data/ras/fail/hang-1.ras |binary
 filter/source/graphicfilter/iras/iras.cxx  |   47 +++--
 2 files changed, 32 insertions(+), 15 deletions(-)

New commits:
commit 07e60c9fe65002f698524a838150c457daef2d77
Author: Caolán McNamara 
Date:   Fri Sep 11 15:38:01 2015 +0100

check stream status more often

Change-Id: I233c2fff9c06a81117f8114ccee83b53ea4026db
(cherry picked from commit b43e03353aeb04ed74a272d98df03dd7c20f3478)
Reviewed-on: https://gerrit.libreoffice.org/18505
Tested-by: Jenkins 
Reviewed-by: David Tardon 

diff --git a/filter/qa/cppunit/data/ras/fail/hang-1.ras 
b/filter/qa/cppunit/data/ras/fail/hang-1.ras
new file mode 100644
index 000..44dec67
Binary files /dev/null and b/filter/qa/cppunit/data/ras/fail/hang-1.ras differ
diff --git a/filter/source/graphicfilter/iras/iras.cxx 
b/filter/source/graphicfilter/iras/iras.cxx
index 5877fa2..e3209bd 100644
--- a/filter/source/graphicfilter/iras/iras.cxx
+++ b/filter/source/graphicfilter/iras/iras.cxx
@@ -222,31 +222,43 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc)
 case 1 :
 for (y = 0; y < mnHeight && mbStatus; ++y)
 {
-for ( x = 0; x < mnWidth; x++ )
+for (x = 0; x < mnWidth && mbStatus; ++x)
 {
 if (!(x & 7))
+{
 nDat = ImplGetByte();
+if (!m_rRAS.good())
+mbStatus = false;
+}
 pAcc->SetPixelIndex( y, x,
 sal::static_int_cast< sal_uInt8 >(
 nDat >> ( ( x & 7 ) ^ 7 )) );
 }
-if (!( ( x - 1 ) & 0x8 ) ) ImplGetByte();   // WORD 
ALIGNMENT ???
-if (!m_rRAS.good())
-mbStatus = false;
+if (!( ( x - 1 ) & 0x8 ) )
+{
+ImplGetByte();   // WORD ALIGNMENT ???
+if (!m_rRAS.good())
+mbStatus = false;
+}
 }
 break;
 
 case 8 :
 for (y = 0; y < mnHeight && mbStatus; ++y)
 {
-for ( x = 0; x < mnWidth; x++ )
+for (x = 0; x < mnWidth && mbStatus; ++x)
 {
 nDat = ImplGetByte();
 pAcc->SetPixelIndex( y, x, nDat );
+if (!m_rRAS.good())
+mbStatus = false;
+}
+if ( x & 1 )
+{
+ImplGetByte(); // WORD ALIGNMENT ???
+if (!m_rRAS.good())
+mbStatus = false;
 }
-if ( x & 1 ) ImplGetByte(); // WORD 
ALIGNMENT ???
-if (!m_rRAS.good())
-mbStatus = false;
 }
 break;
 
@@ -257,7 +269,7 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc)
 case 24 :
 for (y = 0; y < mnHeight && mbStatus; ++y)
 {
-for ( x = 0; x < mnWidth; x++ )
+for (x = 0; x < mnWidth && mbStatus; ++x)
 {
 if ( mnType == RAS_TYPE_RGB_FORMAT )
 {
@@ -272,17 +284,22 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc)
 nRed = ImplGetByte();
 }
 pAcc->SetPixel ( y, x, BitmapColor( nRed, nGreen, 
nBlue ) );
+if (!m_rRAS.good())
+mbStatus = false;
+}
+if ( x & 1 )
+{
+ImplGetByte(); // WORD 
ALIGNMENT ???
+if (!m_rRAS.good())
+mbStatus = false;
 }
-if ( x & 1 ) ImplGetByte(); // 
WORD ALIGNMENT ???
-if (!m_rRAS.good())
-mbStatus = false;
 }
 break;
 
 case 32 :
 for (y = 0; y < mnHeight && mbStatus; ++y)
 {
-for ( x = 0; x < mnWidth; x++ )
+for (x = 0; x < mnWidth && mbStatus; ++x)
 {
 nDat = ImplGetByte();   // pad byte > 
nil
 if ( mnType == RAS_TYPE_RGB_FORMAT )
@@ -298,9 +315,9 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc)
 nRed = ImplGetByte();
 }

[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-09-02 Thread Caolán McNamara
 filter/qa/cppunit/data/met/fail/hang-2.met  |binary
 filter/source/graphicfilter/ios2met/ios2met.cxx |   25 ++--
 2 files changed, 19 insertions(+), 6 deletions(-)

New commits:
commit 8e430e2f2acf573d7d23fe65bfd5e70a04706608
Author: Caolán McNamara 
Date:   Mon Aug 31 11:11:27 2015 +0100

check for legal field sizes before reading

Change-Id: I3cdb647e1a057be5bb4b32d119ee5bcbbedf7473
(cherry picked from commit ad6d83defb33c414885ce6d4bfa85571d463f3c3)
Reviewed-on: https://gerrit.libreoffice.org/18169
Reviewed-by: Miklos Vajna 
Tested-by: Miklos Vajna 

diff --git a/filter/qa/cppunit/data/met/fail/hang-2.met 
b/filter/qa/cppunit/data/met/fail/hang-2.met
new file mode 100644
index 000..e807d58
Binary files /dev/null and b/filter/qa/cppunit/data/met/fail/hang-2.met differ
diff --git a/filter/source/graphicfilter/ios2met/ios2met.cxx 
b/filter/source/graphicfilter/ios2met/ios2met.cxx
index 2ff00f6..c153262 100644
--- a/filter/source/graphicfilter/ios2met/ios2met.cxx
+++ b/filter/source/graphicfilter/ios2met/ios2met.cxx
@@ -2660,21 +2660,34 @@ void OS2METReader::ReadOS2MET( SvStream & 
rStreamOS2MET, GDIMetaFile & rGDIMetaF
 pOS2MET->ReadUInt16(nFieldType);
 
 pOS2MET->SeekRel(3);
-nPos+=8; nFieldSize-=8;
 
-if (pOS2MET->GetError()) break;
-if (pOS2MET->IsEof()) {
+if (pOS2MET->GetError())
+break;
+
+if (nFieldType==EndDocumnMagic)
+break;
+
+if (pOS2MET->IsEof() || nFieldSize < 8)
+{
 pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR);
 ErrorCode=8;
 break;
 }
 
-if (nFieldType==EndDocumnMagic) break;
+nPos+=8; nFieldSize-=8;
+
+if (nFieldSize > pOS2MET->remainingSize())
+{
+pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR);
+ErrorCode=8;
+break;
+}
 
 ReadField(nFieldType, nFieldSize);
+nPos += nFieldSize;
 
-nPos+=(sal_uLong)nFieldSize;
-if (pOS2MET->Tell()>nPos)  {
+if (pOS2MET->Tell() > nPos)
+{
 pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR);
 ErrorCode=9;
 break;
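Review bot: The literal 8 now appears three times (`nFieldSize < 8`, `nPos+=8`, `nFieldSize-=8`) with nothing saying what it stands for, although the new check exists only to stop `nFieldSize-=8` from wrapping. A named constant, or a comment such as `// nFieldSize includes the 8 header bytes consumed above; anything smaller is malformed`, would keep the three uses in step. The reordering also means an `EndDocumnMagic` field is accepted before its size is validated; if that is deliberate, a one-line comment at that `break` should say so. The loop and the read of `nFieldSize` begin outside the hunk.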


[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-09-01 Thread Caolán McNamara
 filter/qa/cppunit/data/pict/fail/hang-1.pct |binary
 filter/source/graphicfilter/ipict/ipict.cxx |   10 ++
 2 files changed, 6 insertions(+), 4 deletions(-)

New commits:
commit 508125f9e77c0ef2c5a49a1a4cd08d60ad63492c
Author: Caolán McNamara 
Date:   Mon Aug 31 09:55:37 2015 +0100

check stream status

Change-Id: I65ed5979d35d8739367294a71620782b832cfd71
(cherry picked from commit a8fe085f973b4ccf846fe231af0fa25eda59911e)
Reviewed-on: https://gerrit.libreoffice.org/18160
Tested-by: Jenkins 
Reviewed-by: Miklos Vajna 

diff --git a/filter/qa/cppunit/data/pict/fail/hang-1.pct 
b/filter/qa/cppunit/data/pict/fail/hang-1.pct
new file mode 100644
index 000..735ce0a
Binary files /dev/null and b/filter/qa/cppunit/data/pict/fail/hang-1.pct differ
diff --git a/filter/source/graphicfilter/ipict/ipict.cxx 
b/filter/source/graphicfilter/ipict/ipict.cxx
index 53f4c3a..0ceb4dd 100644
--- a/filter/source/graphicfilter/ipict/ipict.cxx
+++ b/filter/source/graphicfilter/ipict/ipict.cxx
@@ -824,8 +824,7 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap , bool 
bBaseAddr, bool bColo
 // read and write Bitmap bits:
 if ( nPixelSize == 1 || nPixelSize == 2 || nPixelSize == 4 || nPixelSize 
== 8 )
 {
-sal_uInt8   nByteCountAsByte, nFlagCounterByte;
-sal_uInt16  nByteCount, nSrcBPL, nDestBPL;
+sal_uInt16  nSrcBPL, nDestBPL;
 size_t nCount;
 
 if  ( nPixelSize == 1 ) nSrcBPL = ( nWidth + 7 ) >> 3;
@@ -851,6 +850,7 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap , bool 
bBaseAddr, bool bColo
 }
 else
 {
+sal_uInt16 nByteCount(0);
 if ( nRowBytes > 250 )
 {
 pPict->ReadUInt16( nByteCount );
@@ -858,14 +858,16 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap , 
bool bBaseAddr, bool bColo
 }
 else
 {
+sal_uInt8 nByteCountAsByte(0);
 pPict->ReadUChar( nByteCountAsByte );
 nByteCount = ( (sal_uInt16)nByteCountAsByte ) & 0x00ff;
 nDataSize += 1 + (sal_uLong)nByteCount;
 }
 
-while ( nByteCount )
+while (pPict->good() && nByteCount)
 {
-pPict->ReadUChar( nFlagCounterByte );
+sal_uInt8 nFlagCounterByte(0);
+pPict->ReadUChar(nFlagCounterByte);
 if ( ( nFlagCounterByte & 0x80 ) == 0 )
 {
 nCount = ( (sal_uInt16)nFlagCounterByte ) + 1;
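Review bot: The new `pPict->good()` test runs only at the top of the loop, so the iteration in which `ReadUChar(nFlagCounterByte)` fails still executes. It does so with the zero-initialised flag byte and takes the `( nFlagCounterByte & 0x80 ) == 0` branch with an `nCount` of 1. Checking straight after the read, `if (!pPict->good()) break;`, stops before any pixel data is derived from a failed read. The rest of the loop body is outside the hunk, so how `nByteCount` is decremented, and whether a run longer than the remaining count can wrap it, should be confirmed there.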


[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-08-25 Thread Caolán McNamara
 filter/qa/cppunit/data/tiff/fail/hang-10.tiff  |binary
 filter/source/graphicfilter/itiff/lzwdecom.cxx |   12 
 2 files changed, 12 insertions(+)

New commits:
commit aed68b0c79b4edac79d18a7c273ab1bf21665614
Author: Caolán McNamara caol...@redhat.com
Date:   Mon Aug 24 15:31:41 2015 +0100

detect and reject loop in tif

Change-Id: I77d315fa432a3eb1a65539489a2ba6da8508b283
(cherry picked from commit 6b82437dca30eba0f0c9dde6fdc84cb8f7740f8f)
Reviewed-on: https://gerrit.libreoffice.org/17957
Reviewed-by: David Tardon dtar...@redhat.com
Tested-by: David Tardon dtar...@redhat.com

diff --git a/filter/qa/cppunit/data/tiff/fail/hang-10.tiff 
b/filter/qa/cppunit/data/tiff/fail/hang-10.tiff
new file mode 100644
index 000..e5e9ebc
Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/hang-10.tiff 
differ
diff --git a/filter/source/graphicfilter/itiff/lzwdecom.cxx 
b/filter/source/graphicfilter/itiff/lzwdecom.cxx
index 82f6acc..5fb7514 100644
--- a/filter/source/graphicfilter/itiff/lzwdecom.cxx
+++ b/filter/source/graphicfilter/itiff/lzwdecom.cxx
@@ -19,6 +19,8 @@
 
 
 #include lzwdecom.hxx
+#include algorithm
+#include vector
 
 #define MAX_TABLE_SIZE 4096
 
@@ -161,8 +163,18 @@ void LZWDecompressor::AddToTable(sal_uInt16 nPrevCode, 
sal_uInt16 nCodeFirstData
 return;
 }
 
+std::vectorsal_uInt16 aSeenIndexes;
 while (pTable[nCodeFirstData].nDataCount1)
+{
+if (std::find(aSeenIndexes.begin(), aSeenIndexes.end(), 
nCodeFirstData) != aSeenIndexes.end())
+{
+SAL_WARN(filter.tiff, Loop in chain);
+bEOIFound = true;
+return;
+}
+aSeenIndexes.push_back(nCodeFirstData);
 nCodeFirstData=pTable[nCodeFirstData].nPrevCode;
+}
 
 pTable[nTableSize].nPrevCode=nPrevCode;
 pTable[nTableSize].nDataCount=pTable[nPrevCode].nDataCount+1;
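Review bot: The cycle guard allocates a `std::vector` and runs a linear `std::find` on every step of the chain walk, on every call to AddToTable, so a long chain costs quadratic time plus heap traffic on the decode path for attacker-supplied data. A chain without a cycle can visit at most MAX_TABLE_SIZE entries, so a step counter rejects the same inputs without allocating: `sal_uInt16 nSteps = 0;` before the loop and `if (++nSteps > MAX_TABLE_SIZE) { bEOIFound = true; return; }` inside it, keeping the `SAL_WARN`. The loop indexes `pTable[nCodeFirstData]` with values taken from stored `nPrevCode` entries. Any range check on those is above the hunk and worth confirming.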


[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-08-25 Thread Caolán McNamara
 filter/qa/cppunit/data/pbm/fail/crash-1.pbm |6 ++
 filter/source/graphicfilter/ipbm/ipbm.cxx   |   11 ++-
 2 files changed, 12 insertions(+), 5 deletions(-)

New commits:
commit 25418bf4997e3f1b31e0da87ee0947ad9c8da2ce
Author: Caolán McNamara caol...@redhat.com
Date:   Mon Aug 24 20:43:37 2015 +0100

in reality we are limited to max sal_Int32 here

so accept that and test if the values were accepted or limited

Change-Id: Iaed5ebc2f12b52055506147c71117a2ad88d28ac
(cherry picked from commit 0a76c1fd6875bd094ebe2bfbed3d01c98dc0c19e)
Reviewed-on: https://gerrit.libreoffice.org/17972
Reviewed-by: David Tardon dtar...@redhat.com
Tested-by: David Tardon dtar...@redhat.com

diff --git a/filter/qa/cppunit/data/pbm/fail/crash-1.pbm 
b/filter/qa/cppunit/data/pbm/fail/crash-1.pbm
new file mode 100644
index 000..9ddcddf
--- /dev/null
+++ b/filter/qa/cppunit/data/pbm/fail/crash-1.pbm
@@ -0,0 +1,6 @@
+P3
+3000 1
+255
+103  79  59
+ 95  7P  55
+ 87  67  51
diff --git a/filter/source/graphicfilter/ipbm/ipbm.cxx 
b/filter/source/graphicfilter/ipbm/ipbm.cxx
index e545334..18b3249 100644
--- a/filter/source/graphicfilter/ipbm/ipbm.cxx
+++ b/filter/source/graphicfilter/ipbm/ipbm.cxx
@@ -37,7 +37,7 @@ private:
 sal_uLong   mnMode; // 0-PBM, 1-PGM, 2-PPM
 Bitmap  maBmp;
 BitmapWriteAccess*  mpAcc;
-sal_uLong   mnWidth, mnHeight;  // dimensions in pixel
+sal_Int32   mnWidth, mnHeight;  // dimensions in pixel
 sal_uLong   mnCol;
 sal_uLong   mnMaxVal;   // max value in the missing 
comment
 boolImplReadBody();
@@ -83,7 +83,7 @@ bool PBMReader::ReadPBM(Graphic  rGraphic )
 if ( !( mbStatus = ImplReadHeader() ) )
 return false;
 
-if ( ( mnMaxVal == 0 ) || ( mnWidth == 0 ) || ( mnHeight == 0 ) )
+if ( ( mnMaxVal == 0 ) || ( mnWidth = 0 ) || ( mnHeight = 0 ) )
 return false;
 
 // 0-PBM, 1-PGM, 2-PPM
@@ -91,7 +91,8 @@ bool PBMReader::ReadPBM(Graphic  rGraphic )
 {
 case 0 :
 maBmp = Bitmap( Size( mnWidth, mnHeight ), 1 );
-if ( ( mpAcc = maBmp.AcquireWriteAccess() ) == 0 )
+mpAcc = maBmp.AcquireWriteAccess();
+if (!mpAcc || mpAcc-Width() != mnWidth || mpAcc-Height() != 
mnHeight)
 return false;
 mpAcc-SetPaletteEntryCount( 2 );
 mpAcc-SetPaletteColor( 0, BitmapColor( 0xff, 0xff, 0xff ) );
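Review bot: Only the `case 0` branch gains the `Width()`/`Height()` comparison. The PGM and PPM branches of this switch are outside the hunk, and if they still test only for a null access they would accept a bitmap smaller than the header claims. The same guard belongs there: `if (!mpAcc || mpAcc->Width() != mnWidth || mpAcc->Height() != mnHeight) return false;`. The early `return false` can now leave with a non-null `mpAcc` when the dimensions mismatch; where the access is released is not visible here, so confirm this path does not leak it.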
@@ -242,8 +243,8 @@ bool PBMReader::ImplReadBody()
 boolbPara, bFinished = false;
 sal_uInt8   nDat = 0, nCount;
 sal_uLong   nGrey, nRGB[3];
-sal_uLong   nWidth = 0;
-sal_uLong   nHeight = 0;
+sal_Int32 nWidth = 0;
+sal_Int32 nHeight = 0;
 
 if ( mbRaw )
 {


[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-21 Thread Caolán McNamara
 filter/qa/cppunit/data/tiff/fail/crash-7.tiff |binary
 filter/source/graphicfilter/itiff/itiff.cxx   |2 ++
 2 files changed, 2 insertions(+)

New commits:
commit 64bb6065a3ae74550a513426308f00b05365086b
Author: Caolán McNamara caol...@redhat.com
Date:   Tue Jul 21 10:10:50 2015 +0100

reject invalid tiff dimensions

Change-Id: I64e77f12cb016a7f4a9d21c732aaeaae7959da76
(cherry picked from commit 34d062147c16090fa42c27ac7960e3f5e3b65d2b)
Reviewed-on: https://gerrit.libreoffice.org/17257
Reviewed-by: Adolfo Jayme Barrientos fit...@ubuntu.com
Tested-by: Adolfo Jayme Barrientos fit...@ubuntu.com

diff --git a/filter/qa/cppunit/data/tiff/fail/crash-7.tiff 
b/filter/qa/cppunit/data/tiff/fail/crash-7.tiff
new file mode 100644
index 000..0056f9d
Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/crash-7.tiff 
differ
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx 
b/filter/source/graphicfilter/itiff/itiff.cxx
index 180b1c3..c730e81 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -1330,6 +1330,8 @@ bool TIFFReader::ReadTIFF(SvStream  rTIFF, Graphic  
rGraphic )
 }
 if ( !nBitsPerSample || ( nBitsPerSample  32 ) )
 bStatus = false;
+if (nImageWidth  0 || nImageLength  0)
+bStatus = false;
 if ( bStatus )
 {
 if ( nMaxSampleValue == 0 )


[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-20 Thread Caolán McNamara
 filter/qa/cppunit/data/tiff/fail/crash-1.tiff |binary
 filter/source/graphicfilter/itiff/itiff.cxx   |   54 +-
 2 files changed, 27 insertions(+), 27 deletions(-)

New commits:
commit b52ba57efaa7f54391abec08b601e749963c711e
Author: Caolán McNamara caol...@redhat.com
Date:   Sun Jul 19 21:09:25 2015 +0100

in reality we are limited to max sal_Int32 here

so accept that and test if the values were accepted or limited

Change-Id: I599cf8065a6f8786d380fdba03135857766770f3
(cherry picked from commit 80c591ea9c320fee9e975ac7b0e4e2df1bf5e447)
Reviewed-on: https://gerrit.libreoffice.org/17197
Reviewed-by: David Tardon dtar...@redhat.com
Tested-by: David Tardon dtar...@redhat.com

diff --git a/filter/qa/cppunit/data/tiff/fail/crash-1.tiff 
b/filter/qa/cppunit/data/tiff/fail/crash-1.tiff
new file mode 100644
index 000..4fa0bb9
Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/crash-1.tiff 
differ
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx 
b/filter/source/graphicfilter/itiff/itiff.cxx
index 4599af9..b18db6b 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -65,8 +65,8 @@ private:
 
 sal_uLong   nNewSubFile;
 sal_uLong   nSubFile;
-sal_uLong   nImageWidth;// picture width in 
pixels
-sal_uLong   nImageLength;   // picture height in 
pixels
+sal_Int32   nImageWidth;// picture width in 
pixels
+sal_Int32   nImageLength;   // picture height in 
pixels
 sal_uLong   nBitsPerSample; // bits per pixel per 
layer
 sal_uLong   nCompression;   // kind of compression
 sal_uLong   nPhotometricInterpretation;
@@ -116,7 +116,7 @@ private:
 // Create the bitmap from the temporary bitmap pMap
 // and partly deletes pMap while doing this.
 
-boolConvertScanline( sal_uLong nY );
+boolConvertScanline(sal_Int32 nY);
 // converts a Scanline to the Windows-BMP format
 
 bool HasAlphaChannel() const;
@@ -537,13 +537,13 @@ bool TIFFReader::ReadMap()
 {
 if ( nCompression == 1 || nCompression == 32771 )
 {
-sal_uLong ny, np, nStrip, nStripBytesPerRow;
+sal_uLong np, nStrip, nStripBytesPerRow;
 
 if ( nCompression == 1 )
 nStripBytesPerRow = nBytesPerRow;
 else
 nStripBytesPerRow = ( nBytesPerRow + 1 )  0xfffe;
-for ( ny = 0; ny  nImageLength; ny++ )
+for (sal_Int32 ny = 0; ny  nImageLength; ++ny)
 {
 for ( np = 0; np  nPlanes; np++ )
 {
@@ -561,7 +561,7 @@ bool TIFFReader::ReadMap()
 }
 else if ( nCompression == 2 || nCompression == 3 || nCompression == 4 )
 {
-sal_uLong ny, np, nStrip, nOptions;
+sal_uLong np, nStrip, nOptions;
 if ( nCompression == 2 )
 {
 nOptions = CCI_OPTION_BYTEALIGNROW;
@@ -596,7 +596,7 @@ bool TIFFReader::ReadMap()
 
 aCCIDecom.StartDecompression( *pTIFF );
 
-for ( ny = 0; ny  nImageLength; ny++ )
+for (sal_Int32 ny = 0; ny  nImageLength; ++ny)
 {
 for ( np = 0; np  nPlanes; np++ )
 {
@@ -622,13 +622,13 @@ bool TIFFReader::ReadMap()
 else if ( nCompression == 5 )
 {
 LZWDecompressor aLZWDecom;
-sal_uLong ny, np, nStrip;
+sal_uLong np, nStrip;
 nStrip=0;
 if ( nStrip = nNumStripOffsets )
 return false;
 pTIFF-Seek(pStripOffsets[nStrip]);
 aLZWDecom.StartDecompression(*pTIFF);
-for ( ny = 0; ny  nImageLength; ny++ )
+for (sal_Int32 ny = 0; ny  nImageLength; ++ny)
 {
 for ( np = 0; np  nPlanes; np++ )
 {
@@ -651,13 +651,13 @@ bool TIFFReader::ReadMap()
 }
 else if ( nCompression == 32773 )
 {
-sal_uLong nStrip,nRecCount,nRowBytesLeft,ny,np,i;
+sal_uLong nStrip,nRecCount,nRowBytesLeft,np,i;
 sal_uInt8 * pdst;
 nStrip = 0;
 if ( nStrip = nNumStripOffsets )
 return false;
 pTIFF-Seek(pStripOffsets[nStrip]);
-for ( ny = 0; ny  nImageLength; ny++ )
+for (sal_Int32 ny = 0; ny  nImageLength; ++ny)
 {
 for ( np = 0; np  nPlanes; np++ )
 {
@@ -771,9 +771,9 @@ sal_uLong TIFFReader::GetBits( const sal_uInt8 * pSrc, 
sal_uLong nBitsPos, sal_u
 
 
 
-bool TIFFReader::ConvertScanline( sal_uLong nY )
+bool TIFFReader::ConvertScanline(sal_Int32 nY)
 {
-sal_uInt32  nRed, nGreen, nBlue, ns, nx, nVal, nByteCount;
+sal_uInt32  nRed, nGreen, nBlue, ns, nVal, nByteCount;
 sal_uInt8   nByteVal;
 
 if ( nDstBitsPerPixel == 24 )
@@ -790,7 +790,7 @@ bool TIFFReader::ConvertScanline( sal_uLong nY )
 sal_uInt8  nLGreen = 0;
   

[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-20 Thread Caolán McNamara
 filter/qa/cppunit/data/tiff/fail/crash-2.tiff |binary
 filter/source/graphicfilter/itiff/itiff.cxx   |2 ++
 2 files changed, 2 insertions(+)

New commits:
commit fc3ba0cdd424e1ae2852ad9809b49a5e6e55b2f5
Author: Caolán McNamara caol...@redhat.com
Date:   Sun Jul 19 21:25:46 2015 +0100

check np bounds

Change-Id: Id16ae9325f3c67792941b9c88d83435aa98282ca
(cherry picked from commit be4e1141be7cd54cf5362d3de534050db5505437)
Reviewed-on: https://gerrit.libreoffice.org/17199
Reviewed-by: David Tardon dtar...@redhat.com
Tested-by: David Tardon dtar...@redhat.com

diff --git a/filter/qa/cppunit/data/tiff/fail/crash-2.tiff 
b/filter/qa/cppunit/data/tiff/fail/crash-2.tiff
new file mode 100644
index 000..aadd99f
Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/crash-2.tiff 
differ
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx 
b/filter/source/graphicfilter/itiff/itiff.cxx
index 834c437..4599af9 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -608,6 +608,8 @@ bool TIFFReader::ReadMap()
 pTIFF-Seek( pStripOffsets[ nStrip ] );
 aCCIDecom.StartDecompression( *pTIFF );
 }
+if (np = SAL_N_ELEMENTS(pMap))
+return false;
 if ( !aCCIDecom.DecompressScanline( pMap[ np ], nImageWidth * 
nBitsPerSample * nSamplesPerPixel / nPlanes, np + 1 == nPlanes ) )
 return false;
 if ( pTIFF-GetError() )
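Review bot: The guard `np >= SAL_N_ELEMENTS(pMap)` (its comparison operator is lost in this rendering) sits inside the per-scanline loop, and the commits adding crash-3, crash-5 and crash-6 repeat it in the other compression branches of ReadMap. Judging by the loop headers in the neighbouring hunks, `np` only runs up to `nPlanes`. Rejecting `nPlanes > SAL_N_ELEMENTS(pMap)` once, at the point where `nPlanes` is computed, would therefore cover all four loops and any branch added later. The size argument on the next line, `nImageWidth * nBitsPerSample * nSamplesPerPixel / nPlanes`, multiplies values that presumably come from the file, with no overflow check and a division by `nPlanes`. It deserves the same up-front validation.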


[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-20 Thread Caolán McNamara
 filter/qa/cppunit/data/tiff/fail/crash-3.tiff |binary
 filter/source/graphicfilter/itiff/itiff.cxx   |2 ++
 2 files changed, 2 insertions(+)

New commits:
commit e9be8b2425eb8e013e43ef7e730a05df5e4efae9
Author: Caolán McNamara caol...@redhat.com
Date:   Sun Jul 19 21:32:05 2015 +0100

check np bounds again

Change-Id: I0fb61954b2eaf0c015d7bdefe9f03bd459b31501
(cherry picked from commit fcdddbd30a8b5cf6a5cc4d2ff28b7d4a20f8ec6b)
Reviewed-on: https://gerrit.libreoffice.org/17201
Reviewed-by: David Tardon dtar...@redhat.com
Tested-by: David Tardon dtar...@redhat.com

diff --git a/filter/qa/cppunit/data/tiff/fail/crash-3.tiff 
b/filter/qa/cppunit/data/tiff/fail/crash-3.tiff
new file mode 100644
index 000..4aa2393
Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/crash-3.tiff 
differ
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx 
b/filter/source/graphicfilter/itiff/itiff.cxx
index aed15f6..834c437 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -638,6 +638,8 @@ bool TIFFReader::ReadMap()
 pTIFF-Seek(pStripOffsets[nStrip]);
 aLZWDecom.StartDecompression(*pTIFF);
 }
+if (np = SAL_N_ELEMENTS(pMap))
+return false;
 if ( ( aLZWDecom.Decompress( pMap[ np ], nBytesPerRow ) != 
nBytesPerRow ) || pTIFF-GetError() )
 return false;
 }


[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-20 Thread Caolán McNamara
 filter/qa/cppunit/data/tiff/fail/crash-4.tiff  |binary
 filter/source/graphicfilter/itiff/ccidecom.cxx |9 ++---
 2 files changed, 2 insertions(+), 7 deletions(-)

New commits:
commit 1aac166075ef5a3183474449ae7d0fa3f7cf82b6
Author: Caolán McNamara caol...@redhat.com
Date:   Mon Jul 20 08:35:26 2015 +0100

reduce scope, etc, don't loop endlessly

Change-Id: I86e4e94392527b5faf5d9cdb4251853f35813f4e
(cherry picked from commit 5d32a4ac5c166264c2d44e8df625eb768eb42fbe)
Reviewed-on: https://gerrit.libreoffice.org/17204
Tested-by: Jenkins c...@libreoffice.org
Reviewed-by: Michael Meeks michael.me...@collabora.com
Tested-by: Michael Meeks michael.me...@collabora.com

diff --git a/filter/qa/cppunit/data/tiff/fail/crash-4.tiff 
b/filter/qa/cppunit/data/tiff/fail/crash-4.tiff
new file mode 100644
index 000..ef0fe27
Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/crash-4.tiff 
differ
diff --git a/filter/source/graphicfilter/itiff/ccidecom.cxx 
b/filter/source/graphicfilter/itiff/ccidecom.cxx
index f7eed81..2477542 100644
--- a/filter/source/graphicfilter/itiff/ccidecom.cxx
+++ b/filter/source/graphicfilter/itiff/ccidecom.cxx
@@ -628,8 +628,6 @@ void CCIDecompressor::StartDecompression( SvStream  
rIStream )
 
 bool CCIDecompressor::DecompressScanline( sal_uInt8 * pTarget, sal_uLong 
nTargetBits, bool bLastLine )
 {
-sal_uInt16 i;
-sal_uInt8 * pDst;
 bool b2D;
 
 if ( nEOLCount = 5 )   // RTC (Return To Controller)
@@ -678,8 +676,7 @@ bool CCIDecompressor::DecompressScanline( sal_uInt8 * 
pTarget, sal_uLong nTarget
 delete[] pLastLine;
 nLastLineSize = ( nTargetBits + 7 )  3;
 pLastLine = new sal_uInt8[ nLastLineSize ];
-pDst = pLastLine;
-for ( i = 0; i  nLastLineSize; i++ ) *( pDst++ ) = 0x00;
+memset(pLastLine, 0, nLastLineSize);
 }
 }
 // conditionally align start of line to next byte:
@@ -706,9 +703,7 @@ bool CCIDecompressor::DecompressScanline( sal_uInt8 * 
pTarget, sal_uLong nTarget
 // if we're in 2D mode we have to remember the line:
 if ( nOptions  CCI_OPTION_2D  bStatus )
 {
-sal_uInt8 *pSrc = pTarget;
-pDst = pLastLine;
-for ( i = 0; i  nLastLineSize; i++ ) *(pDst++)=*(pSrc++);
+memcpy(pLastLine, pTarget, nLastLineSize);
 }
 
 // #i122984#
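Review bot: `memcpy(pLastLine, pTarget, nLastLineSize)` trusts that the caller's `pTarget` buffer holds at least `nLastLineSize` bytes and that `pLastLine` was allocated for this size, but neither is established in the visible lines, and the allocation in the previous hunk is conditional. State the precondition in a comment, e.g. `// pTarget must hold at least (nTargetBits + 7) >> 3 bytes; pLastLine is sized to match above`, or add `if (!pLastLine) return false;` before the copy. The commit adds no include for `memset`/`memcpy`, so the file depends on an existing or transitive `<string.h>`. DecompressScanline starts and ends outside the hunk.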


[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-20 Thread Caolán McNamara
 filter/qa/cppunit/data/tiff/fail/crash-6.tiff |binary
 filter/source/graphicfilter/itiff/itiff.cxx   |2 ++
 2 files changed, 2 insertions(+)

New commits:
commit 4b96ee2d118c7d59408f361390158b7c8375cbf8
Author: Caolán McNamara caol...@redhat.com
Date:   Mon Jul 20 09:24:48 2015 +0100

final check np bounds

Change-Id: I9213bb2cc059e05e286598edac03bd72c84db876
(cherry picked from commit dcbbe7741a08f6076f9e020f90cbb730c1edafb9)
Reviewed-on: https://gerrit.libreoffice.org/17212
Reviewed-by: Michael Meeks michael.me...@collabora.com
Tested-by: Michael Meeks michael.me...@collabora.com

diff --git a/filter/qa/cppunit/data/tiff/fail/crash-6.tiff 
b/filter/qa/cppunit/data/tiff/fail/crash-6.tiff
new file mode 100644
index 000..907b510
Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/crash-6.tiff 
differ
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx 
b/filter/source/graphicfilter/itiff/itiff.cxx
index 7a5d487..4fa050d 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -551,6 +551,8 @@ bool TIFFReader::ReadMap()
 if ( nStrip = nNumStripOffsets )
 return false;
 pTIFF-Seek( pStripOffsets[ nStrip ] + ( ny % 
GetRowsPerStrip() ) * nStripBytesPerRow );
+if (np = SAL_N_ELEMENTS(pMap))
+return false;
 pTIFF-Read( pMap[ np ], nBytesPerRow );
 if ( pTIFF-GetError() )
 return false;


[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-20 Thread Caolán McNamara
 filter/qa/cppunit/data/tiff/fail/crash-5.tiff |binary
 filter/source/graphicfilter/itiff/itiff.cxx   |2 ++
 2 files changed, 2 insertions(+)

New commits:
commit 429f6b5183fa39751d949431e16bd6f4163bf78c
Author: Caolán McNamara caol...@redhat.com
Date:   Mon Jul 20 08:50:27 2015 +0100

check np bounds yet again

Change-Id: Id3f6fdc0ebed9711acec5d71f404e7a6072b765c
(cherry picked from commit bca4d6f896fb12ceff37476c43ea8892898dd385)
Reviewed-on: https://gerrit.libreoffice.org/17207
Reviewed-by: Michael Meeks michael.me...@collabora.com
Tested-by: Michael Meeks michael.me...@collabora.com

diff --git a/filter/qa/cppunit/data/tiff/fail/crash-5.tiff 
b/filter/qa/cppunit/data/tiff/fail/crash-5.tiff
new file mode 100644
index 000..4849edf
Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/crash-5.tiff 
differ
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx 
b/filter/source/graphicfilter/itiff/itiff.cxx
index b18db6b..7a5d487 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -669,6 +669,8 @@ bool TIFFReader::ReadMap()
 pTIFF-Seek(pStripOffsets[nStrip]);
 }
 nRowBytesLeft = nBytesPerRow;
+if (np = SAL_N_ELEMENTS(pMap))
+return false;
 pdst=pMap[ np ];
 do
 {


[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-20 Thread Caolán McNamara
 filter/qa/cppunit/data/tiff/fail/hang-5.tiff |binary
 filter/source/graphicfilter/itiff/itiff.cxx  |7 +--
 2 files changed, 5 insertions(+), 2 deletions(-)

New commits:
commit 17b1467a30895b08317f7be2079620a4d057b4b4
Author: Caolán McNamara caol...@redhat.com
Date:   Mon Jul 20 09:20:33 2015 +0100

test that nNumStripByteCounts value is within bounds of file

Change-Id: If119628d7f510a7db30ed2180111063781cde887
(cherry picked from commit 33d43205c341e0cce36b6a1b3082c3927490cbde)
Reviewed-on: https://gerrit.libreoffice.org/17210
Reviewed-by: David Tardon dtar...@redhat.com
Tested-by: David Tardon dtar...@redhat.com

diff --git a/filter/qa/cppunit/data/tiff/fail/hang-5.tiff 
b/filter/qa/cppunit/data/tiff/fail/hang-5.tiff
new file mode 100644
index 000..f1be3fa
Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/hang-5.tiff differ
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx 
b/filter/source/graphicfilter/itiff/itiff.cxx
index 4fa050d..f0c5d1e 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -422,14 +422,17 @@ void TIFFReader::ReadTagData( sal_uInt16 nTagType, 
sal_uInt32 nDataLen)
 nNumStripByteCounts = 0; // to be on the safe side
 nOldNumSBC = nNumStripByteCounts;
 nDataLen += nOldNumSBC;
-if ( ( nDataLen  nOldNumSBC )  ( nDataLen  SAL_MAX_UINT32 / 
sizeof( sal_uInt32 ) ) )
+size_t nMaxAllocAllowed = SAL_MAX_UINT32 / sizeof(sal_uInt32);
+size_t nMaxRecordsAvailable = pTIFF-remainingSize() / 
DataTypeSize();
+if (nDataLen  nOldNumSBC  nDataLen  nMaxAllocAllowed 
+(nDataLen - nOldNumSBC) = nMaxRecordsAvailable)
 {
 nNumStripByteCounts = nDataLen;
 try
 {
 pStripByteCounts = new sal_uLong[ nNumStripByteCounts ];
 }
-catch (const std::bad_alloc )
+catch (const std::bad_alloc )
 {
 pStripByteCounts = NULL;
 nNumStripByteCounts = 0;
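Review bot: The allocation cap `nMaxAllocAllowed` is derived from `sizeof(sal_uInt32)`, but the array allocated a few lines below is `new sal_uLong[ nNumStripByteCounts ]`, so where `sal_uLong` is wider the cap does not describe the real byte size; `SAL_MAX_UINT32 / sizeof(sal_uLong)` would keep the two in step. `DataTypeSize()` is used as a divisor and its body is not in the hunk, so it is worth confirming that it can never return 0 for an unrecognised `nDataType`. The comparison operators are missing from the archived text; the condition presumably reads `nDataLen > nOldNumSBC && nDataLen < nMaxAllocAllowed && (nDataLen - nOldNumSBC) <= nMaxRecordsAvailable`. The same pattern appears in the `nNumStripOffsets` hunk of the "test that nNumStripOffsets value is within bounds of file" commit further down this page. The try/catch block continues past the end of the hunk.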


[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-20 Thread osnola
 filter/qa/cppunit/data/pict/pass/tdf92789.pct |binary
 filter/source/graphicfilter/ipict/ipict.cxx   |   62 ++
 2 files changed, 25 insertions(+), 37 deletions(-)

New commits:
commit cdb14f5b40ec3da72ccd2a0258745b899b5fee62
Author: osnola alo...@loria.fr
Date:   Mon Jul 20 08:49:59 2015 +0200

tdf92789 fix reading of some PICT images

(cherry picked from commit 5fa73031aa42b62ccd167f193376565df2e635fc)

Conflicts:
filter/source/graphicfilter/ipict/ipict.cxx

add a test image

(cherry picked from commit 3f0677b86f4831b011a2baece85cf93c68646cd5)

Change-Id: I6809ef52c462958eed2329fe2d32b5cbc691194c
Reviewed-on: https://gerrit.libreoffice.org/17203
Tested-by: Jenkins c...@libreoffice.org
Reviewed-by: Caolán McNamara caol...@redhat.com
Tested-by: Caolán McNamara caol...@redhat.com

diff --git a/filter/qa/cppunit/data/pict/pass/tdf92789.pct 
b/filter/qa/cppunit/data/pict/pass/tdf92789.pct
new file mode 100644
index 000..2d6f0d8
Binary files /dev/null and b/filter/qa/cppunit/data/pict/pass/tdf92789.pct 
differ
diff --git a/filter/source/graphicfilter/ipict/ipict.cxx 
b/filter/source/graphicfilter/ipict/ipict.cxx
index 4f0c39b..53f4c3a 100644
--- a/filter/source/graphicfilter/ipict/ipict.cxx
+++ b/filter/source/graphicfilter/ipict/ipict.cxx
@@ -879,7 +879,7 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap rBitmap, bool 
bBaseAddr, bool bColo
 }
 else
 {
-nCount = static_castsal_uInt16( 1 - ( ( 
(sal_uInt16)nFlagCounterByte ) | 0xff00 ) );
+nCount = static_castsal_uInt16( 1 - sal_Int16( ( 
(sal_uInt16)nFlagCounterByte ) | 0xff00 ) );
 pPict-ReadUChar( nDat );
 for ( i = 0; i  nCount; i++ )
 {
@@ -901,21 +901,10 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap rBitmap, 
bool bBaseAddr, bool bColo
 if (nWidth  nRowBytes / 2)
 BITMAPERROR;
 
-size_t nMinRecordSize;
-if ( nRowBytes  8 || nPackType == 1 )
-nMinRecordSize = sizeof(sal_uInt16);
-else if ( nRowBytes  250 )
-nMinRecordSize = sizeof(sal_uInt16);
-else
-nMinRecordSize = 1;
-
-const size_t nMinRowWidth = nWidth * nMinRecordSize;
-const size_t nMaxRows = pPict-remainingSize() / nMinRowWidth;
-if (nHeight  nMaxRows)
-BITMAPERROR;
-const size_t nMaxCols = pPict-remainingSize() / nHeight;
-if (nWidth  nMaxCols)
-BITMAPERROR;
+if ( nRowBytes  8 || nPackType == 1 ) {
+if (pPict-remainingSize()  sizeof(sal_uInt16) * nHeight * nWidth)
+BITMAPERROR;
+}
 
 for ( ny = 0; ny  nHeight; ny++ )
 {
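Review bot: The size test `sizeof(sal_uInt16) * nHeight * nWidth` is evaluated in `size_t`, so on a 32-bit build a large height and width could wrap the product and let an undersized stream pass the check. The declarations of `nHeight` and `nWidth` are outside the hunk, so this depends on their range. Widening first, e.g. `sal_uInt64(sizeof(sal_uInt16)) * nHeight * nWidth`, removes the doubt. The check is also applied only when `nRowBytes < 8 || nPackType == 1` (operators inferred, the archive dropped them), so packed rows appear to rely entirely on the per-run `remainingSize()` tests added in the following hunks.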
@@ -952,10 +941,17 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap rBitmap, 
bool bBaseAddr, bool bColo
 if ( (nFlagCounterByte  0x80) == 0)
 {
 nCount=((sal_uInt16)nFlagCounterByte)+1;
-if ( nCount + nx  nWidth)  // SJ: the RLE 
decoding seems not to be correct here,
-nCount = nWidth - nx;   // I don't 
want to change this until I have a bugdoc for
-for (i=0; inCount; i++)// this case. 
Have a look at 32bit, there I changed the
-{   // encoding, 
so that it is used a straight forward array
+if ( nCount + nx  nWidth)
+nCount = nWidth - nx;
+if (pPict-remainingSize()  sizeof(sal_uInt16) * 
nCount)
+BITMAPERROR;
+/* SJ: the RLE decoding seems not to be correct here,
+   I don't want to change this until I have a bugdoc 
for
+   this case. Have a look at 32bit, there I changed the
+   encoding, so that it is used a straight forward 
array
+ */
+for (i=0; inCount; i++)
+{
 pPict-ReadUInt16( nD );
 nRed = (sal_uInt8)( nD  7 );
 nGreen = (sal_uInt8)( nD  2 );
@@ -965,7 +961,9 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap rBitmap, bool 
bBaseAddr, bool bColo
 }
 else
 {
-nCount=(1-(((sal_uInt16)nFlagCounterByte)|0xff00));
+if (pPict-remainingSize()  sizeof(sal_uInt16))
+BITMAPERROR;
+
nCount=(1-sal_Int16(((sal_uInt16)nFlagCounterByte)|0xff00));
 if ( nCount + nx  nWidth )
 nCount = nWidth - nx;
  

[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-20 Thread Caolán McNamara
 filter/qa/cppunit/data/tiff/fail/hang-6.tiff   |binary
 filter/source/graphicfilter/itiff/ccidecom.cxx |   39 ++---
 2 files changed, 22 insertions(+), 17 deletions(-)

New commits:
commit 60ec59d671058d8996cd0edf683078aae34d96af
Author: Caolán McNamara caol...@redhat.com
Date:   Mon Jul 20 10:06:59 2015 +0100

ensure loop ends eventually

Change-Id: I318385286fcc27ffb2d938237d83e793564d2525
(cherry picked from commit c02e79874951ba86d926186e284612806d8bc0a3)
Reviewed-on: https://gerrit.libreoffice.org/17214
Reviewed-by: David Tardon dtar...@redhat.com
Tested-by: David Tardon dtar...@redhat.com

diff --git a/filter/qa/cppunit/data/tiff/fail/hang-6.tiff 
b/filter/qa/cppunit/data/tiff/fail/hang-6.tiff
new file mode 100644
index 000..4e6cc0e
Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/hang-6.tiff differ
diff --git a/filter/source/graphicfilter/itiff/ccidecom.cxx 
b/filter/source/graphicfilter/itiff/ccidecom.cxx
index 2477542..c1447b16 100644
--- a/filter/source/graphicfilter/itiff/ccidecom.cxx
+++ b/filter/source/graphicfilter/itiff/ccidecom.cxx
@@ -886,36 +886,41 @@ void CCIDecompressor::FillBits(sal_uInt8 * pTarget, 
sal_uInt16 nTargetBits,
 }
 }
 
-
 sal_uInt16 CCIDecompressor::CountBits(const sal_uInt8 * pData, sal_uInt16 
nDataSizeBits,
   sal_uInt16 nBitPos, sal_uInt8 nBlackOrWhite)
 {
-sal_uInt16 nPos,nLo;
-sal_uInt8 nData;
-
 // here the number of bits belonging together is being counted
 // which all have the color nBlackOrWhite (0xff oder 0x00)
 // from the position nBitPos on
-
-nPos=nBitPos;
-for (;;) {
-if (nPos=nDataSizeBits) {
+sal_uInt16 nPos = nBitPos;
+for (;;)
+{
+if (nPos=nDataSizeBits)
+{
 nPos=nDataSizeBits;
 break;
 }
-nData=pData[nPos3];
-nLo=nPos  7;
-if ( nLo==0  nData==nBlackOrWhite) nPos+=8;
-else {
-if ( ((nData^nBlackOrWhite)  (0x80  nLo))!=0) break;
-nPos++;
+sal_uInt8 nData = pData[nPos3];
+sal_uInt16 nLo = nPos  7;
+if (nLo==0  nData==nBlackOrWhite)
+{
+//fail on overflow attempt
+if (nPos  SAL_MAX_UINT16-8)
+return 0;
+nPos+=8;
+}
+else
+{
+if ( ((nData^nBlackOrWhite)  (0x80  nLo))!=0)
+break;
+++nPos;
 }
 }
-if (nPos=nBitPos) return 0;
-else return nPos-nBitPos;
+if (nPos=nBitPos)
+return 0;
+return nPos-nBitPos;
 }
 
-
 void CCIDecompressor::Read1DScanlineData(sal_uInt8 * pTarget, sal_uInt16 
nTargetBits)
 {
 sal_uInt16 nCode,nCodeBits,nDataBits,nTgtFreeByteBits;
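Review bot: `CountBits` returns 0 both when the first bit examined has the other colour and when the new `SAL_MAX_UINT16-8` guard trips, so callers (not in the hunk) cannot tell a would-be 16-bit wrap from an empty run. Since the function has no status output, the comment at the top of the body should at least say so, e.g. `// returns 0 for an empty run and also if nPos would overflow 16 bits`, so that callers looping on the result know that 0 can mean "stop". The comparison operators are missing in the archived text; the guard presumably reads `if (nPos > SAL_MAX_UINT16-8)`.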


[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-20 Thread Caolán McNamara
 filter/qa/cppunit/data/tiff/fail/hang-7.tiff   |binary
 filter/source/graphicfilter/itiff/ccidecom.cxx |5 -
 2 files changed, 4 insertions(+), 1 deletion(-)

New commits:
commit 4df53f3d14048492375b5b9bfe17cca4f9452c68
Author: Caolán McNamara caol...@redhat.com
Date:   Mon Jul 20 11:20:45 2015 +0100

don't hang on a bad ReadCodeAndDecode

Change-Id: I999012d428fa84e21fe9e9f851a016eacc96a686
(cherry picked from commit 6964f67d0dd44c8a3c68caf194075ba5c649bf4b)
Reviewed-on: https://gerrit.libreoffice.org/17217
Reviewed-by: David Tardon dtar...@redhat.com
Tested-by: David Tardon dtar...@redhat.com

diff --git a/filter/qa/cppunit/data/tiff/fail/hang-7.tiff 
b/filter/qa/cppunit/data/tiff/fail/hang-7.tiff
new file mode 100644
index 000..61a5f2d
Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/hang-7.tiff differ
diff --git a/filter/source/graphicfilter/itiff/ccidecom.cxx 
b/filter/source/graphicfilter/itiff/ccidecom.cxx
index c1447b16..5542cff 100644
--- a/filter/source/graphicfilter/itiff/ccidecom.cxx
+++ b/filter/source/graphicfilter/itiff/ccidecom.cxx
@@ -1026,11 +1026,14 @@ void CCIDecompressor::Read2DScanlineData(sal_uInt8 * 
pTarget, sal_uInt16 nTarget
 while (nBitPosnTargetBits  bStatus) {
 
 n2DMode=ReadCodeAndDecode(p2DModeLookUp,10);
-if (!bStatus) return;
+if (!bStatus)
+return;
 
 if (n2DMode==CCI2DMODE_UNCOMP) {
 for (;;) {
 nUncomp=ReadCodeAndDecode(pUncompLookUp,11);
+if (!bStatus)
+break;
 if ( nUncomp = CCIUNCOMP_4White_1Black ) {
 nRun=nUncomp-CCIUNCOMP_0White_1Black;
 FillBits(pTarget,nTargetBits,nBitPos,nRun,0x00);
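Review bot: The new status test inside the `for (;;)` uses `break`, while the test directly after the first `ReadCodeAndDecode` call uses `return`. `break` only leaves the inner loop, so whatever follows it in the `CCI2DMODE_UNCOMP` branch (outside the hunk) would still run after a failed decode. Using `if (!bStatus) return;` in both places gives the failure a single, obvious exit.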


[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-20 Thread Caolán McNamara
 filter/qa/cppunit/data/tiff/fail/hang-9.tiff |binary
 filter/source/graphicfilter/itiff/itiff.cxx  |   29 +--
 2 files changed, 19 insertions(+), 10 deletions(-)

New commits:
commit 6c40a461a2092e0fbb96b77ebaec7b028a02fd1e
Author: Caolán McNamara caol...@redhat.com
Date:   Mon Jul 20 12:28:03 2015 +0100

bail if offsets are past eof

Change-Id: I4a8e78231befff498894ec92a1f38af206e13129
(cherry picked from commit 97a0e7558b24792827d77217fb2d8b1106056963)
Reviewed-on: https://gerrit.libreoffice.org/17232
Reviewed-by: David Tardon dtar...@redhat.com
Tested-by: David Tardon dtar...@redhat.com

diff --git a/filter/qa/cppunit/data/tiff/fail/hang-9.tiff 
b/filter/qa/cppunit/data/tiff/fail/hang-9.tiff
new file mode 100644
index 000..ef314ab
Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/hang-9.tiff differ
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx 
b/filter/source/graphicfilter/itiff/itiff.cxx
index 769c57e..180b1c3 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -57,6 +57,7 @@ private:
 BitmapWriteAccess*  pMaskAcc;
 
 sal_uLong   nOrigPos;   // start position in 
pTIFF
+sal_uLong   nEndOfFile; // end of file 
position in pTIFF
 
 
 sal_uInt16  nDataType;
@@ -131,6 +132,7 @@ public:
 , pAlphaMask(NULL)
 , pMaskAcc(NULL)
 , nOrigPos(0)
+, nEndOfFile(0)
 , nDataType(0)
 , bByteSwap(false)
 , nNewSubFile(0)
@@ -540,7 +542,7 @@ bool TIFFReader::ReadMap()
 {
 if ( nCompression == 1 || nCompression == 32771 )
 {
-sal_uLong np, nStrip, nStripBytesPerRow;
+sal_uLong nStrip, nStripBytesPerRow;
 
 if ( nCompression == 1 )
 nStripBytesPerRow = nBytesPerRow;
@@ -548,7 +550,7 @@ bool TIFFReader::ReadMap()
 nStripBytesPerRow = ( nBytesPerRow + 1 )  0xfffe;
 for (sal_Int32 ny = 0; ny  nImageLength; ++ny)
 {
-for ( np = 0; np  nPlanes; np++ )
+for (sal_uLong np = 0; np  nPlanes; ++np)
 {
 nStrip = ny / GetRowsPerStrip() + np * nStripsPerPlane;
 if ( nStrip = nNumStripOffsets )
@@ -557,7 +559,7 @@ bool TIFFReader::ReadMap()
 if (np = SAL_N_ELEMENTS(pMap))
 return false;
 pTIFF-Read( pMap[ np ], nBytesPerRow );
-if ( pTIFF-GetError() )
+if (!pTIFF-good())
 return false;
 }
 if ( !ConvertScanline( ny ) )
@@ -566,7 +568,7 @@ bool TIFFReader::ReadMap()
 }
 else if ( nCompression == 2 || nCompression == 3 || nCompression == 4 )
 {
-sal_uLong np, nStrip, nOptions;
+sal_uLong nStrip, nOptions;
 if ( nCompression == 2 )
 {
 nOptions = CCI_OPTION_BYTEALIGNROW;
@@ -595,6 +597,9 @@ bool TIFFReader::ReadMap()
 nStrip = 0;
 if ( nStrip = nNumStripOffsets )
 return false;
+sal_uLong nOffset = pStripOffsets[nStrip];
+if (nOffset  nEndOfFile)
+return false;
 pTIFF-Seek(pStripOffsets[nStrip]);
 
 CCIDecompressor aCCIDecom( nOptions, nImageWidth );
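Review bot: After `nOffset` has been validated against `nEndOfFile`, this block still calls `pTIFF->Seek(pStripOffsets[nStrip])`, whereas the matching block inside the row loop in the next hunk uses `pTIFF->Seek(nOffset)`; using `nOffset` in both keeps the checked value and the used value the same. `nEndOfFile` is initialised to 0 in the constructor and its assignment is not on this page (the diff is cut off), so it should be confirmed that it is set before `ReadMap()` runs and that it uses the same origin as the strip offsets. As far as the visible hunks show, only this branch (compression 2, 3 and 4) gets the end-of-file test; the other compression branches would benefit from the same check before their `Seek` calls. The comparison presumably reads `nOffset > nEndOfFile`, the operator having been lost in the archive.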
@@ -603,14 +608,17 @@ bool TIFFReader::ReadMap()
 
 for (sal_Int32 ny = 0; ny  nImageLength; ++ny)
 {
-for ( np = 0; np  nPlanes; np++ )
+for (sal_uLong np = 0; np  nPlanes; np++ )
 {
 if ( ny / GetRowsPerStrip() + np * nStripsPerPlane  nStrip )
 {
 nStrip=ny/GetRowsPerStrip()+np*nStripsPerPlane;
 if ( nStrip = nNumStripOffsets )
 return false;
-pTIFF-Seek( pStripOffsets[ nStrip ] );
+nOffset = pStripOffsets[nStrip];
+if (nOffset  nEndOfFile)
+return false;
+pTIFF-Seek(nOffset);
 aCCIDecom.StartDecompression( *pTIFF );
 }
 if (np = SAL_N_ELEMENTS(pMap))
@@ -627,7 +635,7 @@ bool TIFFReader::ReadMap()
 else if ( nCompression == 5 )
 {
 LZWDecompressor aLZWDecom;
-sal_uLong np, nStrip;
+sal_uLong nStrip;
 nStrip=0;
 if ( nStrip = nNumStripOffsets )
 return false;
@@ -635,7 +643,7 @@ bool TIFFReader::ReadMap()
 aLZWDecom.StartDecompression(*pTIFF);
 for (sal_Int32 ny = 0; ny  nImageLength; ++ny)
 {
-for ( np = 0; np  nPlanes; np++ )
+for (sal_uLong np = 0; np  nPlanes; ++np)
 {
 if ( ny / GetRowsPerStrip() + np * nStripsPerPlane  nStrip )
 {
@@ -656,7 +664,7 @@ bool TIFFReader::ReadMap()
 }
 else if ( nCompression == 32773 )
 {
-sal_uLong 

[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-20 Thread Caolán McNamara
 filter/qa/cppunit/data/tiff/fail/hang-8.tiff |binary
 filter/source/graphicfilter/itiff/itiff.cxx  |6 --
 2 files changed, 4 insertions(+), 2 deletions(-)

New commits:
commit f8b78fb646dbea25fe1aff05e71b7c4cb2410552
Author: Caolán McNamara caol...@redhat.com
Date:   Mon Jul 20 11:40:34 2015 +0100

fail on short read

Change-Id: I7215cf8d8b1e4a4156c87507018de3c2b7ed08d8
(cherry picked from commit 8eaef6b5217eecaa111c80e426bdf225481a71fb)
Reviewed-on: https://gerrit.libreoffice.org/17219
Reviewed-by: David Tardon dtar...@redhat.com
Tested-by: David Tardon dtar...@redhat.com

diff --git a/filter/qa/cppunit/data/tiff/fail/hang-8.tiff 
b/filter/qa/cppunit/data/tiff/fail/hang-8.tiff
new file mode 100644
index 000..c458597
Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/hang-8.tiff differ
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx 
b/filter/source/graphicfilter/itiff/itiff.cxx
index f0c5d1e..769c57e 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -656,7 +656,7 @@ bool TIFFReader::ReadMap()
 }
 else if ( nCompression == 32773 )
 {
-sal_uLong nStrip,nRecCount,nRowBytesLeft,np,i;
+sal_uLong nStrip,nRecCount,np,i;
 sal_uInt8 * pdst;
 nStrip = 0;
 if ( nStrip = nNumStripOffsets )
@@ -673,7 +673,7 @@ bool TIFFReader::ReadMap()
 return false;
 pTIFF-Seek(pStripOffsets[nStrip]);
 }
-nRowBytesLeft = nBytesPerRow;
+sal_uLong nRowBytesLeft = nBytesPerRow;
 if (np = SAL_N_ELEMENTS(pMap))
 return false;
 pdst=pMap[ np ];
@@ -687,6 +687,8 @@ bool TIFFReader::ReadMap()
 if ( nRecCount  nRowBytesLeft )
 return false;
 pTIFF-Read(pdst,nRecCount);
+if (!pTIFF-good())
+return false;
 pdst+=nRecCount;
 nRowBytesLeft-=nRecCount;
 }


[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-17 Thread Caolán McNamara
 filter/qa/cppunit/data/tiff/fail/hang-2.tiff |binary
 filter/source/graphicfilter/itiff/itiff.cxx  |   11 ++-
 2 files changed, 10 insertions(+), 1 deletion(-)

New commits:
commit 85d5385ed47009782abbeaa538611a6367b61bb4
Author: Caolán McNamara caol...@redhat.com
Date:   Fri Jul 17 09:59:23 2015 +0100

detect another loop in tif format

Change-Id: I950f751277d9080b4fc00c38f63453cce81bcc32
(cherry picked from commit 49bf2c6700d8f0fc9155ac2d06bf0a7bd84915d8)
Reviewed-on: https://gerrit.libreoffice.org/17154
Reviewed-by: David Tardon dtar...@redhat.com
Tested-by: David Tardon dtar...@redhat.com

diff --git a/filter/qa/cppunit/data/tiff/fail/hang-2.tiff 
b/filter/qa/cppunit/data/tiff/fail/hang-2.tiff
new file mode 100644
index 000..28ec8c0
Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/hang-2.tiff differ
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx 
b/filter/source/graphicfilter/itiff/itiff.cxx
index 9ae2a06..80c859c 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -1178,10 +1178,19 @@ bool TIFFReader::ReadTIFF(SvStream  rTIFF, Graphic  
rGraphic )
 {
 sal_uInt32 nOffset = nFirstIfd;
 
+std::vectorsal_uInt32 aSeenOffsets;
 // calculate length of TIFF file
 do
 {
-pTIFF-Seek( nOrigPos + nOffset );
+if (std::find(aSeenOffsets.begin(), aSeenOffsets.end(), nOffset) 
!= aSeenOffsets.end())
+{
+SAL_WARN(filter.tiff, Parsing error:   nOffset 
+  already processed, format loop);
+bStatus = false;
+break;
+}
+pTIFF-Seek(nOrigPos + nOffset);
+aSeenOffsets.push_back(nOffset);
 
 if( pTIFF-GetError() )
 {
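Review bot: `std::find` over `aSeenOffsets` makes each step linear in the number of offsets already visited, so the walk is quadratic in the length of the IFD chain, which the file controls. A `std::set<sal_uInt32>` does the membership test and the insert together: `if (!aSeenOffsets.insert(nOffset).second)` in place of the `std::find` test, with the `push_back` dropped. The same construction is used for `aSeenIfds` in the "detect loop in tif format" commit further down this page. The `do` loop continues outside the hunk.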


[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-17 Thread Caolán McNamara
 filter/qa/cppunit/data/tiff/fail/hang-1.tiff |binary
 filter/source/graphicfilter/itiff/itiff.cxx  |7 +--
 2 files changed, 5 insertions(+), 2 deletions(-)

New commits:
commit 5681a8b41dd95fea324d4a9797fbe959e2022feb
Author: Caolán McNamara caol...@redhat.com
Date:   Fri Jul 17 09:45:26 2015 +0100

test that nNumStripOffsets value is within bounds of file

Change-Id: I1483ea3671420be5349692374641e10b344d
(cherry picked from commit feedb957310fc3282ca47d5ffc1482dbb944a36e)
Reviewed-on: https://gerrit.libreoffice.org/17151
Reviewed-by: David Tardon dtar...@redhat.com
Tested-by: David Tardon dtar...@redhat.com

diff --git a/filter/qa/cppunit/data/tiff/fail/hang-1.tiff 
b/filter/qa/cppunit/data/tiff/fail/hang-1.tiff
new file mode 100644
index 000..9cd2aa2
Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/hang-1.tiff differ
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx 
b/filter/source/graphicfilter/itiff/itiff.cxx
index 80c859c..aed15f6 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -373,14 +373,17 @@ void TIFFReader::ReadTagData( sal_uInt16 nTagType, 
sal_uInt32 nDataLen)
 nNumStripOffsets = 0;
 nOldNumSO = nNumStripOffsets;
 nDataLen += nOldNumSO;
-if ( ( nDataLen  nOldNumSO )  ( nDataLen  SAL_MAX_UINT32 / 
sizeof( sal_uInt32 ) ) )
+size_t nMaxAllocAllowed = SAL_MAX_UINT32 / sizeof(sal_uInt32);
+size_t nMaxRecordsAvailable = pTIFF-remainingSize() / 
DataTypeSize();
+if (nDataLen  nOldNumSO  nDataLen  nMaxAllocAllowed 
+(nDataLen - nOldNumSO) = nMaxRecordsAvailable)
 {
 nNumStripOffsets = nDataLen;
 try
 {
 pStripOffsets = new sal_uLong[ nNumStripOffsets ];
 }
-catch (const std::bad_alloc )
+catch (const std::bad_alloc )
 {
 pStripOffsets = NULL;
 nNumStripOffsets = 0;


[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-17 Thread Caolán McNamara
 filter/qa/cppunit/data/pcx/fail/hang-1.pcx |binary
 filter/source/graphicfilter/ipcx/ipcx.cxx  |4 ++--
 2 files changed, 2 insertions(+), 2 deletions(-)

New commits:
commit 26cd5af62fdeb650714f36c948784de1016591e4
Author: Caolán McNamara caol...@redhat.com
Date:   Fri Jul 17 10:11:34 2015 +0100

don't loop forever if pcx has short read

Change-Id: I638792417924bcb8e48995f4e789f84a2cbf4757
(cherry picked from commit c9ba7a2a4d29af2542f31562cfdd64db2237aea8)
Reviewed-on: https://gerrit.libreoffice.org/17157
Reviewed-by: David Tardon dtar...@redhat.com
Tested-by: David Tardon dtar...@redhat.com

diff --git a/filter/qa/cppunit/data/pcx/fail/hang-1.pcx 
b/filter/qa/cppunit/data/pcx/fail/hang-1.pcx
new file mode 100644
index 000..73798ea
Binary files /dev/null and b/filter/qa/cppunit/data/pcx/fail/hang-1.pcx differ
diff --git a/filter/source/graphicfilter/ipcx/ipcx.cxx 
b/filter/source/graphicfilter/ipcx/ipcx.cxx
index 61b7fa6..8a5ddb3 100644
--- a/filter/source/graphicfilter/ipcx/ipcx.cxx
+++ b/filter/source/graphicfilter/ipcx/ipcx.cxx
@@ -224,7 +224,7 @@ void PCXReader::ImplReadBody(BitmapWriteAccess * pAcc)
 nCount = 0;
 for ( ny = 0; ny  nHeight; ny++ )
 {
-if (m_rPCX.GetError() || m_rPCX.IsEof())
+if (!m_rPCX.good())
 {
 nStatus = false;
 break;
@@ -248,7 +248,7 @@ void PCXReader::ImplReadBody(BitmapWriteAccess * pAcc)
 nx--;
 nCount--;
 }
-while ( nx  0 )
+while (nx  0  m_rPCX.good())
 {
 m_rPCX.ReadUChar( nDat );
 if ( ( nDat  0xc0 ) == 0xc0 )
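Review bot: When the stream goes bad during the last row, the new `m_rPCX.good()` condition ends the inner `while`, but the only place the hunks show `nStatus = false` being set is the test at the top of the next `ny` iteration, which never runs for the final row. Unless code after the loop (not visible here) re-checks the stream, a truncated image could be reported as read successfully; repeating `if (!m_rPCX.good()) nStatus = false;` after the `for` loop would cover it. The operators are missing in the archived text; the condition presumably reads `nx > 0 && m_rPCX.good()`.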


[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-17 Thread Caolán McNamara
 filter/qa/cppunit/data/pict/fail/exception-1.pct |binary
 filter/source/graphicfilter/ipict/ipict.cxx  |5 +
 2 files changed, 5 insertions(+)

New commits:
commit e5aae767d634ba7efc8a5ecf2889678176babeb8
Author: Caolán McNamara caol...@redhat.com
Date:   Thu Jul 16 10:01:24 2015 +0100

exception on div by 0

Change-Id: Id33d6a5e3df5812babd28ebfc65b95ce97219ad3
(cherry picked from commit cf4159e16c13a13d0bedccebb50bb08f1662bc1c)
Reviewed-on: https://gerrit.libreoffice.org/17121
Tested-by: Jenkins c...@libreoffice.org
Reviewed-by: David Tardon dtar...@redhat.com

diff --git a/filter/qa/cppunit/data/pict/fail/exception-1.pct 
b/filter/qa/cppunit/data/pict/fail/exception-1.pct
new file mode 100644
index 000..f9cd85a
Binary files /dev/null and b/filter/qa/cppunit/data/pict/fail/exception-1.pct 
differ
diff --git a/filter/source/graphicfilter/ipict/ipict.cxx 
b/filter/source/graphicfilter/ipict/ipict.cxx
index 6621edd..4f0c39b 100644
--- a/filter/source/graphicfilter/ipict/ipict.cxx
+++ b/filter/source/graphicfilter/ipict/ipict.cxx
@@ -1859,6 +1859,7 @@ sal_uLong PictReader::ReadData(sal_uInt16 nOpcode)
 
 void PictReader::ReadPict( SvStream  rStreamPict, GDIMetaFile  rGDIMetaFile )
 {
+try {
 sal_uInt16  nOpcode;
 sal_uInt8   nOneByteOpcode;
 sal_uLong   nSize, nPercent, nLastPercent;
@@ -1950,6 +1951,10 @@ void PictReader::ReadPict( SvStream  rStreamPict, 
GDIMetaFile  rGDIMetaFile )
 pPict-SetEndian(nOrigNumberFormat);
 
 if (pPict-GetError()) pPict-Seek(nOrigPos);
+} catch (...)
+{
+rStreamPict.SetError(SVSTREAM_FILEFORMAT_ERROR);
+}
 }
 
 namespace pict {
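Review bot: With the whole body inside `try`, an exception skips `pPict->SetEndian(nOrigNumberFormat)` and the `Seek(nOrigPos)` at the end of the function, so the stream (presumably the caller's) is left in the reader's byte order with only the error flag set. The `catch (...)` also discards every exception type without a trace. Narrowing it to the type actually thrown, or at least logging with `SAL_WARN` before `SetError`, would keep unrelated failures such as `std::bad_alloc` from being reported as a file-format error. Which call throws is not visible in the hunks.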


[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-17 Thread Caolán McNamara
 filter/qa/cppunit/data/eps/fail/short-1.eps |binary
 filter/source/graphicfilter/ieps/ieps.cxx   |   16 +---
 2 files changed, 9 insertions(+), 7 deletions(-)

New commits:
commit 0e5dbfa5f1213e0ae9b79f507ac78e99e35417aa
Author: Caolán McNamara caol...@redhat.com
Date:   Thu Jul 16 10:50:58 2015 +0100

min size of eps for a preview is 32

Change-Id: Icb82d9dd0a3918f2bdc4cb768c566774cd0d8ac4
(cherry picked from commit bf02304a0ea4771e01f39dd0032cbf276997ca00)
Reviewed-on: https://gerrit.libreoffice.org/17132
Tested-by: Jenkins c...@libreoffice.org
Reviewed-by: David Tardon dtar...@redhat.com

diff --git a/filter/qa/cppunit/data/eps/fail/short-1.eps 
b/filter/qa/cppunit/data/eps/fail/short-1.eps
new file mode 100644
index 000..4b38b78
Binary files /dev/null and b/filter/qa/cppunit/data/eps/fail/short-1.eps differ
diff --git a/filter/source/graphicfilter/ieps/ieps.cxx 
b/filter/source/graphicfilter/ieps/ieps.cxx
index 730dd80..dc26939 100644
--- a/filter/source/graphicfilter/ieps/ieps.cxx
+++ b/filter/source/graphicfilter/ieps/ieps.cxx
@@ -69,7 +69,7 @@ static sal_uInt8* ImplSearchEntry( sal_uInt8* pSource, 
sal_uInt8 const * pDest,
 
 
 // SecurityCount is the buffersize of the buffer in which we will parse for a 
number
-static long ImplGetNumber( sal_uInt8 **pBuf, int nSecurityCount )
+static long ImplGetNumber( sal_uInt8 **pBuf, sal_uInt32 nSecurityCount )
 {
 boolbValid = true;
 boolbNegative = false;
@@ -502,7 +502,7 @@ void MakePreview(sal_uInt8* pBuf, sal_uInt32 nBytesRead,
 if ( pDest )
 {
 pDest += 16;
-int nCount = 4;
+sal_uInt32 nCount = 4;
 long nNumber = ImplGetNumber( pDest, nCount );
 if ( nCount  ( (sal_uInt32)nNumber  10 ) )
 {
@@ -595,14 +595,16 @@ GraphicImport( SvStream  rStream, Graphic  rGraphic, 
FilterConfigItem* )
 rStream.Seek( nPSStreamPos );
 sal_uInt8* pBuf = new sal_uInt8[ nPSSize ];
 
-sal_uInt32  nBufStartPos = rStream.Tell();
-sal_uInt32  nBytesRead = rStream.Read( pBuf, nPSSize );
+sal_uInt32 nBufStartPos = rStream.Tell();
+sal_uInt32 nBytesRead = rStream.Read( pBuf, nPSSize );
 if ( nBytesRead == nPSSize )
 {
-int nSecurityCount = 32;
-if ( !bHasPreview ) // if there is no tiff/wmf preview, we 
will parse for an preview in the eps prolog
+sal_uInt32 nSecurityCount = 32;
+// if there is no tiff/wmf preview, we will parse for an preview in
+// the eps prolog
+if (!bHasPreview  nBytesRead = nSecurityCount)
 {
-sal_uInt8* pDest = ImplSearchEntry( pBuf, 
reinterpret_castsal_uInt8 const *(%%BeginPreview:), nBytesRead - 32, 15 );
+sal_uInt8* pDest = ImplSearchEntry( pBuf, 
reinterpret_castsal_uInt8 const *(%%BeginPreview:), nBytesRead - 
nSecurityCount, 15 );
 if ( pDest  )
 {
 pDest += 15;
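Review bot: `pBuf` is allocated with `new sal_uInt8[ nPSSize ]` before anything in the hunk relates `nPSSize` to the amount of data left in `rStream`. Where `nPSSize` comes from is not visible here, but if it is read from the file, a small file can request a very large allocation, and a failed `new` is not caught. Comparing it with `rStream.remainingSize()` before allocating would bound it, leaving the later `nBytesRead == nPSSize` test as a safety net. The added guard presumably reads `!bHasPreview && nBytesRead >= nSecurityCount`; the archive dropped the operators.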


[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-17 Thread Caolán McNamara
 filter/qa/cppunit/data/tiff/fail/loop.tif   |binary
 filter/source/graphicfilter/itiff/itiff.cxx |   12 +++-
 2 files changed, 11 insertions(+), 1 deletion(-)

New commits:
commit 96aaf7114df2da0b7bdc86f5feef6137c7c1e44b
Author: Caolán McNamara caol...@redhat.com
Date:   Fri Jul 17 09:23:17 2015 +0100

detect loop in tif format

Change-Id: I27645566cd9fc0ac8cf753f0217ae6cf0fa9929e
(cherry picked from commit 290465b0effecb6d620adc20ca279f8057eeab9a)
Reviewed-on: https://gerrit.libreoffice.org/17149
Reviewed-by: David Tardon dtar...@redhat.com
Tested-by: David Tardon dtar...@redhat.com

diff --git a/filter/qa/cppunit/data/tiff/fail/loop.tif 
b/filter/qa/cppunit/data/tiff/fail/loop.tif
new file mode 100644
index 000..6d8cee7
Binary files /dev/null and b/filter/qa/cppunit/data/tiff/fail/loop.tif differ
diff --git a/filter/source/graphicfilter/itiff/itiff.cxx 
b/filter/source/graphicfilter/itiff/itiff.cxx
index 84bff73..9ae2a06 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -1210,9 +1210,19 @@ bool TIFFReader::ReadTIFF(SvStream  rTIFF, Graphic  
rGraphic )
 }
 while( nOffset );
 
+std::vectorsal_uInt32 aSeenIfds;
+
 for ( sal_uInt32 nNextIfd = nFirstIfd; nNextIfd  bStatus; )
 {
-pTIFF-Seek( nOrigPos + nNextIfd );
+if (std::find(aSeenIfds.begin(), aSeenIfds.end(), nNextIfd) != 
aSeenIfds.end())
+{
+SAL_WARN(filter.tiff, Parsing error:   nNextIfd 
+  already processed, format loop);
+bStatus = false;
+break;
+}
+pTIFF-Seek(nOrigPos + nNextIfd);
+aSeenIfds.push_back(nNextIfd);
 {
 bByteSwap = false;
 


[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-16 Thread Caolán McNamara
 filter/qa/cppunit/data/met/fail/crash-1.met |binary
 filter/source/graphicfilter/ios2met/ios2met.cxx |7 ---
 2 files changed, 4 insertions(+), 3 deletions(-)

New commits:
commit e39e26533cba5be4445bdb39884bb1bc32083bbb
Author: Caolán McNamara caol...@redhat.com
Date:   Wed Jul 15 12:25:35 2015 +0100

bump size type

Change-Id: I2c32c253499a3efb22a3312ed1f0a608649ce124
(cherry picked from commit dc71a72753202d29544845cfd58992bac63c6837)
Reviewed-on: https://gerrit.libreoffice.org/17088
Reviewed-by: Michael Meeks michael.me...@collabora.com
Tested-by: Michael Meeks michael.me...@collabora.com

diff --git a/filter/qa/cppunit/data/met/fail/crash-1.met 
b/filter/qa/cppunit/data/met/fail/crash-1.met
new file mode 100644
index 000..c46b4a9
Binary files /dev/null and b/filter/qa/cppunit/data/met/fail/crash-1.met differ
diff --git a/filter/source/graphicfilter/ios2met/ios2met.cxx 
b/filter/source/graphicfilter/ios2met/ios2met.cxx
index 7b024ae..944dab3 100644
--- a/filter/source/graphicfilter/ios2met/ios2met.cxx
+++ b/filter/source/graphicfilter/ios2met/ios2met.cxx
@@ -208,7 +208,7 @@ enum PenStyle { PEN_NULL, PEN_SOLID, PEN_DOT, PEN_DASH, 
PEN_DASHDOT };
 struct OSPalette {
 OSPalette * pSucc;
 sal_uInt32 * p0RGB; // May be NULL!
-sal_uInt16 nSize;
+size_t nSize;
 };
 
 struct OSArea {
@@ -733,12 +733,13 @@ void OS2METReader::SetPalette0RGB(sal_uInt16 nIndex, 
sal_uLong nCol)
 }
 if (pPaletteStack-p0RGB==NULL || nIndex=pPaletteStack-nSize) {
 sal_uInt32 * pOld0RGB=pPaletteStack-p0RGB;
-sal_uInt16 i,nOldSize=pPaletteStack-nSize;
+size_t nOldSize = pPaletteStack-nSize;
 if (pOld0RGB==NULL) nOldSize=0;
 pPaletteStack-nSize=2*(nIndex+1);
 if (pPaletteStack-nSize256) pPaletteStack-nSize=256;
 pPaletteStack-p0RGB = new sal_uInt32[pPaletteStack-nSize];
-for (i=0; ipPaletteStack-nSize; i++) {
+for (size_t i=0; i  pPaletteStack-nSize; ++i)
+{
 if (inOldSize) pPaletteStack-p0RGB[i]=pOld0RGB[i];
 else if (i==0) pPaletteStack-p0RGB[i]=0x00ff;
 else pPaletteStack-p0RGB[i]=0;
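Review bot: Nothing next to the field or the assignment says why `nSize` had to become `size_t`: `nIndex` is a `sal_uInt16`, and `2*(nIndex+1)` exceeds 16 bits for the upper half of its range, which the old `sal_uInt16 nSize` could not hold. A short comment at the assignment, for example `// may exceed SAL_MAX_UINT16, hence size_t`, would stop a later clean-up from narrowing it again. The comparison against 256 on the following line has lost its operator in the archive, so this page does not show whether it is a floor or a cap. The function body continues outside the hunk.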


[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-16 Thread Caolán McNamara
 filter/qa/cppunit/data/met/pass/hang-2.met  |binary
 filter/source/graphicfilter/ios2met/ios2met.cxx |   33 ++--
 2 files changed, 26 insertions(+), 7 deletions(-)

New commits:
commit fdc0b506538560e13127a44a7de817412c13035b
Author: Caolán McNamara caol...@redhat.com
Date:   Wed Jul 15 12:59:55 2015 +0100

tools polygons limited to 16bit indexes

Change-Id: Ib0f727a3681492c15b807ca159d8bf7675ee8f29
(cherry picked from commit 89857aacac98f0f8e5dca4718affec493951f904)

WaE: C2220

Change-Id: Ibf9fa7ffc3beb237a470952c265fb1bce313a08a
(cherry picked from commit 8547c336b3253d90daae1c79a2b1a57996a39102)
Reviewed-on: https://gerrit.libreoffice.org/17091
Tested-by: Jenkins c...@libreoffice.org
Reviewed-by: Michael Meeks michael.me...@collabora.com

diff --git a/filter/qa/cppunit/data/met/pass/hang-2.met 
b/filter/qa/cppunit/data/met/pass/hang-2.met
new file mode 100644
index 000..84b432e
Binary files /dev/null and b/filter/qa/cppunit/data/met/pass/hang-2.met differ
diff --git a/filter/source/graphicfilter/ios2met/ios2met.cxx 
b/filter/source/graphicfilter/ios2met/ios2met.cxx
index 0553d1f..2ff00f6 100644
--- a/filter/source/graphicfilter/ios2met/ios2met.cxx
+++ b/filter/source/graphicfilter/ios2met/ios2met.cxx
@@ -1173,18 +1173,37 @@ void OS2METReader::ReadPartialArc(bool bGivenPos, 
sal_uInt16 nOrderSize)
 
 void OS2METReader::ReadPolygons()
 {
-sal_uInt32 i,j,nNumPolys, nNumPoints;
 tools::PolyPolygon aPolyPoly;
 Polygon aPoly;
 Point aPoint;
-sal_uInt8 nFlags;
 
-pOS2MET-ReadUChar( nFlags ).ReadUInt32( nNumPolys );
-for (i=0; inNumPolys; i++) {
-pOS2MET-ReadUInt32( nNumPoints );
-if (i==0) nNumPoints++;
+sal_uInt8 nFlags(0);
+sal_uInt32 nNumPolys(0);
+pOS2MET-ReadUChar(nFlags).ReadUInt32(nNumPolys);
+
+if (nNumPolys  SAL_MAX_UINT16)
+{
+pOS2MET-SetError(SVSTREAM_FILEFORMAT_ERROR);
+ErrorCode=11;
+return;
+}
+
+for (sal_uInt32 i=0; inNumPolys; ++i)
+{
+sal_uInt32 nNumPoints(0);
+pOS2MET-ReadUInt32(nNumPoints);
+sal_uInt32 nLimit = SAL_MAX_UINT16;
+if (i==0) --nLimit;
+if (nNumPoints  nLimit)
+{
+pOS2MET-SetError(SVSTREAM_FILEFORMAT_ERROR);
+ErrorCode=11;
+return;
+}
+if (i==0) ++nNumPoints;
 aPoly.SetSize((short)nNumPoints);
-for (j=0; jnNumPoints; j++) {
+for (sal_uInt32 j=0; jnNumPoints; ++j)
+{
 if (i==0  j==0) aPoint=aAttr.aCurPos;
 else aPoint=ReadPoint();
 aPoly.SetPoint(aPoint,(short)j);
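Review bot: The new range checks allow nNumPoints up to SAL_MAX_UINT16, but `aPoly.SetSize((short)nNumPoints)` and `aPoly.SetPoint(aPoint,(short)j)` still narrow through a signed `short`, so any count above 32767 passes through a negative intermediate value. If the Polygon API takes 16-bit unsigned indexes, as the commit title suggests, the value wraps back to the intended one, but the cast hides that and no longer matches the limit enforced a few lines earlier. I would write `aPoly.SetSize(static_cast<sal_uInt16>(nNumPoints));` and `aPoly.SetPoint(aPoint, static_cast<sal_uInt16>(j));`. ReadPolygons continues past the end of this hunk.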


[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-16 Thread Caolán McNamara
 filter/qa/cppunit/data/pbm/fail/hang-1.pbm  |binary
 filter/qa/cppunit/data/pbm/indeterminate/.gitignore |1 +
 filter/qa/cppunit/data/pbm/pass/rhbz160429-1.pbm|binary
 filter/qa/cppunit/filters-ppm-test.cxx  |4 
 filter/source/graphicfilter/ipbm/ipbm.cxx   |2 +-
 5 files changed, 6 insertions(+), 1 deletion(-)

New commits:
commit c48004eb562a9c4b377cf31a09a04cb03abdc58e
Author: Caolán McNamara caol...@redhat.com
Date:   Wed Jul 15 14:01:46 2015 +0100

avoid hang in short pbm

Change-Id: I9b7f0832a4dc231e1e8f963858c155e3cd392667
(cherry picked from commit b8637e67d6d39e47d22cfce496000288f0dc58d8)
Reviewed-on: https://gerrit.libreoffice.org/17083
Tested-by: Jenkins c...@libreoffice.org
Reviewed-by: Michael Meeks michael.me...@collabora.com

diff --git a/filter/qa/cppunit/data/pbm/fail/.gitignore 
b/filter/qa/cppunit/data/pbm/fail/.gitignore
new file mode 100644
index 000..e69de29
diff --git a/filter/qa/cppunit/data/pbm/fail/hang-1.pbm 
b/filter/qa/cppunit/data/pbm/fail/hang-1.pbm
new file mode 100644
index 000..21742d2
Binary files /dev/null and b/filter/qa/cppunit/data/pbm/fail/hang-1.pbm differ
diff --git a/filter/qa/cppunit/data/pbm/indeterminate/.gitignore 
b/filter/qa/cppunit/data/pbm/indeterminate/.gitignore
new file mode 100644
index 000..e9c5b17
--- /dev/null
+++ b/filter/qa/cppunit/data/pbm/indeterminate/.gitignore
@@ -0,0 +1 @@
+*.ppm-*
diff --git a/filter/qa/cppunit/data/pbm/pass/.gitignore 
b/filter/qa/cppunit/data/pbm/pass/.gitignore
new file mode 100644
index 000..e69de29
diff --git a/filter/qa/cppunit/data/pbm/pass/rhbz160429-1.pbm 
b/filter/qa/cppunit/data/pbm/pass/rhbz160429-1.pbm
new file mode 100644
index 000..d6e3fc6
Binary files /dev/null and b/filter/qa/cppunit/data/pbm/pass/rhbz160429-1.pbm 
differ
diff --git a/filter/qa/cppunit/filters-ppm-test.cxx 
b/filter/qa/cppunit/filters-ppm-test.cxx
index e98ce6f..10f2658 100644
--- a/filter/qa/cppunit/filters-ppm-test.cxx
+++ b/filter/qa/cppunit/filters-ppm-test.cxx
@@ -62,6 +62,10 @@ void PpmFilterTest::testCVEs()
 testDir(OUString(),
 getURLFromSrc(/filter/qa/cppunit/data/ppm/),
 OUString());
+
+testDir(OUString(),
+getURLFromSrc(/filter/qa/cppunit/data/pbm/),
+OUString());
 }
 
 CPPUNIT_TEST_SUITE_REGISTRATION(PpmFilterTest);
diff --git a/filter/source/graphicfilter/ipbm/ipbm.cxx 
b/filter/source/graphicfilter/ipbm/ipbm.cxx
index 248d4df..e545334 100644
--- a/filter/source/graphicfilter/ipbm/ipbm.cxx
+++ b/filter/source/graphicfilter/ipbm/ipbm.cxx
@@ -179,7 +179,7 @@ bool PBMReader::ImplReadHeader()
 }
 while ( !bFinished )
 {
-if ( mrPBM.GetError() )
+if (!mrPBM.good())
 return false;
 
 mrPBM.ReadUChar( nDat );
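Review bot: The stream check at the top of the `while ( !bFinished )` loop runs before `mrPBM.ReadUChar( nDat )`, so when that read hits end of stream the rest of the iteration still acts on whatever nDat holds. The failure is only noticed on the next pass. Testing the stream directly after the read, `if (!mrPBM.good()) return false;`, would stop header parsing on the first failed byte. The loop body continues outside this hunk, so how nDat is used afterwards is not visible here.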


[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-16 Thread Caolán McNamara
 filter/qa/cppunit/data/met/fail/hang-1.met  |binary
 filter/source/graphicfilter/ios2met/ios2met.cxx |   12 +---
 2 files changed, 9 insertions(+), 3 deletions(-)

New commits:
commit 66744837834e86ea0b7227a704cd0f82f8bdc223
Author: Caolán McNamara caol...@redhat.com
Date:   Wed Jul 15 12:18:10 2015 +0100

don't hang with 0 len causing no progression

Change-Id: Ie553dab291c7bfbde033d89b84159aff6b42a160
(cherry picked from commit 15dfcb7f461893f83abcf28bfe01a4164209a160)
Reviewed-on: https://gerrit.libreoffice.org/17084
Reviewed-by: Michael Meeks michael.me...@collabora.com
Tested-by: Michael Meeks michael.me...@collabora.com

diff --git a/filter/qa/cppunit/data/met/fail/hang-1.met 
b/filter/qa/cppunit/data/met/fail/hang-1.met
new file mode 100644
index 000..c1a095d
Binary files /dev/null and b/filter/qa/cppunit/data/met/fail/hang-1.met differ
diff --git a/filter/source/graphicfilter/ios2met/ios2met.cxx 
b/filter/source/graphicfilter/ios2met/ios2met.cxx
index 944dab3..0553d1f 100644
--- a/filter/source/graphicfilter/ios2met/ios2met.cxx
+++ b/filter/source/graphicfilter/ios2met/ios2met.cxx
@@ -2240,7 +2240,6 @@ void OS2METReader::ReadImageData(sal_uInt16 nDataID, 
sal_uInt16 nDataLen)
 void OS2METReader::ReadFont(sal_uInt16 nFieldSize)
 {
 sal_uLong nPos, nMaxPos;
-sal_uInt16 nLen;
 sal_uInt8 nByte, nTripType, nTripType2;
 OSFont * pF=new OSFont;
 pF-pSucc=pFontList; pFontList=pF;
@@ -2252,7 +2251,13 @@ void OS2METReader::ReadFont(sal_uInt16 nFieldSize)
 nMaxPos=nPos+(sal_uLong)nFieldSize;
 pOS2MET-SeekRel(2); nPos+=2;
 while (nPosnMaxPos  pOS2MET-GetError()==0) {
-pOS2MET-ReadUChar( nByte ); nLen =((sal_uInt16)nByte)  0x00ff;
+pOS2MET-ReadUChar( nByte );
+sal_uInt16 nLen = ((sal_uInt16)nByte)  0x00ff;
+if (nLen == 0)
+{
+pOS2MET-SetError(SVSTREAM_FILEFORMAT_ERROR);
+ErrorCode=4;
+}
 pOS2MET-ReadUChar( nTripType );
 switch (nTripType) {
 case 0x02:
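Review bot: When `nLen == 0` the new block records the format error but does not leave the loop, so the same iteration goes on to read nTripType and run the `switch` on a triplet that was just judged malformed. Termination then depends on the `GetError()==0` test in the loop condition on the next pass. Adding `break;` after `ErrorCode=4;` makes the exit explicit and avoids interpreting further bytes from the bad record. The switch body lies outside this hunk, so whether any case reads or allocates based on nLen is not visible here.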
@@ -2304,7 +2309,8 @@ void OS2METReader::ReadFont(sal_uInt16 nFieldSize)
 break;
 }
 }
-nPos+=nLen; pOS2MET-Seek(nPos);
+nPos+=nLen;
+pOS2MET-Seek(nPos);
 }
 }
 


[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-16 Thread Caolán McNamara
 dev/null|binary
 filter/qa/cppunit/data/ras/fail/CVE-2008-1097-1.ras |binary
 filter/source/graphicfilter/iras/iras.cxx   |   24 +++-
 3 files changed, 14 insertions(+), 10 deletions(-)

New commits:
commit a1fb6c1344f7e21ff6c8bf24c14e729c7ce69c71
Author: Caolán McNamara caol...@redhat.com
Date:   Wed Jul 15 11:31:18 2015 +0100

check stream state more often for failures

Change-Id: Ie45d858021c3123ec21829cbf4742cf30ce46665
(cherry picked from commit adfa89b5ffc3589b3a19a32e707a134cee232429)
Reviewed-on: https://gerrit.libreoffice.org/17071
Tested-by: Jenkins c...@libreoffice.org
Reviewed-by: Michael Meeks michael.me...@collabora.com
Tested-by: Michael Meeks michael.me...@collabora.com

diff --git a/filter/qa/cppunit/data/ras/pass/CVE-2008-1097-1.ras 
b/filter/qa/cppunit/data/ras/fail/CVE-2008-1097-1.ras
similarity index 100%
rename from filter/qa/cppunit/data/ras/pass/CVE-2008-1097-1.ras
rename to filter/qa/cppunit/data/ras/fail/CVE-2008-1097-1.ras
diff --git a/filter/source/graphicfilter/iras/iras.cxx 
b/filter/source/graphicfilter/iras/iras.cxx
index 6916daa..5877fa2 100644
--- a/filter/source/graphicfilter/iras/iras.cxx
+++ b/filter/source/graphicfilter/iras/iras.cxx
@@ -54,7 +54,7 @@ private:
 
 boolImplReadBody(BitmapWriteAccess * pAcc);
 boolImplReadHeader();
-sal_uInt8   ImplGetByte();
+sal_uInt8   ImplGetByte();
 
 public:
 RASReader(SvStream rRAS);
@@ -174,13 +174,11 @@ bool RASReader::ReadRAS(Graphic  rGraphic)
 return mbStatus;
 }
 
-
-
 bool RASReader::ImplReadHeader()
 {
 
m_rRAS.ReadInt32(mnWidth).ReadInt32(mnHeight).ReadInt32(mnDepth).ReadInt32(mnImageDatSize).ReadInt32(mnType).ReadInt32(mnColorMapType).ReadInt32(mnColorMapSize);
 
-if ( mnWidth = 0 || mnHeight = 0 || mnImageDatSize = 0 )
+if (mnWidth = 0 || mnHeight = 0 || mnImageDatSize = 0 || !m_rRAS.good())
 mbStatus = false;
 
 switch ( mnDepth )
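Review bot: A failed header read now sets `mbStatus = false`, but control still falls into `switch ( mnDepth )` with fields that were not read successfully. If the rest of ImplReadHeader only ever clears mbStatus this is harmless, but the function continues outside this hunk and that cannot be confirmed here. Returning at once, `{ mbStatus = false; return false; }`, would keep the later header logic from acting on unread values.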
@@ -222,7 +220,7 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc)
 switch ( mnDstBitsPerPix )
 {
 case 1 :
-for ( y = 0; y  mnHeight; y++ )
+for (y = 0; y  mnHeight  mbStatus; ++y)
 {
 for ( x = 0; x  mnWidth; x++ )
 {
@@ -233,11 +231,13 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc)
 nDat  ( ( x  7 ) ^ 7 )) );
 }
 if (!( ( x - 1 )  0x8 ) ) ImplGetByte();   // WORD 
ALIGNMENT ???
+if (!m_rRAS.good())
+mbStatus = false;
 }
 break;
 
 case 8 :
-for ( y = 0; y  mnHeight; y++ )
+for (y = 0; y  mnHeight  mbStatus; ++y)
 {
 for ( x = 0; x  mnWidth; x++ )
 {
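Review bot: The added `!m_rRAS.good()` test runs once per scanline, so after the stream fails the inner `x` loop still finishes the whole row, calling ImplGetByte and writing pixels for up to mnWidth columns. mnWidth comes from the file header and is only checked for being positive in the visible code, so a truncated file with a very wide header could still stall for a long time unless the width is bounded elsewhere. Folding the check into the inner loop condition, e.g. `for ( x = 0; x < mnWidth && m_rRAS.good(); x++ )`, stops at the first failed read. The same applies to the 24-bit and 32-bit cases in the later hunks of this file. ImplReadBody starts and ends outside this hunk.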
@@ -245,6 +245,8 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc)
 pAcc-SetPixelIndex( y, x, nDat );
 }
 if ( x  1 ) ImplGetByte(); // WORD 
ALIGNMENT ???
+if (!m_rRAS.good())
+mbStatus = false;
 }
 break;
 
@@ -253,7 +255,7 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc)
 {
 
 case 24 :
-for ( y = 0; y  mnHeight; y++ )
+for (y = 0; y  mnHeight  mbStatus; ++y)
 {
 for ( x = 0; x  mnWidth; x++ )
 {
@@ -272,11 +274,13 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc)
 pAcc-SetPixel ( y, x, BitmapColor( nRed, nGreen, 
nBlue ) );
 }
 if ( x  1 ) ImplGetByte(); // 
WORD ALIGNMENT ???
+if (!m_rRAS.good())
+mbStatus = false;
 }
 break;
 
 case 32 :
-for ( y = 0; y  mnHeight; y++ )
+for (y = 0; y  mnHeight  mbStatus; ++y)
 {
 for ( x = 0; x  mnWidth; x++ )
 {
@@ -295,6 +299,8 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc)
 }
 pAcc-SetPixel ( y, x, BitmapColor( nRed, nGreen, 
nBlue ) );
 }
+if (!m_rRAS.good())
+mbStatus = false;
 }
 break;
 }
@@ -307,8 +313,6 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc)
 return mbStatus;
 }
 
-
-
 sal_uInt8 RASReader::ImplGetByte()
 {
 sal_uInt8 nRetVal;

[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-16 Thread Caolán McNamara
 filter/qa/cppunit/data/dxf/fail/hang-1.dxf|1 
 filter/qa/cppunit/data/dxf/pass/pyramid.dxf   |25008 ++
 filter/source/graphicfilter/idxf/dxfgrprd.cxx |3 
 3 files changed, 25010 insertions(+), 2 deletions(-)

New commits:
commit e25cbe0c47d1fbd57bb83856a750a8748fdce6bc
Author: Caolán McNamara caol...@redhat.com
Date:   Wed Jul 15 17:10:24 2015 +0100

don't hang if at end of stream

Change-Id: I497a30041ec667237c2aa64963dcefb67753e87c
(cherry picked from commit 5c8325325868753d2891556400c91651bce58402)
Reviewed-on: https://gerrit.libreoffice.org/17116
Reviewed-by: Michael Meeks michael.me...@collabora.com
Tested-by: Michael Meeks michael.me...@collabora.com

diff --git a/filter/qa/cppunit/data/dxf/fail/hang-1.dxf 
b/filter/qa/cppunit/data/dxf/fail/hang-1.dxf
new file mode 100644
index 000..d97edbb29
--- /dev/null
+++ b/filter/qa/cppunit/data/dxf/fail/hang-1.dxf
@@ -0,0 +1 @@
+99
\ No newline at end of file
diff --git a/filter/qa/cppunit/data/dxf/pass/pyramid.dxf 
b/filter/qa/cppunit/data/dxf/pass/pyramid.dxf
new file mode 100644
index 000..65cd5f83
--- /dev/null
+++ b/filter/qa/cppunit/data/dxf/pass/pyramid.dxf
@@ -0,0 +1,25008 @@
+0
+SECTION
+2
+HEADER
+9
+$ACADVER
+1
+AC1014
+9
+$ACADMAINTVER
+70
+8
+9
+$DWGCODEPAGE
+3
+ANSI_1252
+9
+$INSBASE
+10
+0.0
+20
+0.0
+30
+0.0
+9
+$EXTMIN
+10
+1.00E+20
+20
+1.00E+20
+30
+1.00E+20
+9
+$EXTMAX
+10
+-1.00E+20
+20
+-1.00E+20
+30
+-1.00E+20
+9
+$LIMMIN
+10
+0.0
+20
+0.0
+9
+$LIMMAX
+10
+12.0
+20
+9.0
+9
+$ORTHOMODE
+70
+0
+9
+$REGENMODE
+70
+1
+9
+$FILLMODE
+70
+1
+9
+$QTEXTMODE
+70
+0
+9
+$MIRRTEXT
+70
+1
+9
+$DRAGMODE
+70
+2
+9
+$LTSCALE
+40
+1.0
+9
+$OSMODE
+70
+0
+9
+$ATTMODE
+70
+1
+9
+$TEXTSIZE
+40
+0.2
+9
+$TRACEWID
+40
+0.05
+9
+$TEXTSTYLE
+7
+STANDARD
+9
+$CLAYER
+8
+0
+9
+$CELTYPE
+6
+BYLAYER
+9
+$CECOLOR
+62
+256
+9
+$CELTSCALE
+40
+1.0
+9
+$DELOBJ
+70
+1
+9
+$DISPSILH
+70
+0
+9
+$DIMSCALE
+40
+1.0
+9
+$DIMASZ
+40
+0.18
+9
+$DIMEXO
+40
+0.0625
+9
+$DIMDLI
+40
+0.38
+9
+$DIMRND
+40
+0.0
+9
+$DIMDLE
+40
+0.0
+9
+$DIMEXE
+40
+0.18
+9
+$DIMTP
+40
+0.0
+9
+$DIMTM
+40
+0.0
+9
+$DIMTXT
+40
+0.18
+9
+$DIMCEN
+40
+0.09
+9
+$DIMTSZ
+40
+0.0
+9
+$DIMTOL
+70
+0
+9
+$DIMLIM
+70
+0
+9
+$DIMTIH
+70
+1
+9
+$DIMTOH
+70
+1
+9
+$DIMSE1
+70
+0
+9
+$DIMSE2
+70
+0
+9
+$DIMTAD
+70
+0
+9
+$DIMZIN
+70
+0
+9
+$DIMBLK
+1
+
+9
+$DIMASO
+70
+1
+9
+$DIMSHO
+70
+1
+9
+$DIMPOST
+1
+
+9
+$DIMAPOST
+1
+
+9
+$DIMALT
+70
+0
+9
+$DIMALTD
+70
+2
+9
+$DIMALTF
+40
+25.4
+9
+$DIMLFAC
+40
+1.0
+9
+$DIMTOFL
+70
+0
+9
+$DIMTVP
+40
+0.0
+9
+$DIMTIX
+70
+0
+9
+$DIMSOXD
+70
+0
+9
+$DIMSAH
+70
+0
+9
+$DIMBLK1
+1
+
+9
+$DIMBLK2
+1
+
+9
+$DIMSTYLE
+2
+STANDARD
+9
+$DIMCLRD
+70
+0
+9
+$DIMCLRE
+70
+0
+9
+$DIMCLRT
+70
+0
+9
+$DIMTFAC
+40
+1.0
+9
+$DIMGAP
+40
+0.09
+9
+$DIMJUST
+70
+0
+9
+$DIMSD1
+70
+0
+9
+$DIMSD2
+70
+0
+9
+$DIMTOLJ
+70
+1
+9
+$DIMTZIN
+70
+0
+9
+$DIMALTZ
+70
+0
+9
+$DIMALTTZ
+70
+0
+9
+$DIMFIT
+70
+3
+9
+$DIMUPT
+70
+0
+9
+$DIMUNIT
+70
+2
+9
+$DIMDEC
+70
+4
+9
+$DIMTDEC
+70
+4
+9
+$DIMALTU
+70
+2
+9
+$DIMALTTD
+70
+2
+9
+$DIMTXSTY
+7
+STANDARD
+9
+$DIMAUNIT
+70
+0
+9
+$LUNITS
+70
+2
+9
+$LUPREC
+70
+4
+9
+$SKETCHINC
+40
+0.1
+9
+$FILLETRAD
+40
+0.5
+9
+$AUNITS
+70
+0
+9
+$AUPREC
+70
+0
+9
+$MENU
+1
+.
+9
+$ELEVATION
+40
+0.0
+9
+$PELEVATION
+40
+0.0
+9
+$THICKNESS
+40
+0.0
+9
+$LIMCHECK
+70
+0
+9
+$BLIPMODE
+70
+0
+9
+$CHAMFERA
+40
+0.5
+9
+$CHAMFERB
+40
+0.5
+9
+$CHAMFERC
+40
+1.0
+9
+$CHAMFERD
+40
+0.0
+9
+$SKPOLY
+70
+1
+9
+$TDCREATE
+40
+2451008.519973958
+9
+$TDUPDATE
+40
+2451008.523538426
+9
+$TDINDWG
+40
+0.002406
+9
+$TDUSRTIMER
+40
+0.002406
+9
+$USRTIMER
+70
+1
+9
+$ANGBASE
+50
+0.0
+9
+$ANGDIR
+70
+0
+9
+$PDMODE
+70
+0
+9
+$PDSIZE
+40
+0.0
+9
+$PLINEWID
+40
+0.0
+9
+$COORDS
+70
+1
+9
+$SPLFRAME
+70
+0
+9
+$SPLINETYPE
+70
+6
+9
+$SPLINESEGS
+70
+8
+9
+$ATTDIA
+70
+0
+9
+$ATTREQ
+70
+1
+9
+$HANDLING
+70
+1
+9
+$HANDSEED
+5
+5B
+9
+$SURFTAB1
+70
+6
+9
+$SURFTAB2
+70
+6
+9
+$SURFTYPE
+70
+6
+9
+$SURFU
+70
+6
+9
+$SURFV
+70
+6
+9
+$UCSNAME
+2
+
+9
+$UCSORG
+10
+0.0
+20
+0.0
+30
+0.0
+9
+$UCSXDIR
+10
+1.0
+20
+0.0
+30
+0.0
+9
+$UCSYDIR
+10
+0.0
+20
+1.0
+30
+0.0
+9
+$PUCSNAME
+2
+
+9
+$PUCSORG
+10
+0.0
+20
+0.0
+30
+0.0
+9
+$PUCSXDIR
+10
+1.0
+20
+0.0
+30
+0.0
+9
+$PUCSYDIR
+10
+0.0
+20
+1.0
+30
+0.0
+9
+$USERI1
+70
+0
+9
+$USERI2
+70
+0
+9
+$USERI3
+70
+0
+9
+$USERI4
+70
+0
+9
+$USERI5
+70
+0
+9
+$USERR1
+40
+0.0
+9
+$USERR2
+40
+0.0
+9
+$USERR3
+40
+0.0
+9
+$USERR4
+40
+0.0
+9
+$USERR5
+40
+0.0
+9
+$WORLDVIEW
+70
+1
+9
+$SHADEDGE
+70
+3
+9
+$SHADEDIF
+70
+70
+9
+$TILEMODE
+70
+1
+9
+$MAXACTVP
+70
+48
+9
+$PINSBASE
+10
+0.0
+20
+0.0
+30
+0.0
+9
+$PLIMCHECK
+70
+0
+9
+$PEXTMIN
+10
+1.00E+20
+20
+1.00E+20
+30
+1.00E+20
+9
+$PEXTMAX
+10
+-1.00E+20
+20
+-1.00E+20
+30
+-1.00E+20
+9
+$PLIMMIN
+10
+0.0
+20
+0.0
+9
+$PLIMMAX
+10
+12.0
+20
+9.0
+9
+$UNITMODE
+70
+0
+9
+$VISRETAIN
+70
+1
+9
+$PLINEGEN
+70
+0
+9
+$PSLTSCALE
+70
+1
+9
+$TREEDEPTH
+70
+3020
+9

[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

2015-07-15 Thread Caolán McNamara
 filter/qa/cppunit/data/ras/fail/crash-1.ras |binary
 filter/source/graphicfilter/iras/iras.cxx   |   18 +-
 2 files changed, 9 insertions(+), 9 deletions(-)

New commits:
commit eb70bf3e486102205cf609fa4c879564745eff17
Author: Caolán McNamara caol...@redhat.com
Date:   Wed Jul 15 11:02:13 2015 +0100

file format documentation states these are signed

Change-Id: Iaca58dda19d24a767333ff642759414951a03e6d
(cherry picked from commit 8a60e78769ebf6fc73ddc8ed7e43991fcb30fff4)
Reviewed-on: https://gerrit.libreoffice.org/17063
Reviewed-by: Michael Stahl mst...@redhat.com
Tested-by: Michael Stahl mst...@redhat.com

diff --git a/filter/qa/cppunit/data/ras/fail/crash-1.ras 
b/filter/qa/cppunit/data/ras/fail/crash-1.ras
new file mode 100644
index 000..d1abbae
Binary files /dev/null and b/filter/qa/cppunit/data/ras/fail/crash-1.ras differ
diff --git a/filter/source/graphicfilter/iras/iras.cxx 
b/filter/source/graphicfilter/iras/iras.cxx
index cca5bc8..6916daa 100644
--- a/filter/source/graphicfilter/iras/iras.cxx
+++ b/filter/source/graphicfilter/iras/iras.cxx
@@ -44,12 +44,12 @@ private:
 
 boolmbStatus;
 Bitmap  maBmp;
-sal_uInt32  mnWidth, mnHeight;  // Bildausmass in Pixeln
-sal_uInt16  mnDstBitsPerPix;
-sal_uInt16  mnDstColors;
-sal_uInt32  mnDepth, mnImageDatSize, mnType;
-sal_uInt32  mnColorMapType, mnColorMapSize;
-sal_uInt8   mnRepCount, mnRepVal;   // RLE Decoding
+sal_Int32   mnWidth, mnHeight;  // Bildausmass in Pixeln
+sal_uInt16  mnDstBitsPerPix;
+sal_uInt16  mnDstColors;
+sal_Int32   mnDepth, mnImageDatSize, mnType;
+sal_Int32   mnColorMapType, mnColorMapSize;
+sal_uInt8   mnRepCount, mnRepVal;   // RLE Decoding
 boolmbPalette;
 
 boolImplReadBody(BitmapWriteAccess * pAcc);
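Review bot: The comment on the changed `mnWidth, mnHeight` line is still German (`// Bildausmass in Pixeln`) while the neighbouring `// RLE Decoding` is English. Since the line is being touched anyway, I would make it `// image dimensions in pixels, signed per the file format documentation` so the reason for sal_Int32 is recorded next to the declaration. The class declaration starts and ends outside this hunk.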
@@ -178,9 +178,9 @@ bool RASReader::ReadRAS(Graphic  rGraphic)
 
 bool RASReader::ImplReadHeader()
 {
-m_rRAS.ReadUInt32( mnWidth ).ReadUInt32( mnHeight ).ReadUInt32( mnDepth 
).ReadUInt32( mnImageDatSize ).ReadUInt32( mnType ).ReadUInt32( 
mnColorMapType ).ReadUInt32( mnColorMapSize );
+
m_rRAS.ReadInt32(mnWidth).ReadInt32(mnHeight).ReadInt32(mnDepth).ReadInt32(mnImageDatSize).ReadInt32(mnType).ReadInt32(mnColorMapType).ReadInt32(mnColorMapSize);
 
-if ( mnWidth == 0 || mnHeight == 0 )
+if ( mnWidth = 0 || mnHeight = 0 || mnImageDatSize = 0 )
 mbStatus = false;
 
 switch ( mnDepth )
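Review bot: mnColorMapSize, mnDepth, mnType and mnColorMapType become signed in this commit as well, but the new range check only rejects non-positive mnWidth, mnHeight and mnImageDatSize. If mnColorMapSize is later used as a byte count or skip distance, a negative value from the file would reach that code unchecked. The rest of ImplReadHeader is outside this hunk, so that use cannot be confirmed here. Extending the condition with `|| mnColorMapSize < 0` keeps all length-like header fields validated in one place.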
@@ -216,7 +216,7 @@ bool RASReader::ImplReadHeader()
 
 bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc)
 {
-sal_uLong   x, y;
+sal_Int32 x, y;
 sal_uInt8   nDat = 0;
 sal_uInt8nRed, nGreen, nBlue;
 switch ( mnDstBitsPerPix )