openoffice-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From dam...@apache.org
Subject svn commit: r1816295 - /openoffice/trunk/main/vcl/source/gdi/pngread.cxx
Date Sat, 25 Nov 2017 13:21:24 GMT
Author: damjan
Date: Sat Nov 25 13:21:24 2017
New Revision: 1816295

URL: http://svn.apache.org/viewvc?rev=1816295&view=rev
Log:
Add range checking to PNG palette indexes,
as per OSS-Fuzz issue 574.

Patch by: me


Modified:
    openoffice/trunk/main/vcl/source/gdi/pngread.cxx

Modified: openoffice/trunk/main/vcl/source/gdi/pngread.cxx
URL: http://svn.apache.org/viewvc/openoffice/trunk/main/vcl/source/gdi/pngread.cxx?rev=1816295&r1=1816294&r2=1816295&view=diff
==============================================================================
--- openoffice/trunk/main/vcl/source/gdi/pngread.cxx (original)
+++ openoffice/trunk/main/vcl/source/gdi/pngread.cxx Sat Nov 25 13:21:24 2017
@@ -36,6 +36,7 @@
 #include <vcl/svapp.hxx>
 #include <vcl/alpha.hxx>
 #include <osl/endian.h>
+#include <com/sun/star/lang/IndexOutOfBoundsException.hpp>
 
 // -----------
 // - Defines -
@@ -296,7 +297,7 @@ bool PNGReaderImpl::ReadNextChunk()
         if( mnChunkLen < 0 )
             return false;
         const sal_Size nStreamPos = mrPNGStream.Tell();
-        if( nStreamPos + mnChunkLen >= mnStreamSize )
+        if( nStreamPos + mnChunkLen + 4 >= mnStreamSize )
             return false;
 
         // calculate chunktype CRC (swap it back to original byte order)
@@ -434,7 +435,16 @@ BitmapEx PNGReaderImpl::GetBitmapEx( con
 				if ( !mpInflateInBuf )	// taking care that the header has properly been read
 					mbStatus = sal_False;
 				else if ( !mbIDAT )		// the gfx is finished, but there may be left a zlibCRC of about
4Bytes
-					ImplReadIDAT();
+				{
+					try
+					{
+						ImplReadIDAT();
+					}
+					catch (::com::sun::star::lang::IndexOutOfBoundsException&)
+					{
+						mbStatus = sal_False;
+					}
+				}
 			}
 			break;
 
@@ -1644,6 +1654,8 @@ void PNGReaderImpl::ImplSetPixel( sal_uI
         return;
     nX >>= mnPreviewShift;
 
+    if (nPalIndex >= mpAcc->GetPaletteEntryCount())
+        throw ::com::sun::star::lang::IndexOutOfBoundsException();
     mpAcc->SetPixelIndex( nY, nX, nPalIndex );
 }
 
@@ -1674,6 +1686,8 @@ void PNGReaderImpl::ImplSetAlphaPixel( s
         return;
     nX >>= mnPreviewShift;
 
+    if (nPalIndex >= mpAcc->GetPaletteEntryCount())
+        throw ::com::sun::star::lang::IndexOutOfBoundsException();
     mpAcc->SetPixelIndex( nY, nX, nPalIndex );
     mpMaskAcc->SetPixelIndex( nY, nX, ~nAlpha );
 }



Mime
View raw message