authorStephan Bergmann <sbergman@redhat.com>2022-05-23 14:57:18 +0200
committerCaolán McNamara <caolanm@redhat.com>2022-05-23 18:17:10 +0200
commit728ff63903083f3bc4321e8fbbb2c1d4b1755a0c (patch)
tree79069d5c5cf67314dd2f5bd297dc6ae2437bb7ea
parenta14d8acb93717b958598421590831e8a92fde27c (diff)
Bad hack to silence UBSan nullptr-with-offset
...since e912a446210fdae61be3fc04d20d90488cedcdf6 "tiff: use more complicated apis to need a smaller buffer during read" in CppunitTest_vcl_filters_test, > [_RUN_____] TiffFilterTest::testCVEs [...] > tif_getimage.c:998:21: runtime error: applying zero offset to null pointer > #0 0x7f487da9d408 in gtStripContig /workdir/UnpackedTarball/libtiff/libtiff/tif_getimage.c:998:21 > #1 0x7f487da97c27 in TIFFRGBAImageGet /workdir/UnpackedTarball/libtiff/libtiff/tif_getimage.c:512:12 > #2 0x7f487bd1a56c in ImportTiffGraphicImport(SvStream&, Graphic&) /vcl/source/filter/itiff/itiff.cxx:219:19 > #3 0x7f485d820126 in TiffFilterTest::load(rtl::OUString const&, rtl::OUString const&, rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int) /vcl/qa/cppunit/graphicfilter/filters-tiff-test.cxx:70:12 > #4 0x7f485a49ffa0 in test::FiltersTest::recursiveScan(test::filterStatus, rtl::OUString const&, rtl::OUString const&, rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int, bool) /unotest/source/cpp/filters-test.cxx:132:20 > #5 0x7f485a4a3a52 in test::FiltersTest::testDir(rtl::OUString const&, std::basic_string_view<char16_t, std::char_traits<char16_t> >, rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int, bool) /unotest/source/cpp/filters-test.cxx:157:5 > #6 0x7f485d8206f9 in TiffFilterTest::testCVEs() /vcl/qa/cppunit/graphicfilter/filters-tiff-test.cxx:76:5 (<https://ci.libreoffice.org/job/lo_ubsan/2406/>). (If UBSan or some other tool starts to flag this too, we'll probably need to pass in a nullptr after all and teach libtiff to treat that case specially and not advance it.) Change-Id: I4477e6c7036c3c5f2782c2c90c612d98fee60468 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/134822 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolanm@redhat.com>
-rw-r--r--vcl/source/filter/itiff/itiff.cxx9
1 files changed, 8 insertions, 1 deletions
diff --git a/vcl/source/filter/itiff/itiff.cxx b/vcl/source/filter/itiff/itiff.cxx
index 292621ed0b83..9f51e28df0a9 100644
--- a/vcl/source/filter/itiff/itiff.cxx
+++ b/vcl/source/filter/itiff/itiff.cxx
@@ -267,7 +267,14 @@ bool ImportTiffGraphicImport(SvStream& rTIFF, Graphic& rGraphic)
img.put.separate = putSeparatePixel;
}
- bOk = TIFFRGBAImageGet(&img, nullptr, w, img.height);
+ bOk = TIFFRGBAImageGet(
+ &img, reinterpret_cast<uint32_t *>(sizeof (uint32_t)), w, img.height);
+ // we don't access TIFFRGBAImageGet's raster argument in our custom putContigPixel/
+ // putSeparatePixel functions, but TIFFRGBAImageGet nevertheless internally
+ // advances that pointer, so passing nullptr would cause UBSan nullptr-with-offset
+ // errors; while technically still UB, this HACK of passing a non-null pointer keeps
+ // UBSan happy for now (and better use an artificial pointer value which would
+ // hopefully cause SIGSEGV if it should erroneously be dereferenced after all)
TIFFRGBAImageEnd(&img);
}
else
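Review bot: The explanation for the odd raster argument is placed after the TIFFRGBAImageGet call it justifies, so a reader hits `reinterpret_cast<uint32_t *>(sizeof (uint32_t))` before learning it is a deliberate dummy; pulling the value into a named local above the call reads better, e.g. `// dummy raster: our putContigPixel/putSeparatePixel ignore it, but libtiff advances the pointer, so it must not be nullptr (UBSan nullptr-with-offset)` followed by `uint32_t* const pDummyRaster = reinterpret_cast<uint32_t*>(sizeof(uint32_t));` and `bOk = TIFFRGBAImageGet(&img, pDummyRaster, w, img.height);`. The correctness of this hack rests on the two custom put callbacks never touching raster and on libtiff itself never dereferencing it on any of its get paths; those callbacks are outside this hunk, so a short cross-reference comment at their definitions would keep the invariant visible to whoever edits them next. The hope stated in the comment that a stray dereference would fault relies on the low page being unmapped, which holds on the usual desktop platforms but is not guaranteed everywhere. ImportTiffGraphicImport starts and ends outside the hunk.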