authorCaolán McNamara <caolanm@redhat.com>2012-04-17 16:45:23 +0100
committerCaolán McNamara <caolanm@redhat.com>2012-04-17 16:46:14 +0100
commit9ff94ae0fa947c5fd6a31fbc38421f60eb5e1fba (patch)
tree002b55a59e8a5a7b851adfbd2edad17ca509b67f
parentb1bee56af9a4cbbaabfe43290d28f53efdebc14d (diff)
png parsing regression test
-rw-r--r--basebmp/source/bitmapdevice.cxx12
-rw-r--r--svtools/qa/cppunit/data/png/fail/.gitignore0
-rw-r--r--svtools/qa/cppunit/data/png/fail/CVE-2004-0597-1.png3
-rw-r--r--svtools/qa/cppunit/data/png/fail/CVE-2005-0633-1.pngbin0 -> 346 bytes
-rw-r--r--svtools/qa/cppunit/data/png/fail/CVE-2006-7210-1.pngbin0 -> 2495 bytes
-rw-r--r--svtools/qa/cppunit/data/png/fail/CVE-2007-2365-1.pngbin0 -> 18470 bytes
-rw-r--r--svtools/qa/cppunit/data/png/fail/CVE-2009-1511-1.png1
-rw-r--r--svtools/qa/cppunit/data/png/indeterminate/.gitignore0
-rw-r--r--svtools/qa/cppunit/data/png/pass/.gitignore0
-rw-r--r--svtools/qa/cppunit/data/png/pass/black.pngbin0 -> 175 bytes
-rw-r--r--svtools/qa/cppunit/filters-test.cxx4
-rw-r--r--vcl/source/gdi/pngread.cxx31
12 files changed, 40 insertions, 11 deletions
diff --git a/basebmp/source/bitmapdevice.cxx b/basebmp/source/bitmapdevice.cxx
index 1586fce1cfb5..b3676c603edc 100644
--- a/basebmp/source/bitmapdevice.cxx
+++ b/basebmp/source/bitmapdevice.cxx
@@ -1881,8 +1881,16 @@ BitmapDeviceSharedPtr createBitmapDeviceImpl( const basegfx::B2IVector&
// factor in bottom-up scanline order case
nScanlineStride *= bTopDown ? 1 : -1;
- const std::size_t nMemSize(
- (nScanlineStride < 0 ? -nScanlineStride : nScanlineStride)*rSize.getY() );
+ const sal_uInt32 nWidth(nScanlineStride < 0 ? -nScanlineStride : nScanlineStride);
+ const sal_uInt32 nHeight(rSize.getY());
+
+ if (nHeight && nWidth && nWidth > SAL_MAX_INT32 / nHeight)
+ {
+ SAL_WARN( "basebmp", "suspicious massive alloc " << nWidth << " * " << nHeight);
+ return BitmapDeviceSharedPtr();
+ }
+
+ const std::size_t nMemSize(nWidth * nHeight);
if( !pMem )
{
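Review bot: The new overflow guard covers only stride × height, but `nScanlineStride` is computed before this hunk; if that earlier calculation can wrap for a hostile image size, the guard sees an already wrapped value, so it is worth checking there as well. `nWidth` holds the absolute scanline stride rather than a pixel width, so a name such as `nStride` would read more accurately. A negative `rSize.getY()` appears to be rejected only because it converts to a very large `sal_uInt32`; a comment such as `// negative heights convert to a huge unsigned value and are refused below` would make that intentional. createBitmapDeviceImpl's body starts and ends outside the hunk.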
diff --git a/svtools/qa/cppunit/data/png/fail/.gitignore b/svtools/qa/cppunit/data/png/fail/.gitignore
new file mode 100644
index 000000000000..e69de29bb2d1
--- /dev/null
+++ b/svtools/qa/cppunit/data/png/fail/.gitignore
diff --git a/svtools/qa/cppunit/data/png/fail/CVE-2004-0597-1.png b/svtools/qa/cppunit/data/png/fail/CVE-2004-0597-1.png
new file mode 100644
index 000000000000..fa90a296f9fa
--- /dev/null
+++ b/svtools/qa/cppunit/data/png/fail/CVE-2004-0597-1.png
@@ -0,0 +1,3 @@
+#Mb}o72~X.^TwB!f1s tga2bAHb"8|eGfS$N0nI֪
+0"JGzܢ(s?d)"GEF9~}r TΝp?*ck$E"X8=2T_3v# $Hh4JKi݊J&7r=u69KjWh{$ dV[Жy\%%ǾH me+ }gXI2>*ī& )̸6pUTjODh1-<WURK591M?
+~*Nru;khX{֍Ԥ' ӏwF[KRfyO%0ihx׃wz4dT.@Xm4ipZ^yЯ`_Y? tuw4\kdJ~mg`<2ln* kh*nw7!YIßP+hK*Ԟ`? \ No newline at end of file
diff --git a/svtools/qa/cppunit/data/png/fail/CVE-2005-0633-1.png b/svtools/qa/cppunit/data/png/fail/CVE-2005-0633-1.png
new file mode 100644
index 000000000000..d0644d139749
--- /dev/null
+++ b/svtools/qa/cppunit/data/png/fail/CVE-2005-0633-1.png
Binary files differ
diff --git a/svtools/qa/cppunit/data/png/fail/CVE-2006-7210-1.png b/svtools/qa/cppunit/data/png/fail/CVE-2006-7210-1.png
new file mode 100644
index 000000000000..9b30cc38c7db
--- /dev/null
+++ b/svtools/qa/cppunit/data/png/fail/CVE-2006-7210-1.png
Binary files differ
diff --git a/svtools/qa/cppunit/data/png/fail/CVE-2007-2365-1.png b/svtools/qa/cppunit/data/png/fail/CVE-2007-2365-1.png
new file mode 100644
index 000000000000..b9ff67bb8b81
--- /dev/null
+++ b/svtools/qa/cppunit/data/png/fail/CVE-2007-2365-1.png
Binary files differ
diff --git a/svtools/qa/cppunit/data/png/fail/CVE-2009-1511-1.png b/svtools/qa/cppunit/data/png/fail/CVE-2009-1511-1.png
new file mode 100644
index 000000000000..592fda10aa9e
--- /dev/null
+++ b/svtools/qa/cppunit/data/png/fail/CVE-2009-1511-1.png
@@ -0,0 +1 @@
+#Mb}o72͐~\._舄{'p|&F/ \ No newline at end of file
diff --git a/svtools/qa/cppunit/data/png/indeterminate/.gitignore b/svtools/qa/cppunit/data/png/indeterminate/.gitignore
new file mode 100644
index 000000000000..e69de29bb2d1
--- /dev/null
+++ b/svtools/qa/cppunit/data/png/indeterminate/.gitignore
diff --git a/svtools/qa/cppunit/data/png/pass/.gitignore b/svtools/qa/cppunit/data/png/pass/.gitignore
new file mode 100644
index 000000000000..e69de29bb2d1
--- /dev/null
+++ b/svtools/qa/cppunit/data/png/pass/.gitignore
diff --git a/svtools/qa/cppunit/data/png/pass/black.png b/svtools/qa/cppunit/data/png/pass/black.png
new file mode 100644
index 000000000000..cbba93bedd81
--- /dev/null
+++ b/svtools/qa/cppunit/data/png/pass/black.png
Binary files differ
diff --git a/svtools/qa/cppunit/filters-test.cxx b/svtools/qa/cppunit/filters-test.cxx
index a1c4a44947fd..296d96e13f67 100644
--- a/svtools/qa/cppunit/filters-test.cxx
+++ b/svtools/qa/cppunit/filters-test.cxx
@@ -80,6 +80,10 @@ void SvtoolsFiltersTest::testCVEs()
testDir(rtl::OUString(),
getURLFromSrc("/svtools/qa/cppunit/data/sgv/"),
rtl::OUString());
+
+ testDir(rtl::OUString(),
+ getURLFromSrc("/svtools/qa/cppunit/data/png/"),
+ rtl::OUString());
}
CPPUNIT_TEST_SUITE_REGISTRATION(SvtoolsFiltersTest);
diff --git a/vcl/source/gdi/pngread.cxx b/vcl/source/gdi/pngread.cxx
index a85a8ecc3238..d279c0126e41 100644
--- a/vcl/source/gdi/pngread.cxx
+++ b/vcl/source/gdi/pngread.cxx
@@ -194,6 +194,7 @@ PNGReaderImpl::PNGReaderImpl( SvStream& rPNGStream )
mpScanCurrent ( NULL ),
mpColorTable ( (sal_uInt8*) mpDefaultColorTable ),
mnPass ( 0 ),
+ mbPalette( sal_False ),
mbzCodecInUse ( sal_False ),
mbStatus( sal_True),
mbIDAT( sal_False ),
@@ -297,7 +298,7 @@ bool PNGReaderImpl::ReadNextChunk()
nCRC32 = rtl_crc32( nCRC32, &rChunkData.aData[ 0 ], mnChunkLen );
maDataIter = rChunkData.aData.begin();
}
- sal_uInt32 nCheck;
+ sal_uInt32 nCheck(0);
mrPNGStream >> nCheck;
if( nCRC32 != nCheck )
return false;
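Review bot: Initialising `nCheck` to 0 makes a short read deterministic, but the comparison still cannot tell a truncated stream from a stored CRC of zero, so the result of the read should be tested explicitly before the compare. I would check the stream's error/EOF state right after `mrPNGStream >> nCheck;` and return false on failure, with a comment like `// a truncated chunk has no CRC to verify`. ReadNextChunk's body starts and ends outside the hunk.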
@@ -339,14 +340,23 @@ BitmapEx PNGReaderImpl::GetBitmapEx( const Size& rPreviewSizeHint )
// reset to the first chunk
maChunkIter = maChunkSeq.begin();
- // parse the chunks
+ // first chunk must be IDHR
+ if( mbStatus && ReadNextChunk() )
+ {
+ if (mnChunkType == PNGCHUNK_IHDR)
+ mbStatus = ImplReadHeader( rPreviewSizeHint );
+ else
+ mbStatus = false;
+ }
+
+ // parse the remaining chunks
while( mbStatus && !mbIDAT && ReadNextChunk() )
{
switch( mnChunkType )
{
case PNGCHUNK_IHDR :
{
- mbStatus = ImplReadHeader( rPreviewSizeHint );
+ mbStatus = false; //IHDR should only appear as the first chunk
}
break;
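Review bot: When the first `ReadNextChunk()` fails (empty or truncated stream), the new block leaves `mbStatus` true, and the loop is then presumably skipped by its own `ReadNextChunk()` condition. Whether such input is rejected therefore depends on code after the loop, which is outside this hunk. Folding the read into the status makes the failure explicit: `if( mbStatus ) mbStatus = ReadNextChunk() && mnChunkType == PNGCHUNK_IHDR && ImplReadHeader( rPreviewSizeHint );`. The comment `// first chunk must be IDHR` should read `IHDR`. The switch continues beyond the hunk.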
@@ -756,14 +766,17 @@ sal_Bool PNGReaderImpl::ImplReadTransparent()
{
if ( mnChunkLen <= 256 )
{
+ mbTransparent = true;
mpTransTab = new sal_uInt8 [ 256 ];
rtl_fillMemory( mpTransTab, 256, 0xff );
- rtl_copyMemory( mpTransTab, &(*maDataIter), mnChunkLen );
- maDataIter += mnChunkLen;
- mbTransparent = true;
- // need alpha transparency if not on/off masking
- for( int i = 0; i < mnChunkLen; ++i )
- bNeedAlpha |= (mpTransTab[i]!=0x00) && (mpTransTab[i]!=0xFF);
+ if (mnChunkLen > 0)
+ {
+ rtl_copyMemory( mpTransTab, &(*maDataIter), mnChunkLen );
+ maDataIter += mnChunkLen;
+ // need alpha transparency if not on/off masking
+ for( int i = 0; i < mnChunkLen; ++i )
+ bNeedAlpha |= (mpTransTab[i]!=0x00) && (mpTransTab[i]!=0xFF);
+ }
}
}
break;
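Review bot: `mpTransTab = new sal_uInt8 [ 256 ];` overwrites the pointer without releasing an earlier table, so a file carrying more than one tRNS chunk would leak 256 bytes per repeat unless duplicates are rejected elsewhere, which is not visible in this hunk. If they are not, either fail on a second chunk or free first, e.g. `delete[] mpTransTab;` ahead of the allocation (assuming the member starts as NULL). A short comment on the new `if (mnChunkLen > 0)` saying that `maDataIter` must not be dereferenced for an empty chunk would record why the guard exists. ImplReadTransparent begins outside the hunk and its switch ends outside it.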