summaryrefslogtreecommitdiff
path: root/vcl/source/gdi
diff options
context:
space:
mode:
authorDavid Tardon <dtardon@redhat.com>2016-01-21 12:28:19 +0100
committerDavid Tardon <dtardon@redhat.com>2016-01-21 12:30:21 +0100
commit32b0e02e5b82a8a13822e115574c6b77e30127ef (patch)
tree860013797cd77f7bc679bf57e7c4e9827d742938 /vcl/source/gdi
parent8608b276aee2075ce06ff33bcbac8899d427ad51 (diff)
at least partially sanitize image dimensions
... to avoid enormous allocations later. Change-Id: I8ffb050f095bd7ba2fee5be738bb30cd45170b82
Diffstat (limited to 'vcl/source/gdi')
-rw-r--r--vcl/source/gdi/dibtools.cxx11
1 files changed, 11 insertions, 0 deletions
diff --git a/vcl/source/gdi/dibtools.cxx b/vcl/source/gdi/dibtools.cxx
index 59db04c7456d..e5b67fa6000c 100644
--- a/vcl/source/gdi/dibtools.cxx
+++ b/vcl/source/gdi/dibtools.cxx
@@ -301,6 +301,17 @@ bool ImplReadDIBInfoHeader(SvStream& rIStm, DIBV5Header& rHeader, bool& bTopDown
return false;
}
+ if (rHeader.nCompression == 0)
+ {
+ sal_uInt64 nMaxSize = rIStm.remainingSize();
+ if (rHeader.nHeight != 0)
+ nMaxSize /= rHeader.nHeight;
+ if (rHeader.nPlanes != 0)
+ nMaxSize /= rHeader.nPlanes;
+ if (sal_Int64(nMaxSize) < rHeader.nWidth)
+ return false;
+ }
+
return rIStm.good();
}