diff options
| author | David Tardon <dtardon@redhat.com> | 2016-01-22 19:25:12 +0100 |
|---|---|---|
| committer | Miklos Vajna <vmiklos@collabora.co.uk> | 2016-02-05 15:32:55 +0000 |
| commit | 9f9d679e72ca473c39ae31a284f85dd7a17e1ca3 (patch) | |
| tree | 24530d773e0bdef6236b49f82ad947b2c4a0069b /vcl | |
| parent | 3d1638e9deded1b10a38720ef61077ebb8881d47 (diff) | |
iat least partially sanitize image dimensions
... to avoid enormous allocations later.
(cherry picked from commit 93ca0057d6eca140764de446ba9b7d4128e88205)
Change-Id: Id178a17d2b901b7f59eab43c7d0f0074518b6c32
Reviewed-on: https://gerrit.libreoffice.org/21790
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Diffstat (limited to 'vcl')
| -rw-r--r-- | vcl/source/gdi/dibtools.cxx | 25 |
1 files changed, 18 insertions, 7 deletions
diff --git a/vcl/source/gdi/dibtools.cxx b/vcl/source/gdi/dibtools.cxx index 46305a5a87b7..96f5c328a479 100644 --- a/vcl/source/gdi/dibtools.cxx +++ b/vcl/source/gdi/dibtools.cxx @@ -469,13 +469,8 @@ bool ImplDecodeRLE( sal_uInt8* pBuffer, DIBV5Header& rHeader, BitmapWriteAccess& return true; } -bool ImplReadDIBBits(SvStream& rIStm, DIBV5Header& rHeader, BitmapWriteAccess& rAcc, BitmapWriteAccess* pAccAlpha, bool bTopDown, bool& rAlphaUsed) +bool ImplReadDIBBits(SvStream& rIStm, DIBV5Header& rHeader, BitmapWriteAccess& rAcc, BitmapWriteAccess* pAccAlpha, bool bTopDown, bool& rAlphaUsed, const sal_uInt64 nAlignedWidth) { - const sal_Int64 nBitsPerLine (static_cast<sal_Int64>(rHeader.nWidth) * static_cast<sal_Int64>(rHeader.nBitCount)); - if (nBitsPerLine > SAL_MAX_UINT32) - return false; - - const sal_uLong nAlignedWidth = AlignedWidth4Bytes(static_cast<sal_uLong>(nBitsPerLine)); sal_uInt32 nRMask(( rHeader.nBitCount == 16 ) ? 0x00007c00UL : 0x00ff0000UL); sal_uInt32 nGMask(( rHeader.nBitCount == 16 ) ? 0x000003e0UL : 0x0000ff00UL); sal_uInt32 nBMask(( rHeader.nBitCount == 16 ) ? 0x0000001fUL : 0x000000ffUL); @@ -849,6 +844,21 @@ bool ImplReadDIBBody( SvStream& rIStm, Bitmap& rBmp, AlphaMask* pBmpAlpha, sal_u pIStm = &rIStm; } + const sal_Int64 nBitsPerLine (static_cast<sal_Int64>(aHeader.nWidth) * static_cast<sal_Int64>(aHeader.nBitCount)); + if (nBitsPerLine > SAL_MAX_UINT32) + return false; + const sal_uInt64 nAlignedWidth(AlignedWidth4Bytes(static_cast<sal_uLong>(nBitsPerLine))); + + // (partially) check the image dimensions to avoid potential large bitmap allocation if the input is damaged + if (aHeader.nCompression == ZCOMPRESS || aHeader.nCompression == COMPRESS_NONE) + { + sal_uInt64 nMaxWidth = pIStm->remainingSize(); + if (aHeader.nHeight != 0) + nMaxWidth /= aHeader.nHeight; + if (nMaxWidth < nAlignedWidth) + return false; + } + const Size aSizePixel(aHeader.nWidth, aHeader.nHeight); BitmapPalette aDummyPal; Bitmap aNewBmp(aSizePixel, nBitCount, &aDummyPal); @@ -885,6 +895,7 @@ bool ImplReadDIBBody( SvStream& rIStm, Bitmap& rBmp, AlphaMask* pBmpAlpha, sal_u aNewBmpAlpha = AlphaMask(aSizePixel); pAccAlpha = aNewBmpAlpha.AcquireWriteAccess(); } + // read palette if(nColors) { @@ -902,7 +913,7 @@ bool ImplReadDIBBody( SvStream& rIStm, Bitmap& rBmp, AlphaMask* pBmpAlpha, sal_u pIStm->SeekRel(nOffset - (pIStm->Tell() - nStmPos)); } - bRet = ImplReadDIBBits(*pIStm, aHeader, *pAcc, pAccAlpha, bTopDown, bAlphaUsed); + bRet = ImplReadDIBBits(*pIStm, aHeader, *pAcc, pAccAlpha, bTopDown, bAlphaUsed, nAlignedWidth); if(bRet && aHeader.nXPelsPerMeter && aHeader.nYPelsPerMeter) { |