From a7815e365bdb5544a0a9c63c6d730cf591f286d7 Mon Sep 17 00:00:00 2001
From: Caolán McNamara <caolanm@redhat.com>
Date: Wed, 30 Jan 2019 13:36:01 +0000
Subject: Resolves: tdf#122958 bmps with weird compression values that work in
 mso
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Change-Id: Ie1887288cba7c1d56b807dbc9ddb886b9d20ff33
Reviewed-on: https://gerrit.libreoffice.org/67145
Tested-by: Jenkins
Tested-by: Xisco Faulí <xiscofauli@libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
---
 .../graphicfilter/data/wmf/fail/CVE-2015-0848-1.wmf      | Bin 4192 -> 0 bytes
 .../graphicfilter/data/wmf/pass/CVE-2015-0848-1.wmf      | Bin 0 -> 4192 bytes
 vcl/source/gdi/dibtools.cxx                              |  14 ++++++++++++--
 3 files changed, 12 insertions(+), 2 deletions(-)
 delete mode 100644 vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2015-0848-1.wmf
 create mode 100644 vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2015-0848-1.wmf

(limited to 'vcl')

diff --git a/vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2015-0848-1.wmf b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2015-0848-1.wmf
deleted file mode 100644
index 1512a2256bc2..000000000000
Binary files a/vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2015-0848-1.wmf and /dev/null differ
diff --git a/vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2015-0848-1.wmf b/vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2015-0848-1.wmf
new file mode 100644
index 000000000000..1512a2256bc2
Binary files /dev/null and b/vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2015-0848-1.wmf differ
diff --git a/vcl/source/gdi/dibtools.cxx b/vcl/source/gdi/dibtools.cxx
index de8615226492..4088d6287894 100644
--- a/vcl/source/gdi/dibtools.cxx
+++ b/vcl/source/gdi/dibtools.cxx
@@ -939,6 +939,18 @@ bool ImplReadDIBBody(SvStream& rIStm, Bitmap& rBmp, AlphaMask* pBmpAlpha, sal_uL
         }
         case BITFIELDS:
             break;
+        default:
+            // tdf#122958 invalid compression value used
+            if (aHeader.nCompression & 0x000F)
+            {
+                // lets assume that there was an error in the generating application
+                // and allow through as COMPRESS_NONE if the bottom byte is 0
+                SAL_WARN( "vcl", "bad bmp compression scheme: " << aHeader.nCompression << ", rejecting bmp");
+                return false;
+            }
+            else
+                SAL_WARN( "vcl", "bad bmp compression scheme: " << aHeader.nCompression << ", assuming meant to be COMPRESS_NONE");
+            SAL_FALLTHROUGH;
         case ZCOMPRESS:
         case COMPRESS_NONE:
         {
@@ -950,8 +962,6 @@ bool ImplReadDIBBody(SvStream& rIStm, Bitmap& rBmp, AlphaMask* pBmpAlpha, sal_uL
                 return false;
             break;
         }
-        default:
-            return false;
     }
 
     const Size aSizePixel(aHeader.nWidth, aHeader.nHeight);
-- 
cgit v1.2.3