diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2012-04-19 17:06:02 +0100 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2012-04-19 17:06:02 +0100 |
| commit | 77c82b7415c6033230a3d9653a7bd6df6f109729 (patch) | |
| tree | 31955ee9f51d1f5fa7cc367b5c2f3d57822c67a6 | |
| parent | eebc3e941131ffb09439f69313e697e0ed660135 (diff) | |
backport chunk sanity testlibreoffice-3-4
| -rw-r--r-- | basebmp/source/bitmapdevice.cxx | 13 | ||||
| -rw-r--r-- | vcl/source/gdi/pngread.cxx | 31 |
2 files changed, 33 insertions, 11 deletions
diff --git a/basebmp/source/bitmapdevice.cxx b/basebmp/source/bitmapdevice.cxx index 2cb144717c..f860920e6e 100644 --- a/basebmp/source/bitmapdevice.cxx +++ b/basebmp/source/bitmapdevice.cxx @@ -1825,14 +1825,23 @@ BitmapDeviceSharedPtr createBitmapDeviceImpl( const basegfx::B2IVector& r // factor in bottom-up scanline order case nScanlineStride *= bTopDown ? 1 : -1; - const std::size_t nMemSize( - (nScanlineStride < 0 ? -nScanlineStride : nScanlineStride)*rSize.getY() ); + const sal_uInt32 nWidth(nScanlineStride < 0 ? -nScanlineStride : nScanlineStride); + const sal_uInt32 nHeight(rSize.getY()); + + if (nHeight && nWidth && nWidth > SAL_MAX_INT32 / nHeight) + { + return BitmapDeviceSharedPtr(); + } + + const std::size_t nMemSize(nWidth * nHeight); if( !pMem ) { pMem.reset( reinterpret_cast<sal_uInt8*>(rtl_allocateMemory( nMemSize )), &rtl_freeMemory ); + if (pMem.get() == 0 && nMemSize != 0) + return BitmapDeviceSharedPtr(); rtl_zeroMemory(pMem.get(),nMemSize); } diff --git a/vcl/source/gdi/pngread.cxx b/vcl/source/gdi/pngread.cxx index 1858f76716..1f3c955d0c 100644 --- a/vcl/source/gdi/pngread.cxx +++ b/vcl/source/gdi/pngread.cxx @@ -203,6 +203,7 @@ PNGReaderImpl::PNGReaderImpl( SvStream& rPNGStream ) mpScanCurrent ( NULL ), mpColorTable ( (sal_uInt8*) mpDefaultColorTable ), mnPass ( 0 ), + mbPalette( sal_False ), mbzCodecInUse ( sal_False ), mbStatus( sal_True), mbIDAT( sal_False ), @@ -306,7 +307,7 @@ bool PNGReaderImpl::ReadNextChunk() nCRC32 = rtl_crc32( nCRC32, &rChunkData.aData[ 0 ], mnChunkLen ); maDataIter = rChunkData.aData.begin(); } - sal_uInt32 nCheck; + sal_uInt32 nCheck(0); mrPNGStream >> nCheck; if( nCRC32 != nCheck ) return false; @@ -348,14 +349,23 @@ BitmapEx PNGReaderImpl::GetBitmapEx( const Size& rPreviewSizeHint ) // reset to the first chunk maChunkIter = maChunkSeq.begin(); - // parse the chunks + // first chunk must be IDHR + if( mbStatus && ReadNextChunk() ) + { + if (mnChunkType == PNGCHUNK_IHDR) + mbStatus = ImplReadHeader( rPreviewSizeHint ); + else + mbStatus = false; + } + + // parse the remaining chunks while( mbStatus && !mbIDAT && ReadNextChunk() ) { switch( mnChunkType ) { case PNGCHUNK_IHDR : { - mbStatus = ImplReadHeader( rPreviewSizeHint ); + mbStatus = false; //IHDR should only appear as the first chunk } break; @@ -765,14 +775,17 @@ sal_Bool PNGReaderImpl::ImplReadTransparent() { if ( mnChunkLen <= 256 ) { + mbTransparent = true; mpTransTab = new sal_uInt8 [ 256 ]; rtl_fillMemory( mpTransTab, 256, 0xff ); - rtl_copyMemory( mpTransTab, &(*maDataIter), mnChunkLen ); - maDataIter += mnChunkLen; - mbTransparent = true; - // need alpha transparency if not on/off masking - for( int i = 0; i < mnChunkLen; ++i ) - bNeedAlpha |= (mpTransTab[i]!=0x00) && (mpTransTab[i]!=0xFF); + if (mnChunkLen > 0) + { + rtl_copyMemory( mpTransTab, &(*maDataIter), mnChunkLen ); + maDataIter += mnChunkLen; + // need alpha transparency if not on/off masking + for( int i = 0; i < mnChunkLen; ++i ) + bNeedAlpha |= (mpTransTab[i]!=0x00) && (mpTransTab[i]!=0xFF); + } } } break; |