nFrames can't be trusted to believe nSequence exists

Change-Id: Id4745487c97ce89fcf149676c15a974e40ee0eb6 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/156925 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
author: Caolán McNamara <caolan.mcnamara@collabora.com> 2023-09-14 17:41:08 +0100
committer: Caolán McNamara <caolan.mcnamara@collabora.com> 2023-09-14 21:07:47 +0200
commit: b34359bcf2f387bc250411a3b78ffcde88329b0e (patch)
tree: 3222037626407ea29b3755d91e229a808950cdab /vcl
parent: 0aa3e40a733230ae439c98244f6db2f97ede1b01 (diff)
1 files changed, 8 insertions, 5 deletions
diff --git a/vcl/source/filter/png/PngImageReader.cxx b/vcl/source/filter/png/PngImageReader.cxx
index f0236490d773..8b6e319a473c 100644
--- a/vcl/source/filter/png/PngImageReader.cxx
+++ b/vcl/source/filter/png/PngImageReader.cxx
@@ -699,9 +699,12 @@ bool reader(SvStream& rStream, Graphic& rGraphic,
         }
         for (sal_uInt32 i = 0; i < nFrames; i++)
         {
-            // Guaranteed to be fcTL chunk here because it was checked earlier
             fcTLChunk* aFctlChunk
-                = static_cast<fcTLChunk*>(aAPNGInfo.maFrameData[nSequenceIndex++].get());
+                = nSequenceIndex < aAPNGInfo.maFrameData.size()
+                      ? dynamic_cast<fcTLChunk*>(aAPNGInfo.maFrameData[nSequenceIndex++].get())
+                      : nullptr;
+            if (!aFctlChunk)
+                return false;
             Disposal aDisposal = static_cast<Disposal>(aFctlChunk->dispose_op);
             Blend aBlend = static_cast<Blend>(aFctlChunk->blend_op);
             if (i == 0 && aDisposal == Disposal::Back)
@@ -710,7 +713,9 @@ bool reader(SvStream& rStream, Graphic& rGraphic,
             getImportantChunks(rStream, aFrameStream, aFctlChunk->width, aFctlChunk->height);
             // A single frame can have multiple fdAT chunks
             while (fdATChunk* pFdatChunk
-                   = dynamic_cast<fdATChunk*>(aAPNGInfo.maFrameData[nSequenceIndex].get()))
+                   = nSequenceIndex < aAPNGInfo.maFrameData.size()
+                         ? dynamic_cast<fdATChunk*>(aAPNGInfo.maFrameData[nSequenceIndex].get())
+                         : nullptr)
             {
                 // Write fdAT chunks as IDAT chunks
                 auto nDataSize = pFdatChunk->frame_data.size();
@@ -719,8 +724,6 @@ bool reader(SvStream& rStream, Graphic& rGraphic,
                 sal_uInt32 nCrc = rtl_crc32(0, pFdatChunk->frame_data.data(), nDataSize);
                 aFrameStream.WriteUInt32(nCrc);
                 nSequenceIndex++;
-                if (nSequenceIndex >= aAPNGInfo.maFrameData.size())
-                    break;
             }
             aFrameStream.WriteUInt32(PNG_IEND_SIZE);
             aFrameStream.WriteUInt32(PNG_IEND_SIGNATURE);
author	Caolán McNamara <caolan.mcnamara@collabora.com>	2023-09-14 17:41:08 +0100
committer	Caolán McNamara <caolan.mcnamara@collabora.com>	2023-09-14 21:07:47 +0200
commit	b34359bcf2f387bc250411a3b78ffcde88329b0e (patch)
tree	3222037626407ea29b3755d91e229a808950cdab /vcl
parent	0aa3e40a733230ae439c98244f6db2f97ede1b01 (diff)