diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2015-07-15 11:31:18 +0100 |
|---|---|---|
| committer | Andras Timar <andras.timar@collabora.com> | 2015-08-03 17:51:23 +0200 |
| commit | cd6623f51f36a3cc575ee56da9f0a99ae7e5a70b (patch) | |
| tree | d403fa464db4a6c5cda8b30b70d8b04c20edc74d | |
| parent | c22ac6d4a2d8b9e8875060c4468acb69eb35521d (diff) | |
check stream state more often for failures
Change-Id: Ie45d858021c3123ec21829cbf4742cf30ce46665
(cherry picked from commit adfa89b5ffc3589b3a19a32e707a134cee232429)
Reviewed-on: https://gerrit.libreoffice.org/17072
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
Tested-by: Michael Meeks <michael.meeks@collabora.com>
| -rw-r--r-- | filter/qa/cppunit/data/ras/fail/CVE-2008-1097-1.ras (renamed from filter/qa/cppunit/data/ras/pass/CVE-2008-1097-1.ras) | bin | 92752 -> 92752 bytes | |||
| -rw-r--r-- | filter/source/graphicfilter/iras/iras.cxx | 24 |
2 files changed, 14 insertions, 10 deletions
diff --git a/filter/qa/cppunit/data/ras/pass/CVE-2008-1097-1.ras b/filter/qa/cppunit/data/ras/fail/CVE-2008-1097-1.ras Binary files differindex effd654ac5e4..effd654ac5e4 100644 --- a/filter/qa/cppunit/data/ras/pass/CVE-2008-1097-1.ras +++ b/filter/qa/cppunit/data/ras/fail/CVE-2008-1097-1.ras diff --git a/filter/source/graphicfilter/iras/iras.cxx b/filter/source/graphicfilter/iras/iras.cxx index 2f441cf8cc12..61d5128b2320 100644 --- a/filter/source/graphicfilter/iras/iras.cxx +++ b/filter/source/graphicfilter/iras/iras.cxx @@ -54,7 +54,7 @@ private: bool ImplReadBody(BitmapWriteAccess * pAcc); bool ImplReadHeader(); - sal_uInt8 ImplGetByte(); + sal_uInt8 ImplGetByte(); public: RASReader(SvStream &rRAS); @@ -174,13 +174,11 @@ bool RASReader::ReadRAS(Graphic & rGraphic) return mbStatus; } - - bool RASReader::ImplReadHeader() { m_rRAS.ReadInt32(mnWidth).ReadInt32(mnHeight).ReadInt32(mnDepth).ReadInt32(mnImageDatSize).ReadInt32(mnType).ReadInt32(mnColorMapType).ReadInt32(mnColorMapSize); - if ( mnWidth <= 0 || mnHeight <= 0 || mnImageDatSize <= 0 ) + if (mnWidth <= 0 || mnHeight <= 0 || mnImageDatSize <= 0 || !m_rRAS.good()) mbStatus = false; switch ( mnDepth ) @@ -222,7 +220,7 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc) switch ( mnDstBitsPerPix ) { case 1 : - for ( y = 0; y < mnHeight; y++ ) + for (y = 0; y < mnHeight && mbStatus; ++y) { for ( x = 0; x < mnWidth; x++ ) { @@ -233,11 +231,13 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc) nDat >> ( ( x & 7 ) ^ 7 )) ); } if (!( ( x - 1 ) & 0x8 ) ) ImplGetByte(); // WORD ALIGNMENT ??? + if (!m_rRAS.good()) + mbStatus = false; } break; case 8 : - for ( y = 0; y < mnHeight; y++ ) + for (y = 0; y < mnHeight && mbStatus; ++y) { for ( x = 0; x < mnWidth; x++ ) { @@ -245,6 +245,8 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc) pAcc->SetPixelIndex( y, x, nDat ); } if ( x & 1 ) ImplGetByte(); // WORD ALIGNMENT ??? + if (!m_rRAS.good()) + mbStatus = false; } break; @@ -253,7 +255,7 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc) { case 24 : - for ( y = 0; y < mnHeight; y++ ) + for (y = 0; y < mnHeight && mbStatus; ++y) { for ( x = 0; x < mnWidth; x++ ) { @@ -272,11 +274,13 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc) pAcc->SetPixel ( y, x, BitmapColor( nRed, nGreen, nBlue ) ); } if ( x & 1 ) ImplGetByte(); // WORD ALIGNMENT ??? + if (!m_rRAS.good()) + mbStatus = false; } break; case 32 : - for ( y = 0; y < mnHeight; y++ ) + for (y = 0; y < mnHeight && mbStatus; ++y) { for ( x = 0; x < mnWidth; x++ ) { @@ -295,6 +299,8 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc) } pAcc->SetPixel ( y, x, BitmapColor( nRed, nGreen, nBlue ) ); } + if (!m_rRAS.good()) + mbStatus = false; } break; } @@ -307,8 +313,6 @@ bool RASReader::ImplReadBody(BitmapWriteAccess * pAcc) return mbStatus; } - - sal_uInt8 RASReader::ImplGetByte() { sal_uInt8 nRetVal; |