authorCaolán McNamara <caolanm@redhat.com>2020-12-22 10:18:36 +0000
committerCaolán McNamara <caolanm@redhat.com>2020-12-22 13:56:35 +0100
commit127bfab61c297df06fd8e71e709bc4362cb89d21 (patch)
tree4b75487609a4e8db1db221167d23d5f44ebd0a78
parent77387ae00ae27e3f8bcdf7bccf97fb2db8f196b7 (diff)
oss-fuzz: pngfuzzer doesn't pass sanity check
Step #5: #6 0x63cceaf in __cxa_throw (/tmp/not-out/pngfuzzer+0x63cceaf) Step #5: #7 0x4f1999 in SvStream::ReadUInt32(unsigned int&) (/tmp/not-out/pngfuzzer+0x4f1999) Step #5: #8 0x6a8cd7 in vcl::PNGReaderImpl::PNGReaderImpl(SvStream&) (/tmp/not-out/pngfuzzer+0x6a8cd7) Step #5: #9 0x6b545f in vcl::PNGReader::PNGReader(SvStream&) (/tmp/not-out/pngfuzzer+0x6b545f) Change-Id: Ibf062f8d7dfbbab7bf57be7d4e837c3a8934a40e Reviewed-on: https://gerrit.libreoffice.org/c/core/+/108154 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolanm@redhat.com>
-rw-r--r--vcl/source/filter/png/pngread.cxx15
1 files changed, 10 insertions, 5 deletions
diff --git a/vcl/source/filter/png/pngread.cxx b/vcl/source/filter/png/pngread.cxx
index 5a4e113867c9..cda1c3e9e4b5 100644
--- a/vcl/source/filter/png/pngread.cxx
+++ b/vcl/source/filter/png/pngread.cxx
@@ -228,11 +228,16 @@ PNGReaderImpl::PNGReaderImpl( SvStream& rPNGStream )
mnStreamSize = mrPNGStream.TellEnd();
// check the PNG header magic
- sal_uInt32 nDummy = 0;
- mrPNGStream.ReadUInt32( nDummy );
- mbStatus = (nDummy == 0x89504e47);
- mrPNGStream.ReadUInt32( nDummy );
- mbStatus = (nDummy == 0x0d0a1a0a) && mbStatus;
+ if (mnStreamSize < 8)
+ mbStatus = false;
+ else
+ {
+ sal_uInt32 nDummy = 0;
+ mrPNGStream.ReadUInt32( nDummy );
+ mbStatus = (nDummy == 0x89504e47);
+ mrPNGStream.ReadUInt32( nDummy );
+ mbStatus = (nDummy == 0x0d0a1a0a) && mbStatus;
+ }
mnPreviewShift = 0;
mnPreviewMask = (1 << mnPreviewShift) - 1;
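Review bot: The new guard `if (mnStreamSize < 8)` compares the total stream length (from `TellEnd()` on the line above) against the 8-byte signature, but the two `ReadUInt32` calls read from the stream's current position; if a caller can hand in a stream not positioned at offset 0 (not visible in this hunk), fewer than 8 bytes may remain and the read can still come up short, which is exactly the path the commit message's trace shows throwing out of `SvStream::ReadUInt32`. A guard on the remaining bytes would close that, e.g. `if (mnStreamSize < 8 || mrPNGStream.Tell() > mnStreamSize - 8)`; if offset 0 is an invariant here, a one-line comment such as `// stream is expected to be at offset 0; the 8-byte signature must fit` would at least record the assumption. Independently, `mbStatus` is derived only from the magic values, so checking `mrPNGStream.good()` after the reads would distinguish a failed read from a stream that happens to hold the right bytes. The `PNGReaderImpl` constructor begins before this hunk and continues after it.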