diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2014-11-21 09:40:09 +0000 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2014-11-21 11:55:11 +0000 |
| commit | b5c51b706850f4fd86f26b17169a272ae02c3da8 (patch) | |
| tree | fd471f07d87aff12a809a4b235d5837fe3c9768b | |
| parent | af26bb77d2dd63fd6d5473c234f746b3b38dc3f6 (diff) | |
coverity#1242658 Untrusted loop bound
Change-Id: Ib3bb7f28b051c2886b470a77bdc6daf683a03f84
| -rw-r--r-- | filter/source/graphicfilter/ipict/ipict.cxx | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/filter/source/graphicfilter/ipict/ipict.cxx b/filter/source/graphicfilter/ipict/ipict.cxx index 852e69b7dd68..acef0b77ce3e 100644 --- a/filter/source/graphicfilter/ipict/ipict.cxx +++ b/filter/source/graphicfilter/ipict/ipict.cxx @@ -909,6 +909,19 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap &rBitmap, bool bBaseAddr, bool bColo if ( nRowBytes < 2 * nWidth ) BITMAPERROR; + size_t nMinRecordSize; + if ( nRowBytes < 8 || nPackType == 1 ) + nMinRecordSize = sizeof(sal_uInt16); + else if ( nRowBytes > 250 ) + nMinRecordSize = sizeof(sal_uInt16); + else + nMinRecordSize = 1; + + const size_t nMinRowWidth = nWidth * nMinRecordSize; + const size_t nMaxRows = pPict->remainingSize() / nMinRowWidth; + if (nHeight > nMaxRows) + BITMAPERROR; + for ( ny = 0; ny < nHeight; ny++ ) { nx = 0; @@ -1031,6 +1044,20 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap &rBitmap, bool bBaseAddr, bool bColo { if ( ( nCmpCount == 3 ) || ( nCmpCount == 4 ) ) { + size_t nMinRecordSize; + if (nRowBytes > 250) + nMinRecordSize = sizeof(sal_uInt16); + else + nMinRecordSize = 1; + + const size_t nMinRowWidth = nWidth * nMinRecordSize; + const size_t nMaxRows = pPict->remainingSize() / nMinRowWidth; + if (nHeight > nMaxRows) + BITMAPERROR; + const size_t nMaxWidth = pPict->remainingSize() / nHeight; + if (nWidth > nMaxWidth) + BITMAPERROR; + boost::scoped_array<sal_uInt8> pScanline(new sal_uInt8[static_cast<size_t>(nWidth) * nCmpCount]); for ( ny = 0; ny < nHeight; ny++ ) { |