author Stephan Bergmann <sbergman@redhat.com> 2022-07-20 14:27:37 +0200
committer Stephan Bergmann <sbergman@redhat.com> 2022-07-20 21:43:44 +0200
commit eda0c48278da6549c01c9f0ce4f469249e420d63
tree e9c584da8f1c1832134eafbac688f85d61eb3d8a /sal
parent 2f3b87d18a688b022a18a8b20b69b10cd6af7748

Make combineScanlineChannels stop before padding bytes

At <https://ci.libreoffice.org/job/lo_ubsan/2467>, CppunitTest_sd_export_tests-ooxml1 failed with

> ==4831==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000211c54 at pc 0x7fcdcb44093f bp 0x7ffe85792760 sp 0x7ffe85792758
> READ of size 1 at 0x629000211c54 thread T0
>  #0 0x7fcdcb44093e in (anonymous namespace)::combineScanlineChannels(unsigned char*, unsigned char*, unsigned char*, unsigned int) /vcl/source/filter/png/PngImageWriter.cxx:27:22
>  #1 0x7fcdcb43fbaf in vcl::pngWrite(SvStream&, BitmapEx const&, int, bool, bool, std::__debug::vector<vcl::PngChunk, std::allocator<vcl::PngChunk> > const&) /vcl/source/filter/png/PngImageWriter.cxx:231:21
>  #2 0x7fcdcb43ce80 in vcl::PngImageWriter::write(BitmapEx const&) /vcl/source/filter/png/PngImageWriter.cxx:318:12
>  #3 0x7fcdcaf04bc1 in GraphicFilter::ExportGraphic(Graphic const&, std::basic_string_view<char16_t, std::char_traits<char16_t> >, SvStream&, unsigned short, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const*) /vcl/source/filter/graphicfilter.cxx:1801:28
> 0x629000211c54 is located 0 bytes to the right of 19028-byte region [0x62900020d200,0x629000211c54)
> allocated by thread T0 here:
>  #0 0x4fd898 in operator new[](unsigned long) /home/tdf/lode/packages/llvm-llvmorg-12.0.1.src/compiler-rt/lib/asan/asan_new_delete.cpp:102
>  #1 0x7fcdcbcbd50b in ImplCreateDIB(Size const&, vcl::PixelFormat, BitmapPalette const&) /vcl/headless/svpbmp.cxx:123:24
>  #2 0x7fcdcbcbb483 in SvpSalBitmap::Create(Size const&, vcl::PixelFormat, BitmapPalette const&) /vcl/headless/svpbmp.cxx:152:13
>  #3 0x7fcdca406c59 in Bitmap::Bitmap(Size const&, vcl::PixelFormat, BitmapPalette const*) /vcl/source/bitmap/bitmap.cxx:136:15

because for the given N24BitTcBgr bitmap of size 89x71 we have pAccess->GetScanlineSize() = 268 = 89 * 3 + 1, so combineScanlineChannels wanted to erroneously read an excessive 90th RGB triplet.

Change-Id: Ida117999de075b8906f43bfe4c2b7fa98df80b0f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/137261
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>

Diffstat (limited to 'sal')
0 files changed, 0 insertions, 0 deletions
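
The scanline arithmetic from the commit message above, as an added C++ example (not LibreOffice's code and not part of this commit): a loop bounded by the padded scanline size visits one triplet too many, while a loop bounded by the pixel count stops before the padding. The function names, the second one-byte-per-pixel input row and its stride of 92 are assumptions.

```cpp
// Added illustration; not LibreOffice's PngImageWriter code. Names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Triplets visited by a loop of the form `for (i = 0; i < nBytes; i += 3)`.
constexpr std::size_t tripletsVisited(std::size_t nBytes) { return (nBytes + 2) / 3; }

// Interleave one 3-byte-per-pixel colour row with a 1-byte-per-pixel row.
// The bound is the pixel count, so row padding is never read.
void combineRow(const std::uint8_t* color, const std::uint8_t* extra,
                std::uint8_t* out, std::size_t width)
{
    for (std::size_t x = 0; x < width; ++x)
    {
        *out++ = *color++;
        *out++ = *color++;
        *out++ = *color++;
        *out++ = *extra++;
    }
}

// Combine a padded bitmap; returns an empty vector if the strides or buffer
// sizes cannot hold `width` pixels per row.
std::vector<std::uint8_t> combineBitmap(
    const std::vector<std::uint8_t>& color, std::size_t colorStride,
    const std::vector<std::uint8_t>& extra, std::size_t extraStride,
    std::size_t width, std::size_t height)
{
    if (width * 3 > colorStride || width > extraStride
        || color.size() < colorStride * height || extra.size() < extraStride * height)
        return {};
    std::vector<std::uint8_t> out(width * height * 4);
    for (std::size_t y = 0; y < height; ++y)
        combineRow(color.data() + y * colorStride, extra.data() + y * extraStride,
                   out.data() + y * width * 4, width);
    return out;
}

int main()
{
    // Constructed sample with the geometry from the commit message: 89x71, scanline size 268.
    const std::size_t w = 89, h = 71, stride = 268, extraStride = 92; // 92 is an assumption
    std::vector<std::uint8_t> color(stride * h, 0x11), extra(extraStride * h, 0x80);
    std::printf("scanline-bounded: %zu triplets per row, pixel-bounded: %zu\n",
                tripletsVisited(stride), w);
    std::printf("output bytes: %zu\n",
                combineBitmap(color, stride, extra, extraStride, w, h).size());
}
```

On the last row the 90th triplet would start at offset 267 and extend to offset 269, past the end of the 268 * 71 = 19028-byte buffer, which matches the address AddressSanitizer reports.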