author | Stephan Bergmann <sbergman@redhat.com> | 2017-11-21 08:58:04 +0100 |
---|---|---|
committer | Thorsten Behrens <Thorsten.Behrens@CIB.de> | 2017-11-21 11:45:39 +0100 |
commit | a8d5473a127f82f594346cdd85a9ca08dbe3b624 (patch) | |
tree | 74ba7eb43c54419208ecb9fc9fc75f51ad60750e /vcl/source | |
parent | 600fd17be36bb37a4f439c2c8b812d46fae2007f (diff) |
fix ASan heap-buffer-overflow
e.g. during CppunitTest_sd_misc_tests (see
<https://ci.libreoffice.org/job/lo_ubsan/735/console>) after
66dbd4da3afcadb1393daf9be9cecff71b86509a "tdf#113918: Workaround: Load 1bpp
indexed PNG as 8bpp indexed Bitmap". Looks like PNGReaderImpl::ImplDrawScanline
also needs to special-case mnPngDepth == 1 in the mbTransparent case (and, TODO,
also in the mbAlphaChannel case)?
Change-Id: Ie6a0230ec606f7cc5aaf174b9c0075a3b4cb5b1d
(cherry picked from commit bb11e1283e3d49ec1bfe14c4271edbd49af3e3c1)
Reviewed-on: https://gerrit.libreoffice.org/45021
Reviewed-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>
Tested-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>
Diffstat (limited to 'vcl/source')
-rw-r--r-- | vcl/source/gdi/pngread.cxx | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/vcl/source/gdi/pngread.cxx b/vcl/source/gdi/pngread.cxx index 8100d7116ee3..6850e13bc802 100644 --- a/vcl/source/gdi/pngread.cxx +++ b/vcl/source/gdi/pngread.cxx @@ -1331,6 +1331,22 @@ void PNGReaderImpl::ImplDrawScanline( sal_uInt32 nXStart, sal_uInt32 nXAdd ) for ( long nX = nXStart; nX < maOrigSize.Width(); nX += nXAdd, pTmp++ ) ImplSetAlphaPixel( nY, nX, *pTmp, mpTransTab[ *pTmp ] ); } + else if (mnPngDepth == 1 ) + { + for ( long nX = nXStart, nShift = 0; nX < maOrigSize.Width(); nX += nXAdd ) + { + nShift = (nShift - 1) & 7; + + sal_uInt8 nCol; + if ( nShift == 0 ) + nCol = *(pTmp++); + else + nCol = static_cast<sal_uInt8>( *pTmp >> nShift ); + nCol &= 1; + + ImplSetAlphaPixel( nY, nX, nCol, mpTransTab[ nCol ] ); + } + } else { for ( long nX = nXStart; nX < maOrigSize.Width(); nX += nXAdd, pTmp += 2 ) |
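Review bot: the new `else if (mnPngDepth == 1 )` branch covers only the mbTransparent path, and the commit message leaves the same 1-bit special case in the mbAlphaChannel path as a TODO, so the heap-buffer-overflow this commit addresses may still be reachable there. Either handle that path in this change or record the follow-up in a code comment next to the new branch so it is not lost. Inside the loop, `mpTransTab[ nCol ]` is indexed with 0 or 1 and nothing in the visible lines checks that the transparency table holds two entries; if that is guaranteed elsewhere, say so in a comment, otherwise add a bounds check before the lookup. The `nShift = (nShift - 1) & 7;` countdown (7 down to 0, with pTmp advanced when it reaches 0) would also benefit from a one-line comment stating that bits are consumed most-significant first, one per pixel.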