diff options
author | Caolán McNamara <caolanm@redhat.com> | 2012-04-19 20:46:59 +0100 |
---|---|---|
committer | Petr Mladek <pmladek@suse.cz> | 2012-04-23 17:19:20 +0200 |
commit | 15afc7ab406141983f8b64fca116586e3c1cb581 (patch) | |
tree | 24fc50e6e83049b2c89a4b20a094539dfbfcab08 /vcl | |
parent | ed5010f24fc3992945f72225e3d7d1351f048404 (diff) |
fail earlier on oversized images
Signed-off-by: Petr Mladek <pmladek@suse.cz>
Diffstat (limited to 'vcl')
-rw-r--r-- | vcl/source/gdi/pngread.cxx | 27 |
1 files changed, 19 insertions, 8 deletions
diff --git a/vcl/source/gdi/pngread.cxx b/vcl/source/gdi/pngread.cxx index 1c590b5ec905..2302e33524c8 100644 --- a/vcl/source/gdi/pngread.cxx +++ b/vcl/source/gdi/pngread.cxx @@ -620,14 +620,6 @@ sal_Bool PNGReaderImpl::ImplReadHeader( const Size& rPreviewSizeHint ) mnScansize = static_cast< sal_uInt32 >( nScansize64 ); - // TODO: switch between both scanlines instead of copying - mpInflateInBuf = new (std::nothrow) sal_uInt8[ mnScansize ]; - mpScanCurrent = mpInflateInBuf; - mpScanPrior = new (std::nothrow) sal_uInt8[ mnScansize ]; - - if ( !mpInflateInBuf || !mpScanPrior ) - return sal_False; - // calculate target size from original size and the preview hint if( rPreviewSizeHint.Width() || rPreviewSizeHint.Height() ) { @@ -662,6 +654,25 @@ sal_Bool PNGReaderImpl::ImplReadHeader( const Size& rPreviewSizeHint ) maTargetSize.Width() = (maOrigSize.Width() + mnPreviewMask) >> mnPreviewShift; maTargetSize.Height() = (maOrigSize.Height() + mnPreviewMask) >> mnPreviewShift; + //round bits up to nearest multiple of 8 and divide by 8 to get num of bytes per pixel + int nBytesPerPixel = ((mnTargetDepth + 7) & ~7)/8; + + //stupidly big, forget about it + if (maTargetSize.Width() >= SAL_MAX_INT32 / nBytesPerPixel / maTargetSize.Height()) + { + SAL_WARN( "vcl", "overlarge png dimensions: " << + maTargetSize.Width() << " x " << maTargetSize.Height() << " depth: " << mnTargetDepth); + return sal_False; + } + + // TODO: switch between both scanlines instead of copying + mpInflateInBuf = new (std::nothrow) sal_uInt8[ mnScansize ]; + mpScanCurrent = mpInflateInBuf; + mpScanPrior = new (std::nothrow) sal_uInt8[ mnScansize ]; + + if ( !mpInflateInBuf || !mpScanPrior ) + return sal_False; + mpBmp = new Bitmap( maTargetSize, mnTargetDepth ); mpAcc = mpBmp->AcquireWriteAccess(); if( !mpAcc ) |