author | Stephan Bergmann <sbergman@redhat.com> | 2019-06-22 21:44:18 +0200 |
---|---|---|
committer | Stephan Bergmann <sbergman@redhat.com> | 2019-06-23 17:31:02 +0200 |
commit | 8e7f87e7561197f03542a80aaa612a2b6f964d40 (patch) | |
tree | b3098ede431b1b89d77b68505da5daed0db5e3a4 /vcl | |
parent | 92cf12ea025dfda642809d297a015131c1925052 (diff) |
Also treat negative DIBInfoHeader::nX/YPelsPerMeter as an error
According to
<https://docs.microsoft.com/en-us/previous-versions/dd183376(v=vs.85)>
"BITMAPINFOHEADER structure", all of the biWidth, biHeight, biXPelsPerMeter, and
biYPelsPerMeter members are of signed type LONG, but only for biHeight negative
values are documented as meaningful. As this code already rejects negative
values for biHeight, do so also for biXPelsPerMeter and biYPelsPerMeter.
Otherwise, `--convert-to pdf caolan/id:000164,src:000000,op:havoc,rep:8.bmp`
(from the crashtestdata files) would fail with
> vcl/source/filter/jpeg/jpegc.cxx:404:23: runtime error: -12.549 is outside the range of representable values of type 'unsigned short'
> #0 in WriteJPEG(JPEGWriter*, void*, long, long, basegfx::B2DVector const&, bool, long, long, com::sun::star::uno::Reference<com::sun::star::task::XStatusIndicator> const&) at vcl/source/filter/jpeg/jpegc.cxx:404:23
> #1 in JPEGWriter::Write(Graphic const&) at vcl/source/filter/jpeg/JpegWriter.cxx:240:16
> #2 in ExportJPEG(SvStream&, Graphic const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const*, bool*) at vcl/source/filter/jpeg/jpeg.cxx:69:32
> #3 in GraphicFilter::ExportGraphic(Graphic const&, rtl::OUString const&, SvStream&, unsigned short, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const*) at vcl/source/filter/graphicfilter.cxx:2042:22
[...]
because the (maliciously crafted?) bmp file has a negative nYPelsPerMeter that
translates into a negative rPPI.getY().
Change-Id: Id6dddd86d7111ae1a644337288e9f1023cb47670
Reviewed-on: https://gerrit.libreoffice.org/74582
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
Diffstat (limited to 'vcl')
-rw-r--r-- | vcl/source/gdi/dibtools.cxx | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/vcl/source/gdi/dibtools.cxx b/vcl/source/gdi/dibtools.cxx index 57de6fb08ab0..c8f64318f0fd 100644 --- a/vcl/source/gdi/dibtools.cxx +++ b/vcl/source/gdi/dibtools.cxx @@ -267,7 +267,7 @@ bool ImplReadDIBInfoHeader(SvStream& rIStm, DIBV5Header& rHeader, bool& bTopDown bTopDown = false; } - if ( rHeader.nWidth < 0 ) + if ( rHeader.nWidth < 0 || rHeader.nXPelsPerMeter < 0 || rHeader.nYPelsPerMeter < 0 ) { rIStm.SetError( SVSTREAM_FILEFORMAT_ERROR ); } |
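Review bot: The widened condition `rHeader.nWidth < 0 || rHeader.nXPelsPerMeter < 0 || rHeader.nYPelsPerMeter < 0` in ImplReadDIBInfoHeader covers only the negative side of the out-of-range conversion quoted in the commit message (jpegc.cxx:404, a floating-point value converted to `unsigned short`). A large positive nXPelsPerMeter or nYPelsPerMeter may still yield a resolution above what `unsigned short` can represent, so consider an upper bound here as well, or a range check or clamp at the conversion site, which would also cover any other producer of the PPI value. A one-line comment beside the condition, noting that the BITMAPINFOHEADER documentation gives no meaning to negative values for these two fields, would help too, since the test now mixes a dimension check with resolution checks.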