authorCaolán McNamara <caolanm@redhat.com>2017-03-02 10:30:52 +0000
committerAshod Nakashian <ashod.nakashian@collabora.co.uk>2017-12-05 08:17:27 -0500
commitaa95647f43a4760b76f5e6e62d0b6c1437e97ba1 (patch)
tree4dd1edff517c90fcd58c9055a2c54e6ce877dd80 /vcl
parent1c5dfa9bd3c24fdeec92e8334461a70d07202f0f (diff)
reject bmps with unknown compression schemes
and RLE8/RLE4 compression with wrong bitmap depth Change-Id: I7e580cb119e90262a88c57b86f562eaba81c4944 (cherry picked from commit 82070481f34091718ee0ca0dd97826c7e3d7d79e) (cherry picked from commit abf93c45eed3b17b8831e4d0c0afccf6c839c637)
Diffstat (limited to 'vcl')
-rw-r--r--vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2015-0848-1.wmf (renamed from vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2015-0848-1.wmf)bin4192 -> 4192 bytes
-rw-r--r--vcl/source/gdi/dibtools.cxx28
2 files changed, 22 insertions, 6 deletions
diff --git a/vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2015-0848-1.wmf b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2015-0848-1.wmf
index 1512a2256bc2..1512a2256bc2 100644
--- a/vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2015-0848-1.wmf
+++ b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2015-0848-1.wmf
Binary files differ
diff --git a/vcl/source/gdi/dibtools.cxx b/vcl/source/gdi/dibtools.cxx
index 8dd710e5dab1..7218e8fdde14 100644
--- a/vcl/source/gdi/dibtools.cxx
+++ b/vcl/source/gdi/dibtools.cxx
@@ -867,13 +867,29 @@ bool ImplReadDIBBody( SvStream& rIStm, Bitmap& rBmp, AlphaMask* pBmpAlpha, sal_u
return false;
const sal_uInt64 nAlignedWidth(AlignedWidth4Bytes(static_cast<sal_uLong>(nBitsPerLine)));
- // (partially) check the image dimensions to avoid potential large bitmap allocation if the input is damaged
- if (aHeader.nCompression == ZCOMPRESS || aHeader.nCompression == COMPRESS_NONE)
+ switch (aHeader.nCompression)
{
- sal_uInt64 nMaxWidth = pIStm->remainingSize();
- if (aHeader.nHeight != 0)
- nMaxWidth /= aHeader.nHeight;
- if (nMaxWidth < nAlignedWidth)
+ case RLE_8:
+ if (aHeader.nBitCount != 8)
+ return false;
+ break;
+ case RLE_4:
+ if (aHeader.nBitCount != 4)
+ return false;
+ case BITFIELDS:
+ break;
+ case ZCOMPRESS:
+ case COMPRESS_NONE:
+ {
+ // (partially) check the image dimensions to avoid potential large bitmap allocation if the input is damaged
+ sal_uInt64 nMaxWidth = pIStm->remainingSize();
+ if (aHeader.nHeight != 0)
+ nMaxWidth /= aHeader.nHeight;
+ if (nMaxWidth < nAlignedWidth)
+ return false;
+ break;
+ }
+ default:
return false;
}
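Review bot: The `RLE_4` case has no `break;` after its bit-depth check and falls through into `case BITFIELDS:`, which is harmless only because that case is currently empty. Add `break;` after the `return false;` (or a `// fall-through` comment if the sharing is intended) so that a check later added under `BITFIELDS` does not silently apply to RLE4 input as well. Separately, as far as the hunk shows, the `RLE_8`, `RLE_4` and `BITFIELDS` paths leave the switch without the `remainingSize()` bound that `ZCOMPRESS`/`COMPRESS_NONE` get, so a damaged header with large dimensions may still reach the bitmap allocation on those paths. `BITFIELDS` pixel data is uncompressed and could probably share the `COMPRESS_NONE` check, while the RLE cases would need a looser bound that allows for the compression ratio. ImplReadDIBBody starts and ends outside the hunk, so a later check that covers this is not visible here.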