ofz#59854 Null-dereference WRITE

Change-Id: Iedbf21248b7d75474ea325905569d192360380f2 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/153155 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
author: Caolán McNamara <caolan.mcnamara@collabora.com> 2023-06-15 21:29:49 +0100
committer: Caolán McNamara <caolan.mcnamara@collabora.com> 2023-06-16 09:43:16 +0200
commit: 20e05507fa2d7d9cec485d14f382920edd6f2528 (patch)
tree: 0d6ded84ed41b116c345702dd488fc0494cb2d42 /vcl
parent: 6faa71b93086dce838a2c80f8935df275955756d (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/vcl/source/filter/png/PngImageReader.cxx b/vcl/source/filter/png/PngImageReader.cxx
index 7e3fdbe44d71..a04344b4afe6 100644
--- a/vcl/source/filter/png/PngImageReader.cxx
+++ b/vcl/source/filter/png/PngImageReader.cxx
@@ -164,8 +164,11 @@ int handle_unknown_chunk(png_structp png, png_unknown_chunkp chunk)
         }
         else if (sName == "fdAT")
         {
-            std::unique_ptr<fdATChunk> aChunk = std::make_unique<fdATChunk>();
             size_t nDataSize = chunk->size;
+            if (nDataSize < 4)
+                return -1;
+
+            std::unique_ptr<fdATChunk> aChunk = std::make_unique<fdATChunk>();
             aChunk->frame_data.resize(nDataSize);
             // Replace sequence number with the IDAT signature
             sal_uInt32 nIDATSwapped = OSL_SWAPDWORD(PNG_IDAT_SIGNATURE);
author	Caolán McNamara <caolan.mcnamara@collabora.com>	2023-06-15 21:29:49 +0100
committer	Caolán McNamara <caolan.mcnamara@collabora.com>	2023-06-16 09:43:16 +0200
commit	20e05507fa2d7d9cec485d14f382920edd6f2528 (patch)
tree	0d6ded84ed41b116c345702dd488fc0494cb2d42 /vcl
parent	6faa71b93086dce838a2c80f8935df275955756d (diff)