ofz#59817 Heap-buffer-overflow READ 8

Change-Id: I442d103c7103c0bd88dd7fdefd44c3274a9c80fb Reviewed-on: https://gerrit.libreoffice.org/c/core/+/153038 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
author: Caolán McNamara <caolan.mcnamara@collabora.com> 2023-06-14 09:01:01 +0100
committer: Caolán McNamara <caolan.mcnamara@collabora.com> 2023-06-14 11:12:40 +0200
commit: 4d4920899c10cf5d52dd62bd5b84d8e863fde2ea (patch)
tree: ce0924f9a2cf949ca4426bd77904ea8e168f781a /vcl
parent: e0ef3fed69864530da49cecb09fcc2fcc9acfeaa (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/vcl/source/filter/png/PngImageReader.cxx b/vcl/source/filter/png/PngImageReader.cxx
index ec4e2d421e3c..1cb72bdbe6b5 100644
--- a/vcl/source/filter/png/PngImageReader.cxx
+++ b/vcl/source/filter/png/PngImageReader.cxx
@@ -129,6 +129,8 @@ int handle_unknown_chunk(png_structp png, png_unknown_chunkp chunk)
     APNGInfo* aAPNGInfo = static_cast<APNGInfo*>(png_get_user_chunk_ptr(png));
     if (sName == "acTL")
     {
+        if (chunk->size < sizeof(acTLChunk))
+            return -1;
         aAPNGInfo->maACTLChunk = *reinterpret_cast<acTLChunk*>(chunk->data);
         aAPNGInfo->maACTLChunk.num_frames = OSL_SWAPDWORD(aAPNGInfo->maACTLChunk.num_frames);
         aAPNGInfo->maACTLChunk.num_plays = OSL_SWAPDWORD(aAPNGInfo->maACTLChunk.num_plays);
author	Caolán McNamara <caolan.mcnamara@collabora.com>	2023-06-14 09:01:01 +0100
committer	Caolán McNamara <caolan.mcnamara@collabora.com>	2023-06-14 11:12:40 +0200
commit	4d4920899c10cf5d52dd62bd5b84d8e863fde2ea (patch)
tree	ce0924f9a2cf949ca4426bd77904ea8e168f781a /vcl
parent	e0ef3fed69864530da49cecb09fcc2fcc9acfeaa (diff)