From 8b20ac021d56ed60d09614e82e12538be290264a Mon Sep 17 00:00:00 2001 From: Caolán McNamara Date: Fri, 1 Feb 2019 20:38:42 +0000 Subject: ofz#12828 svm Timeout MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change-Id: I12f493a90177838ea4f29c2b4411846df19241a4 Reviewed-on: https://gerrit.libreoffice.org/67260 Tested-by: Jenkins Reviewed-by: Caolán McNamara Tested-by: Caolán McNamara --- vcl/source/gdi/dibtools.cxx | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'vcl') diff --git a/vcl/source/gdi/dibtools.cxx b/vcl/source/gdi/dibtools.cxx index fd7bb4306076..7070b6783165 100644 --- a/vcl/source/gdi/dibtools.cxx +++ b/vcl/source/gdi/dibtools.cxx @@ -29,6 +29,7 @@ #include #include #include +#include #include #include #include @@ -544,6 +545,12 @@ bool ImplReadDIBBits(SvStream& rIStm, DIBV5Header& rHeader, BitmapWriteAccess& r rIStm.ReadUInt32( nBMask ); } + const long nWidth(rHeader.nWidth); + const long nHeight(rHeader.nHeight); + long nResult = 0; + if (utl::ConfigManager::IsFuzzing() && (o3tl::checked_multiply(nWidth, nHeight, nResult) || nResult > 4000000)) + return false; + if (bRLE) { if(!rHeader.nSizeImage) @@ -561,8 +568,6 @@ bool ImplReadDIBBits(SvStream& rIStm, DIBV5Header& rHeader, BitmapWriteAccess& r } else { - const long nWidth(rHeader.nWidth); - const long nHeight(rHeader.nHeight); if (nAlignedWidth > rIStm.remainingSize()) { // ofz#11188 avoid timeout -- cgit