From aa95647f43a4760b76f5e6e62d0b6c1437e97ba1 Mon Sep 17 00:00:00 2001
From: Caolán McNamara
Date: Thu, 2 Mar 2017 10:30:52 +0000
Subject: reject bmps with unknown compression schemes and RLE8/RLE4 compression with wrong bitmap depth
Change-Id: I7e580cb119e90262a88c57b86f562eaba81c4944
(cherry picked from commit 82070481f34091718ee0ca0dd97826c7e3d7d79e)
(cherry picked from commit abf93c45eed3b17b8831e4d0c0afccf6c839c637)
---
.../data/wmf/fail/CVE-2015-0848-1.wmf | Bin 0 -> 4192 bytes
.../data/wmf/pass/CVE-2015-0848-1.wmf | Bin 4192 -> 0 bytes
vcl/source/gdi/dibtools.cxx | 28 ++++++++++++++++-----
3 files changed, 22 insertions(+), 6 deletions(-)
create mode 100644 vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2015-0848-1.wmf
delete mode 100644 vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2015-0848-1.wmf
(limited to 'vcl')
diff --git a/vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2015-0848-1.wmf b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2015-0848-1.wmf
new file mode 100644
index 000000000000..1512a2256bc2
Binary files /dev/null and b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2015-0848-1.wmf differ
diff --git a/vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2015-0848-1.wmf b/vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2015-0848-1.wmf
deleted file mode 100644
index 1512a2256bc2..000000000000
Binary files a/vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2015-0848-1.wmf and /dev/null differ
diff --git a/vcl/source/gdi/dibtools.cxx b/vcl/source/gdi/dibtools.cxx
index 8dd710e5dab1..7218e8fdde14 100644
--- a/vcl/source/gdi/dibtools.cxx
+++ b/vcl/source/gdi/dibtools.cxx
@@ -867,13 +867,29 @@ bool ImplReadDIBBody( SvStream& rIStm, Bitmap& rBmp, AlphaMask* pBmpAlpha, sal_u
 return false;
 const sal_uInt64 nAlignedWidth(AlignedWidth4Bytes(static_cast(nBitsPerLine)));
- // (partially) check the image dimensions to avoid potential large bitmap allocation if the input is damaged
- if (aHeader.nCompression == ZCOMPRESS || aHeader.nCompression == COMPRESS_NONE)
+ switch (aHeader.nCompression)
 {
- sal_uInt64 nMaxWidth = pIStm->remainingSize();
- if (aHeader.nHeight != 0)
- nMaxWidth /= aHeader.nHeight;
- if (nMaxWidth < nAlignedWidth)
+ case RLE_8:
+ if (aHeader.nBitCount != 8)
+ return false;
+ break;
+ case RLE_4:
+ if (aHeader.nBitCount != 4)
+ case BITFIELDS:
+ break;
+ case ZCOMPRESS:
+ case COMPRESS_NONE:
+ {
+ // (partially) check the image dimensions to avoid potential large bitmap allocation if the input is damaged
+ sal_uInt64 nMaxWidth = pIStm->remainingSize();
+ if (aHeader.nHeight != 0)
+ nMaxWidth /= aHeader.nHeight;
+ if (nMaxWidth < nAlignedWidth)
+ return false;
+ break;
+ }
+ default:
 return false;
 }
-- 
cgit
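Review bot: Under `case RLE_4:` the line `if (aHeader.nBitCount != 4)` is followed directly by the `case BITFIELDS:` label, so as printed the labelled `break;` is the body of that `if`: a 4-bit RLE header with the wrong depth is accepted, and one with the right depth falls through into the `ZCOMPRESS`/`COMPRESS_NONE` size check. The hunk header's `+867,29` count allows one more added line than appears here, so a `return false;` was probably lost in rendering; worth confirming against the committed file. Either way, mirroring the `RLE_8` arm with `return false;` followed by `break;` makes the intent explicit and removes the silent fall-through into `BITFIELDS`. A short comment on the `switch` saying why RLE and BITFIELDS inputs bypass the remaining-size check (presumably because a compressed payload need not cover height × aligned width) would help the next reader. `ImplReadDIBBody` begins and ends outside this hunk.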