From ea8a1bda453ed63d9b26b01f29b0701828dde77c Mon Sep 17 00:00:00 2001
From: Caolán McNamara
Date: Thu, 16 Mar 2017 16:35:41 +0000
Subject: ofz#882: test available len against max possible compression

Change-Id: I19867b74d860f379eae17916cc7f6415e6d20074
---
 vcl/source/gdi/pngread.cxx | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'vcl')

diff --git a/vcl/source/gdi/pngread.cxx b/vcl/source/gdi/pngread.cxx
index 6cf9828f682b..09bbc66b695b 100644
--- a/vcl/source/gdi/pngread.cxx
+++ b/vcl/source/gdi/pngread.cxx
@@ -596,6 +596,16 @@ bool PNGReaderImpl::ImplReadHeader( const Size& rPreviewSizeHint )
 if ( nScansize64 > SAL_MAX_UINT32 )
 return false;
 
+ // assume max theoretical compression of 1:1032
+ sal_uInt64 nMinSizeRequired = (nScansize64 * maOrigSize.Height()) / 1032;
+ if (nMinSizeRequired > mnStreamSize)
+ {
+ SAL_WARN("vcl.gdi", "overlarge png dimensions: " <<
+ maOrigSize.Width() << " x " << maOrigSize.Height() << " depth: " << (int)mnPngDepth <<
+ " couldn't be supplied by file length " << mnStreamSize << " at least " << nMinSizeRequired << " needed ");
+ return false;
+ }
+
 mnScansize = static_cast< sal_uInt32 >( nScansize64 );
 
 // calculate target size from original size and the preview hint
-- cgit
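Review bot: The new test `nMinSizeRequired > mnStreamSize` is relative to the input length, so it rejects headers the file cannot possibly back but still lets a well-compressed file ask for roughly 1032 times its own size. If an absolute ceiling on the decoded image is wanted it has to come from a separate check, and the comment should say so, e.g. `// lower bound only: deflate cannot exceed ~1032:1, so a shorter stream cannot hold this image`. The product `nScansize64 * maOrigSize.Height()` also mixes sal_uInt64 with whatever Height() returns; if that is a signed type and non-positive heights are not rejected earlier in ImplReadHeader (outside this hunk), the conversion wraps and the estimate comes out too small, so `static_cast<sal_uInt64>(maOrigSize.Height())` after a positivity check would make the arithmetic unambiguous. It is not visible here whether mnStreamSize is the whole stream or the bytes remaining, nor what it holds when the length is unknown, so it is worth confirming that a zero or stale value cannot reject valid images. The function body starts and ends outside the hunk.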