vcl/source/filter/png/PngImageReader.cxx |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

New commits:
commit a2eb4bcf2363c13af81e4c53710c2703158130bf
Author:     Julien Nabet <serval2...@yahoo.fr>
AuthorDate: Tue Jun 13 21:43:07 2023 +0200
Commit:     Julien Nabet <serval2...@yahoo.fr>
CommitDate: Wed Jun 14 08:03:01 2023 +0200

    Fix heap-buffer-overflow in vcl/PngImageReader
    
    From Jenkins_Linux_Ubsan:
    25488         ==1050==ERROR: AddressSanitizer: heap-buffer-overflow on 
address 0x6030001a44a4 at pc 0x0000004b6b04 bp 0x7ffed00d4630 sp 0x7ffed00d3de0
    25489         WRITE of size 24 at 0x6030001a44a4 thread T0
    25490             #0 0x4b6b03 in __asan_memcpy 
/home/tdf/lode/packages/llvm-llvmorg-12.0.1.src/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22
    25491             #1 0x7f3dab812b94 in SvStream::ReadBytes(void*, unsigned 
long) /tools/source/stream/stream.cxx:1134:17
    25492             #2 0x7f3da1fc7a8a in (anonymous 
namespace)::getImportantChunks(SvStream&, SvStream&, unsigned int, unsigned 
int) /vcl/source/filter/png/PngImageReader.cxx:270:27
    25493             #3 0x7f3da1fb7364 in (anonymous 
namespace)::reader(SvStream&, Graphic&, GraphicFilterImportFlags, 
vcl::ScopedBitmapAccess<BitmapWriteAccess, Bitmap, 
&(Bitmap::AcquireWriteAccess())>*, vcl::ScopedBitmapAccess<BitmapWriteAccess, 
AlphaMask, &(AlphaMask::AcquireAlphaWriteAccess())>*) 
/vcl/source/filter/png/PngImageReader.cxx:714:13
    25494             #4 0x7f3da1fb9663 in vcl::PngImageReader::read(Graphic&) 
/vcl/source/filter/png/PngImageReader.cxx:830:55
    25495             #5 0x7f3d8299c092 in PngFilterTest::testApng() 
/vcl/qa/cppunit/png/PngFilterTest.cxx:380:32
    ...
    since bf944e33569e4a1d6236a54671b7320cdc6ffaf6
    tdf#104877 Add basic APNG format support
    
    Change-Id: Ib46637a8422e1fbb1ab84ee69bf6f95299dd84a8
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/153003
    Tested-by: Julien Nabet <serval2...@yahoo.fr>
    Reviewed-by: Julien Nabet <serval2...@yahoo.fr>

diff --git a/vcl/source/filter/png/PngImageReader.cxx 
b/vcl/source/filter/png/PngImageReader.cxx
index d560736e686a..ec4e2d421e3c 100644
--- a/vcl/source/filter/png/PngImageReader.cxx
+++ b/vcl/source/filter/png/PngImageReader.cxx
@@ -266,7 +266,8 @@ void getImportantChunks(SvStream& rInStream, SvStream& 
rOutStream, sal_uInt32 nW
                 // Seek back to start of chunk
                 rInStream.SeekRel(-PNG_TYPE_SIZE - PNG_SIZE_SIZE);
                 // Copy chunk to rOutStream
-                std::vector<uint8_t> aData(nChunkSize + PNG_TYPE_SIZE + 
PNG_SIZE_SIZE);
+                std::vector<uint8_t> aData(nChunkSize + PNG_TYPE_SIZE + 
PNG_SIZE_SIZE
+                                           + PNG_CRC_SIZE);
                 rInStream.ReadBytes(aData.data(),
                                     PNG_TYPE_SIZE + PNG_SIZE_SIZE + nChunkSize 
+ PNG_CRC_SIZE);
                 rOutStream.WriteBytes(aData.data(),
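Review bot: The ReadBytes call right after the resized allocation still discards its return value, so a truncated or malformed file whose nChunkSize exceeds the bytes remaining in rInStream leaves aData only partially filled, and the WriteBytes call then copies the zero-filled tail into rOutStream as if it were chunk data; the same size expression is also spelled out twice, which is how the buffer and the read length drifted apart in the first place. I would size the buffer once and check the read against it: `const std::size_t nRead = rInStream.ReadBytes(aData.data(), aData.size());` followed by `if (nRead != aData.size()) return;` (or whatever failure path getImportantChunks otherwise uses), with WriteBytes likewise passing `aData.size()` instead of repeating the sum. It is not visible here whether nChunkSize, which comes straight from the file, is bounded before this point; if it is not, `nChunkSize + PNG_TYPE_SIZE + PNG_SIZE_SIZE + PNG_CRC_SIZE` can wrap for values near the type's maximum and an oversized but non-wrapping value forces a very large allocation. getImportantChunks starts and ends outside the hunk.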
