filter/source/graphicfilter/ipsd/ipsd.cxx | 15 ++++++++++++--- include/sal/log-areas.dox | 1 + sw/source/filter/ww8/ww8scan.cxx | 2 +- 3 files changed, 14 insertions(+), 4 deletions(-)
New commits: commit b82fc702bae9d6190bda1b4818a47cfa197df6d8 Author: Caolán McNamara <[email protected]> AuthorDate: Tue Dec 22 10:31:35 2020 +0000 Commit: Caolán McNamara <[email protected]> CommitDate: Tue Dec 22 15:07:24 2020 +0100 oss-fuzz: psdfuzzer doesn't pass sanity check Step #5: #6 0x63cce7f in __cxa_throw (/tmp/not-out/psdfuzzer+0x63cce7f) Step #5: #7 0x4f1af9 in SvStream::ReadUInt32(unsigned int&) (/tmp/not-out/psdfuzzer+0x4f1af9) Step #5: #8 0x1d9dfd6 in (anonymous namespace)::PSDReader::ImplReadHeader() (/tmp/not-out/psdfuzzer+0x1d9dfd6) Step #5: #9 0x1d9d1a6 in (anonymous namespace)::PSDReader::ReadPSD(Graphic&) (/tmp/not-out/psdfuzzer+0x1d9d1a6) Step #5: #10 0x1d9cd38 in ipdGraphicImport (/tmp/not-out/psdfuzzer+0x1d9cd38) Change-Id: I407e7a32dd8e2fffb508edf896b9ca4783b94c97 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/108157 Tested-by: Caolán McNamara <[email protected]> Reviewed-by: Caolán McNamara <[email protected]>
diff --git a/filter/source/graphicfilter/ipsd/ipsd.cxx b/filter/source/graphicfilter/ipsd/ipsd.cxx
index 3c219870f1d2..528914a5cba1 100644
--- a/filter/source/graphicfilter/ipsd/ipsd.cxx
+++ b/filter/source/graphicfilter/ipsd/ipsd.cxx
@@ -325,7 +325,7 @@ namespace
 if (nIndex >= rvPalette.size())
 {
 auto nSanitizedIndex = nIndex % rvPalette.size();
- SAL_WARN_IF(nIndex != nSanitizedIndex, "filter.tga", "invalid colormap index: "
+ SAL_WARN_IF(nIndex != nSanitizedIndex, "filter.psd", "invalid colormap index: "
 << static_cast<unsigned int>(nIndex) << ", colormap len is: " << rvPalette.size());
 nIndex = nSanitizedIndex;
@@ -764,8 +764,17 @@ extern "C" SAL_DLLPUBLIC_EXPORT bool ipdGraphicImport( SvStream & rStream, Graphic & rGraphic, FilterConfigItem* )
 {
 PSDReader aPSDReader(rStream);
-
- return aPSDReader.ReadPSD(rGraphic);
+ bool bRet;
+ try
+ {
+ bRet = aPSDReader.ReadPSD(rGraphic);
+ }
+ catch (const SvStreamEOFException&)
+ {
+ SAL_WARN("filter.psd", "EOF");
+ bRet = false;
+ }
+ return bRet;
 }
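Review bot: In the first ipsd.cxx hunk (around line 325), the context line `auto nSanitizedIndex = nIndex % rvPalette.size();` divides by the palette size inside a branch that is also taken when the palette is empty, since `nIndex >= rvPalette.size()` holds for every index when the size is 0. Whether callers guarantee a non-empty palette is not visible here, because the enclosing function starts and ends outside the hunk. Since the palette presumably comes from the file being imported, an explicit `rvPalette.empty()` check before the modulo would make this safe regardless of the caller. Separately, `SAL_WARN_IF(nIndex != nSanitizedIndex, ...)` looks always true inside this branch, so a plain `SAL_WARN` would say the same thing.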
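Review bot: In the second ipsd.cxx hunk, the new handler in ipdGraphicImport catches only `SvStreamEOFException`, so any other exception raised while parsing an untrusted PSD would still escape this `extern "C"` entry point. Whether ReadPSD can throw anything else is not visible in the hunk and is worth confirming. The `PSDReader aPSDReader(rStream);` construction also sits outside the `try`, which is only safe if the constructor performs no stream reads. As a smaller point, `bRet` is declared uninitialised; `return aPSDReader.ReadPSD(rGraphic);` inside the `try` and `return false;` in the handler would remove the variable. The warning text `"EOF"` would be easier to triage as something like `"PSD import: unexpected end of stream"`.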
diff --git a/include/sal/log-areas.dox b/include/sal/log-areas.dox
index 871e57319f6d..e6463117d1b8 100644
--- a/include/sal/log-areas.dox
+++ b/include/sal/log-areas.dox
@@ -231,6 +231,7 @@ certain functionality.
 @li @c filter.pcx
 @li @c filter.pdf
 @li @c filter.pict
+@li @c filter.psd
 @li @c filter.ras
 @li @c filter.svg
 @li @c filter.tga
commit 4a03f6acf4a584e8212dce84ef08ca8d55f5a87f Author: Miklos Vajna <[email protected]> AuthorDate: Tue Dec 22 11:11:54 2020 +0100 Commit: Miklos Vajna <[email protected]> CommitDate: Tue Dec 22 14:04:41 2020 +0100 sw: check for remaining stream size in the WW8Fib ctor Commit 8c9a4ff511a3b1d84a7a6d08a1b153c07f164abb (throw exception in SvStream when reading past end of file, 2020-11-16) changed the "read past the end of the stream" behavior to throw, and this broke online.git's unit-password-protected test. Fix the problem by not attempting to read if we know the remaining size is too small, even if the stream is good. Change-Id: I62f1532fc87a14c9f1f5e681e3ad67e4d575e8a5 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/108152 Reviewed-by: Miklos Vajna <[email protected]> Tested-by: Jenkins
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 01041ef4a02c..bee3a698c326 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -6005,7 +6005,7 @@ WW8Fib::WW8Fib(SvStream& rSt, sal_uInt8 nWantedVersion, sal_uInt32 nOffset):
 // Read cswNew to find out if nFib should be ignored.
 sal_uInt32 nPos = rSt.Tell();
 rSt.SeekRel(m_cfclcb * 8);
- if (rSt.good())
+ if (rSt.good() && rSt.remainingSize() >= 2)
 {
 rSt.ReadUInt16(m_cswNew);
 }
_______________________________________________ Libreoffice-commits mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
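Review bot: In the ww8scan.cxx hunk, the literal `2` in the new `rSt.remainingSize() >= 2` guard is the size of the value read on the next line and would be clearer tied to it, e.g. `if (rSt.good() && rSt.remainingSize() >= sizeof(m_cswNew))`. When the guard fails, `m_cswNew` keeps whatever value it had before and the stream is not flagged as failed. The rest of the WW8Fib constructor is outside this hunk, so it is worth confirming that later code treats that case as "no cswNew present" rather than trusting a stale value. The seek distance `m_cfclcb * 8` is presumably taken from the document being parsed, so other reads in this constructor that follow a file-controlled seek may need the same remaining-size check now that SvStream throws at end of file.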
