ASan heap-buffer-overflow

e.g. during CppunitTest_sd_misc_tests (see
<https://ci.libreoffice.org/job/lo_ubsan/735/console>) after
66dbd4da3a "tdf#113918: Workaround: Load 1bpp
indexed PNG as 8bpp indexed Bitmap".  Looks like PNGReaderImpl::ImplDrawScanline
also needs to special-case mnPngDepth == 1 in the mbTransparent case (and, TODO,
also in the mbAlphaChannel case)?

Change-Id: Ie6a0230ec606f7cc5aaf174b9c0075a3b4cb5b1d
This commit is contained in:
Stephan Bergmann 2017-11-21 08:58:04 +01:00
parent 11ca1f86f8
commit bb11e1283e

View file

@ -1328,6 +1328,22 @@ void PNGReaderImpl::ImplDrawScanline( sal_uInt32 nXStart, sal_uInt32 nXAdd )
for ( long nX = nXStart; nX < maOrigSize.Width(); nX += nXAdd, pTmp++ )
ImplSetAlphaPixel( nY, nX, *pTmp, mpTransTab[ *pTmp ] );
}
else if (mnPngDepth == 1 )
{
for ( long nX = nXStart, nShift = 0; nX < maOrigSize.Width(); nX += nXAdd )
{
nShift = (nShift - 1) & 7;
sal_uInt8 nCol;
if ( nShift == 0 )
nCol = *(pTmp++);
else
nCol = static_cast<sal_uInt8>( *pTmp >> nShift );
nCol &= 1;
ImplSetAlphaPixel( nY, nX, nCol, mpTransTab[ nCol ] );
}
}
else
{
for ( long nX = nXStart; nX < maOrigSize.Width(); nX += nXAdd, pTmp += 2 )