From bb11e1283e3d49ec1bfe14c4271edbd49af3e3c1 Mon Sep 17 00:00:00 2001
From: Stephan Bergmann <sbergman@redhat.com>
Date: Tue, 21 Nov 2017 08:58:04 +0100
Subject: [PATCH] ASan heap-buffer-overflow

e.g. during CppunitTest_sd_misc_tests (see
<https://ci.libreoffice.org/job/lo_ubsan/735/console>) after
66dbd4da3afcadb1393daf9be9cecff71b86509a "tdf#113918: Workaround: Load 1bpp
indexed PNG as 8bpp indexed Bitmap".  Looks like PNGReaderImpl::ImplDrawScanline
also needs to special-case mnPngDepth == 1 in the mbTransparent case (and, TODO,
also in the mbAlphaChannel case)?

Change-Id: Ie6a0230ec606f7cc5aaf174b9c0075a3b4cb5b1d
---
 vcl/source/gdi/pngread.cxx | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/vcl/source/gdi/pngread.cxx b/vcl/source/gdi/pngread.cxx
index bc218f8d9964..7a1f8ef46136 100644
--- a/vcl/source/gdi/pngread.cxx
+++ b/vcl/source/gdi/pngread.cxx
@@ -1328,6 +1328,22 @@ void PNGReaderImpl::ImplDrawScanline( sal_uInt32 nXStart, sal_uInt32 nXAdd )
                         for ( long nX = nXStart; nX < maOrigSize.Width(); nX += nXAdd, pTmp++ )
                             ImplSetAlphaPixel( nY, nX, *pTmp, mpTransTab[ *pTmp ] );
                     }
+                    else if (mnPngDepth == 1 )
+                    {
+                        for ( long nX = nXStart, nShift = 0; nX < maOrigSize.Width(); nX += nXAdd )
+                        {
+                            nShift = (nShift - 1) & 7;
+
+                            sal_uInt8 nCol;
+                            if ( nShift == 0 )
+                                nCol = *(pTmp++);
+                            else
+                                nCol = static_cast<sal_uInt8>( *pTmp >> nShift );
+                            nCol &= 1;
+
+                            ImplSetAlphaPixel( nY, nX, nCol, mpTransTab[ nCol ] );
+                        }
+                    }
                     else
                     {
                         for ( long nX = nXStart; nX < maOrigSize.Width(); nX += nXAdd, pTmp += 2 )