Skip to content
Permalink
Browse files Browse the repository at this point in the history
Resolves: ofz#313 cbBmiSrc > getDIBV5HeaderSize
Change-Id: I67fb67dc0a4cb609b8f1391c1eb6dd395755a933
  • Loading branch information
Caolán McNamara committed Dec 22, 2016
1 parent 88dad8f commit 7485fc2
Showing 1 changed file with 13 additions and 4 deletions.
17 changes: 13 additions & 4 deletions vcl/source/filter/wmf/enhwmf.cxx
Expand Up @@ -1252,13 +1252,22 @@ bool EnhWMFReader::ReadEnhWMF()
else
{
const sal_uInt32 nSourceSize = cbBmiSrc + cbBitsSrc + 14;
if ( nSourceSize <= ( nEndPos - nStartPos ) )
bool bSafeRead = nSourceSize <= (nEndPos - nStartPos);
sal_uInt32 nDeltaToDIB5HeaderSize(0);
const bool bReadAlpha(0x01 == aFunc.aAlphaFormat);
if (bSafeRead && bReadAlpha)
{
// we need to read alpha channel data if AlphaFormat of BLENDFUNCTION is
// AC_SRC_ALPHA (==0x01). To read it, create a temp DIB-File which is ready
// for DIB-5 format
const bool bReadAlpha(0x01 == aFunc.aAlphaFormat);
const sal_uInt32 nDeltaToDIB5HeaderSize(bReadAlpha ? getDIBV5HeaderSize() - cbBmiSrc : 0);
const sal_uInt32 nHeaderSize = getDIBV5HeaderSize();
if (cbBmiSrc > nHeaderSize)
bSafeRead = false;
else
nDeltaToDIB5HeaderSize = nHeaderSize - cbBmiSrc;
}
if (bSafeRead)
{
const sal_uInt32 nTargetSize(cbBmiSrc + nDeltaToDIB5HeaderSize + cbBitsSrc + 14);
char* pBuf = new char[ nTargetSize ];
SvMemoryStream aTmp( pBuf, nTargetSize, StreamMode::READ | StreamMode::WRITE );
Expand All @@ -1277,7 +1286,7 @@ bool EnhWMFReader::ReadEnhWMF()
pWMF->Seek( nStart + offBmiSrc );
pWMF->ReadBytes(pBuf + 14, cbBmiSrc);

if(bReadAlpha)
if (bReadAlpha)
{
// need to add values for all stuff that DIBV5Header is bigger
// than DIBInfoHeader, all values are correctly initialized to zero,
Expand Down

1 comment on commit 7485fc2

@carnil
Copy link

@carnil carnil commented on 7485fc2 Apr 14, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The issue fixed by this commit has been assigned CVE-2016-10327

Please sign in to comment.