Skip to content
Permalink
Browse files

Resolves: ofz#313 cbBmiSrc > getDIBV5HeaderSize

Change-Id: I67fb67dc0a4cb609b8f1391c1eb6dd395755a933
  • Loading branch information...
Caolán McNamara
Caolán McNamara committed Dec 22, 2016
1 parent 88dad8f commit 7485fc2a1484f31631f62f97e5c64c0ae74c6416
Showing with 13 additions and 4 deletions.
  1. +13 −4 vcl/source/filter/wmf/enhwmf.cxx
@@ -1252,13 +1252,22 @@ bool EnhWMFReader::ReadEnhWMF()
else
{
const sal_uInt32 nSourceSize = cbBmiSrc + cbBitsSrc + 14;
if ( nSourceSize <= ( nEndPos - nStartPos ) )
bool bSafeRead = nSourceSize <= (nEndPos - nStartPos);
sal_uInt32 nDeltaToDIB5HeaderSize(0);
const bool bReadAlpha(0x01 == aFunc.aAlphaFormat);
if (bSafeRead && bReadAlpha)
{
// we need to read alpha channel data if AlphaFormat of BLENDFUNCTION is
// AC_SRC_ALPHA (==0x01). To read it, create a temp DIB-File which is ready
// for DIB-5 format
const bool bReadAlpha(0x01 == aFunc.aAlphaFormat);
const sal_uInt32 nDeltaToDIB5HeaderSize(bReadAlpha ? getDIBV5HeaderSize() - cbBmiSrc : 0);
const sal_uInt32 nHeaderSize = getDIBV5HeaderSize();
if (cbBmiSrc > nHeaderSize)
bSafeRead = false;
else
nDeltaToDIB5HeaderSize = nHeaderSize - cbBmiSrc;
}
if (bSafeRead)
{
const sal_uInt32 nTargetSize(cbBmiSrc + nDeltaToDIB5HeaderSize + cbBitsSrc + 14);
char* pBuf = new char[ nTargetSize ];
SvMemoryStream aTmp( pBuf, nTargetSize, StreamMode::READ | StreamMode::WRITE );
@@ -1277,7 +1286,7 @@ bool EnhWMFReader::ReadEnhWMF()
pWMF->Seek( nStart + offBmiSrc );
pWMF->ReadBytes(pBuf + 14, cbBmiSrc);

if(bReadAlpha)
if (bReadAlpha)
{
// need to add values for all stuff that DIBV5Header is bigger
// than DIBInfoHeader, all values are correctly initialized to zero,

1 comment on commit 7485fc2

@carnil

This comment has been minimized.

Copy link

commented on 7485fc2 Apr 14, 2017

The issue fixed by this commit has been assigned CVE-2016-10327

Please sign in to comment.
You can’t perform that action at this time.