Make combineScanlineChannels stop before padding bytes
At <https://ci.libreoffice.org/job/lo_ubsan/2467>,
CppunitTest_sd_export_tests-ooxml1 failed with

> ==4831==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000211c54 at pc 0x7fcdcb44093f bp 0x7ffe85792760 sp 0x7ffe85792758
> READ of size 1 at 0x629000211c54 thread T0
>     #0 0x7fcdcb44093e in (anonymous namespace)::combineScanlineChannels(unsigned char*, unsigned char*, unsigned char*, unsigned int) /vcl/source/filter/png/PngImageWriter.cxx:27:22
>     #1 0x7fcdcb43fbaf in vcl::pngWrite(SvStream&, BitmapEx const&, int, bool, bool, std::__debug::vector<vcl::PngChunk, std::allocator<vcl::PngChunk> > const&) /vcl/source/filter/png/PngImageWriter.cxx:231:21
>     #2 0x7fcdcb43ce80 in vcl::PngImageWriter::write(BitmapEx const&) /vcl/source/filter/png/PngImageWriter.cxx:318:12
>     #3 0x7fcdcaf04bc1 in GraphicFilter::ExportGraphic(Graphic const&, std::basic_string_view<char16_t, std::char_traits<char16_t> >, SvStream&, unsigned short, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const*) /vcl/source/filter/graphicfilter.cxx:1801:28
> 0x629000211c54 is located 0 bytes to the right of 19028-byte region [0x62900020d200,0x629000211c54)
> allocated by thread T0 here:
>     #0 0x4fd898 in operator new[](unsigned long) /home/tdf/lode/packages/llvm-llvmorg-12.0.1.src/compiler-rt/lib/asan/asan_new_delete.cpp:102
>     #1 0x7fcdcbcbd50b in ImplCreateDIB(Size const&, vcl::PixelFormat, BitmapPalette const&) /vcl/headless/svpbmp.cxx:123:24
>     #2 0x7fcdcbcbb483 in SvpSalBitmap::Create(Size const&, vcl::PixelFormat, BitmapPalette const&) /vcl/headless/svpbmp.cxx:152:13
>     #3 0x7fcdca406c59 in Bitmap::Bitmap(Size const&, vcl::PixelFormat, BitmapPalette const*) /vcl/source/bitmap/bitmap.cxx:136:15

because for the given N24BitTcBgr bitmap of size 89x71 we have
pAccess->GetScanlineSize() = 268 = 89 * 3 + 1, so combineScanlineChannels wanted
to erroneously read an excessive 90th RGB triplet.

Change-Id: Ida117999de075b8906f43bfe4c2b7fa98df80b0f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/137261
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
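The overflow described in the commit message comes from treating a padded scanline byte count as if it were a multiple of the pixel width. The following constructed C example (added here; not LibreOffice code, and the 4-byte scanline alignment it models is an assumption consistent with the quoted 268 = 89 * 3 + 1) compares the pre-fix bound, the `nSize / 3` bound from this commit, and a variant that takes the pixel width from the caller so padding cannot influence how many triplets are read:

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a 24-bit BGR bitmap whose scanlines are padded up to a
 * multiple of 4 bytes (assumed alignment; 89 px -> 267 bytes -> 268 bytes). */
static size_t padded_scanline_size(size_t width_px)
{
    return (width_px * 3 + 3) & ~(size_t)3;
}

/* Pre-fix loop bound: step 3 bytes at a time across the whole padded scanline.
 * Returns how many RGB triplets such a loop would touch. */
static size_t triplets_read_by_size(size_t scanline_size)
{
    size_t n = 0;
    for (size_t i = 0; i < scanline_size; i += 3)
        ++n;
    return n;
}

/* Loop bound introduced by the commit: integer-divide the padded size by 3. */
static size_t triplets_read_by_div(size_t scanline_size)
{
    return scanline_size / 3;
}

/* Variant keyed on the pixel width instead of a byte count: the caller states
 * how many pixels exist, so padding bytes are never interpreted as a pixel.
 * Writes exactly width_px * 4 bytes of RGBA into out. */
static void combine_scanline_channels(const uint8_t *rgb, const uint8_t *alpha,
                                      uint8_t *out, size_t width_px)
{
    assert(rgb && "RGB scanline is null");
    assert(alpha && "Alpha scanline is null");
    assert(out && "Result scanline is null");
    for (size_t i = 0; i < width_px; ++i) {
        *out++ = *rgb++;   /* R */
        *out++ = *rgb++;   /* G */
        *out++ = *rgb++;   /* B */
        *out++ = *alpha++; /* A */
    }
}

/* Self-check on a constructed 2-pixel scanline; returns 1 when the interleaved
 * RGBA output matches the expected bytes. */
static int combine_demo_ok(void)
{
    const uint8_t rgb[6] = { 1, 2, 3, 4, 5, 6 };   /* constructed sample */
    const uint8_t alpha[2] = { 9, 8 };             /* constructed sample */
    const uint8_t expected[8] = { 1, 2, 3, 9, 4, 5, 6, 8 };
    uint8_t out[8];
    combine_scanline_channels(rgb, alpha, out, 2);
    return memcmp(out, expected, sizeof out) == 0;
}
```

For the 89-pixel case from the sanitizer report, the pre-fix bound reads 90 triplets from a 268-byte scanline and the `/ 3` bound reads 89. For a width whose padding is three bytes (91 px: 273 bytes padded to 276), `276 / 3` is 92, so dividing the padded size still over-counts by one pixel; passing the pixel width sidesteps the problem entirely.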
stbergmann committed Jul 20, 2022
1 parent 2f3b87d commit eda0c48
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion vcl/source/filter/png/PngImageWriter.cxx
Expand Up @@ -21,7 +21,8 @@ void combineScanlineChannels(Scanline pRGBScanline, Scanline pAlphaScanline, Sca
assert(pRGBScanline && "RGB scanline is null");
assert(pAlphaScanline && "Alpha scanline is null");

for (sal_uInt32 i = 0; i < nSize; i += 3)
auto const width = nSize / 3;
for (sal_uInt32 i = 0; i < width; ++i)
{
*pResult++ = *pRGBScanline++; // R
*pResult++ = *pRGBScanline++; // G
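Review bot: deriving the pixel count as `nSize / 3` from the padded scanline byte length (the commit message's 268 = 89 * 3 + 1) only discards one or two padding bytes; if a scanline can ever carry three padding bytes, the division still yields one triplet too many (91 * 3 = 273 padded to 276 gives `width` = 92) and the same over-read returns. Prefer passing the bitmap's pixel width to `combineScanlineChannels` from the call site at `PngImageWriter.cxx:231`, or at least rename `nSize` and document that it must be the unpadded RGB byte count rather than `GetScanlineSize()`, since the parameter name no longer says which of the two it is.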