Apache OpenOffice (AOO) Bugzilla – Issue 82970
Do not crash when loading too big pictures
Last modified: 2009-07-20 14:54:28 UTC
I'll attach two malformed pictures with wrong dimensions. OOo tried to allocate too much memory and crashed. I'll also attach a proposed fix. Here are some more details about it:
+ svtools/source/filter.vcl/filter/filter.cxx
+ the changes in this file are enough to fix the crash with the tiff file
+ OOo read malformed information and tried to allocate too much memory
+ goodies/source/filter.vcl/itiff/itiff.cxx
+ goodies/source/filter.vcl/itiff/makefile.mk
+ adds more try/catch stuff to the itiff reader
+ note the second hunk for itiff.cxx; it fixes an evident mistake caused by the last change; the following code did not make sense: if ( !nNumStripByteCounts ) nNumStripByteCounts = 0;
+ vcl/unx/source/gdi/salbmp.cxx
+ vcl/unx/source/gdi/makefile.mk
+ fixes the problem when it reads wrong dimensions and tries to alloc a too big Bitmap in TIFFReader::ReadTIFF: aBitmap = Bitmap( Size( nImageWidth, nImageLength ), nDstBitsPerPixel );
Created attachment 49150 [details] Test tiff picture.
Created attachment 49151 [details] Test PNG file
Created attachment 49152 [details] Proposed fix.
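The report above describes the defensive pattern behind the fix: validate header-supplied dimensions before allocating the bitmap, so a malformed file produces a rejected image rather than an oversized allocation and a crash. The following is an added C++ illustration of that check, not code from attachment 49152 or from the OpenOffice sources; the function names (safeBitmapBytes, allocateBitmap, rejectsHeader) and the 64-megapixel limit are assumptions chosen for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <stdexcept>
#include <vector>

// Policy limit on pixel count (constructed value for this example, not an OOo constant).
constexpr uint64_t kMaxPixels = 64ULL * 1024 * 1024;

// Returns the byte size of a width x height bitmap at bitsPerPixel, or 0 when the
// dimensions are invalid, exceed the policy limit, or would not fit in size_t.
// All arithmetic is done in 64 bits so a 32-bit width * height cannot wrap around.
uint64_t safeBitmapBytes(uint32_t width, uint32_t height, uint32_t bitsPerPixel) {
    if (width == 0 || height == 0) return 0;
    if (bitsPerPixel != 1 && bitsPerPixel != 4 && bitsPerPixel != 8 &&
        bitsPerPixel != 24 && bitsPerPixel != 32) return 0;

    const uint64_t pixels = uint64_t(width) * uint64_t(height);
    if (pixels > kMaxPixels) return 0;

    // Rows padded to a 4-byte boundary, as typical DIB-style bitmaps are stored.
    const uint64_t rowBits = uint64_t(width) * bitsPerPixel;
    const uint64_t rowBytes = (rowBits + 31) / 32 * 4;
    const uint64_t total = rowBytes * height;
    if (total > std::numeric_limits<size_t>::max()) return 0;
    return total;
}

// Allocates the pixel buffer only after validation; an untrusted header that fails
// the check raises an exception the caller can catch instead of crashing the reader.
std::vector<uint8_t> allocateBitmap(uint32_t width, uint32_t height, uint32_t bitsPerPixel) {
    const uint64_t bytes = safeBitmapBytes(width, height, bitsPerPixel);
    if (bytes == 0) throw std::invalid_argument("rejected image dimensions");
    return std::vector<uint8_t>(static_cast<size_t>(bytes));
}

// True when a header with these values is refused without any allocation taking place.
bool rejectsHeader(uint32_t width, uint32_t height, uint32_t bitsPerPixel) {
    try {
        allocateBitmap(width, height, bitsPerPixel);
        return false;
    } catch (const std::invalid_argument&) {
        return true;
    }
}
```

The check belongs in the reader (the equivalent of the itiff/svtools layer in the report), where a failure can be reported as an unreadable file; as the reviewers note on this issue, silently returning an empty bitmap from the VCL layer only moves the problem to whoever consumes it later.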
It would be great to get it in for OOo-2.3.1. The fix is in CWS pmladek07 now. Kendy, could you please do the QA?
@Sven: could you review the changes, please?
I'd rather keep the fix from salbmp.cxx out - because there really is no working error reporting in place for VCL objects. So, I guess it's better to have an exception fly out of vcl here, rather than hiding the error in an empty bitmap (which then leads to all kinds of bugs at other places - the least of it saving empty bitmaps to files). Or, if you need it: implement proper error reporting for the SalBitmap.
.
I agree with thb, the vcl changes should be removed, but there is nothing against the other changes in goodies and svtools, they are ok.
Thanks for the valuable feedback. I agree. I have removed the vcl part from the CWS. It should be fine now.
As discussed with pl on irc, I have opened the new issue #82997 for the vcl part. It would be needed for a proper handling of the PNG file. I have also opened the issue #82995 for the strange behavior of the new operator.
After the improvements based on the above comments, which I've reviewed in the CWS, setting to VERIFIED.
Setting milestone.
This issue is closed automatically and wasn't rechecked in a current version of OOo. The fixed issue should have been integrated in OOo for more than half a year. If you think this issue isn't fixed in a current version (OOo 3.1), please reopen it and change the field 'Target Milestone' accordingly. If you want to download a current version of OOo => http://download.openoffice.org/index.html If you want to know more about the handling of fixed/verified issues => http://wiki.services.openoffice.org/wiki/Handle_fixed_verified_issues