Issue 90913 - Invalid read&write in png import
Summary: Invalid read&write in png import
Status: CLOSED FIXED
Alias: None
Product: gsl
Classification: Code
Component: code
Version: current
Hardware: All All
Importance: P3 Trivial
Target Milestone: OOo 3.0
Assignee: wolframgarten
QA Contact: issues@gsl
Reported: 2008-06-20 09:53 UTC by thb
Modified: 2008-07-07 11:58 UTC

Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---


Attachments
Proposed fix (1.92 KB, patch)
2008-06-20 09:53 UTC, thb

Description thb 2008-06-20 09:53:09 UTC
See bug https://bugzilla.novell.com/show_bug.cgi?id=397128 for details.
To-be-attached patch makes sure that no reads/writes happen beyond the scanline
buffer limits.
Comment 1 thb 2008-06-20 09:53:54 UTC
Created attachment 54619
Proposed fix
Comment 2 sven.jacobi 2008-06-20 10:44:35 UTC
the patch looks good
Comment 3 hdu@apache.org 2008-06-20 11:25:21 UTC
Why is the PNGReaderImpl::mnScansize <= 0??? I'd prefer that this gets fixed or if there is a valid reason 
for such an insane scansize then PNG reading should be aborted before the inner loops:

@@ -1037,6 +1040,9 @@ bool PNGReaderImpl::ImplPreparePass()
  void PNGReaderImpl::ImplApplyFilter()
 {
+       if( mnScansize <= 0 )
+               return;
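Review bot: the early `return` added at the top of `ImplApplyFilter()` exits a `void` function, so the caller gets no signal that the scanline was skipped, and nothing in this hunk stops decoding from continuing with an unfiltered row. If the intent is to abort PNG reading before the inner loops, record a failure state that the read loop checks, or reject the bad value at the point where `mnScansize` is set. The guard also covers only non-positive values; it does not relate the size to the scanline buffer limits that the issue description is about. A one-line comment stating when `mnScansize` can legitimately be non-positive would make the check easier to maintain.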
Comment 4 sven.jacobi 2008-06-20 12:43:03 UTC
patch has been applied to cws[impress145]
Comment 5 sven.jacobi 2008-06-25 12:07:44 UTC
sj->wg: This issue is ready to be verified, just load the bugdoc from the above
mentioned link.
Comment 6 wolframgarten 2008-06-27 09:41:59 UTC
Verified in CWS.
Comment 7 wolframgarten 2008-07-07 11:58:09 UTC
Tested in DEV300_m23.