Apache OpenOffice (AOO) Bugzilla – Issue 90913
Invalid read&write in png import
Last modified: 2008-07-07 11:58:09 UTC
See bug https://bugzilla.novell.com/show_bug.cgi?id=397128 for details. To-be-attached patch makes sure that no reads/writes happen beyond the scanline buffer limits.
Created attachment 54619: Proposed fix
The patch looks good.
Why is the PNGReaderImpl::mnScansize <= 0??? I'd prefer that this gets fixed or if there is a valid reason for such an insane scansize then PNG reading should be aborted before the inner loops: @@ -1037,6 +1040,9 @@ bool PNGReaderImpl::ImplPreparePass() void PNGReaderImpl::ImplApplyFilter() { + if( mnScansize <= 0 ) + return;
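Review bot: the mnScansize <= 0 guard at the top of ImplApplyFilter() returns from a void function, so the caller gets no signal that the filter step was skipped and nothing in this hunk stops decoding from continuing with the same invalid scansize. Consider rejecting a non-positive scansize in a path that can report failure (the hunk header shows ImplPreparePass() returning bool) and aborting the PNG read there, keeping this guard only as a last line of defence. A short comment stating which input leads to a scansize of zero or less would also help the next reader judge whether the check is sufficient.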
patch has been applied to cws[impress145]
sj->wg: This issue is ready to be verified, just load the bugdoc from the above mentioned link.
Verified in CWS.
Tested in DEV300_m23.