reject bmps with unknown compression schemes
and RLE8/RLE4 compression with wrong bitmap depth
Change-Id: I7e580cb119e90262a88c57b86f562eaba81c4944
diff --git a/vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2015-0848-1.wmf b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2015-0848-1.wmf
similarity index 100%
rename from vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2015-0848-1.wmf
rename to vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2015-0848-1.wmf
Binary files differ
diff --git a/vcl/source/gdi/dibtools.cxx b/vcl/source/gdi/dibtools.cxx
index 8dd710e..7218e8f 100644
--- a/vcl/source/gdi/dibtools.cxx
+++ b/vcl/source/gdi/dibtools.cxx
@@ -867,13 +867,29 @@
return false;
const sal_uInt64 nAlignedWidth(AlignedWidth4Bytes(static_cast<sal_uLong>(nBitsPerLine)));
// (partially) check the image dimensions to avoid potential large bitmap allocation if the input is damaged
if (aHeader.nCompression == ZCOMPRESS || aHeader.nCompression == COMPRESS_NONE)
switch (aHeader.nCompression)
{
sal_uInt64 nMaxWidth = pIStm->remainingSize();
if (aHeader.nHeight != 0)
nMaxWidth /= aHeader.nHeight;
if (nMaxWidth < nAlignedWidth)
case RLE_8:
if (aHeader.nBitCount != 8)
return false;
break;
case RLE_4:
if (aHeader.nBitCount != 4)
return false;
case BITFIELDS:
break;
case ZCOMPRESS:
case COMPRESS_NONE:
{
// (partially) check the image dimensions to avoid potential large bitmap allocation if the input is damaged
sal_uInt64 nMaxWidth = pIStm->remainingSize();
if (aHeader.nHeight != 0)
nMaxWidth /= aHeader.nHeight;
if (nMaxWidth < nAlignedWidth)
return false;
break;
}
default:
return false;
}
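Review bot: The new `RLE_8`, `RLE_4` and `BITFIELDS` branches leave the switch without the `pIStm->remainingSize()` bound that the `ZCOMPRESS`/`COMPRESS_NONE` branch applies, so a damaged header using one of those compression values can presumably still request a very large bitmap further down (the allocation is outside the hunk, so this is inferred from the existing comment). BITFIELDS pixel data is normally stored uncompressed, so it could share the checked branch by moving `case BITFIELDS:` directly above `case ZCOMPRESS:`; the RLE cases would need a looser bound that allows for the compression ratio. Separately, the `RLE_4` case has no `break;` after its `return false;` and falls through into `case BITFIELDS:`, which is harmless only while that case is a bare `break;`, so add an explicit `break;` there. The enclosing function starts and ends outside the hunk.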