jmestwa-coder opened a new pull request, #1082: URL: https://github.com/apache/poi/pull/1082
An EmfPlusPath with the RLE_COMPRESSED flag set expands its per-point type table from (runCount, type) pairs, but the fill starts at pointTypes.length instead of the running offset, so any RLE-compressed path overruns the buffer. Start the run at the current index and clamp its end to the array length so a crafted runCount can't write past pointTypes.
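The offset bug described in this pull request, modelled as an added stand-alone Java example; it is not the POI source or the patch in the PR. The class and method names, the plain (runCount, type) byte-pair input layout and the sample inputs are assumptions made for illustration.

```java
import java.util.Arrays;

public class RlePointTypes {
    // Shape of the bug as described: every run is filled starting at
    // pointTypes.length, so any non-empty run ends past the array.
    static byte[] expandBuggy(byte[] rle, int pointCount) {
        byte[] pointTypes = new byte[pointCount];
        for (int i = 0; i + 1 < rle.length; i += 2) {
            int runCount = rle[i] & 0xFF;          // unsigned run length
            byte type = rle[i + 1];
            Arrays.fill(pointTypes, pointTypes.length, pointTypes.length + runCount, type);
        }
        return pointTypes;
    }

    // Shape of the fix as described: start each run at the running offset
    // and clamp its end to the array length.
    static byte[] expandFixed(byte[] rle, int pointCount) {
        byte[] pointTypes = new byte[pointCount];
        int offset = 0;
        for (int i = 0; i + 1 < rle.length && offset < pointTypes.length; i += 2) {
            int runCount = rle[i] & 0xFF;
            byte type = rle[i + 1];
            int end = Math.min(offset + runCount, pointTypes.length);
            Arrays.fill(pointTypes, offset, end, type);
            offset = end;
        }
        return pointTypes;
    }

    public static void main(String[] args) {
        // Constructed inputs: five points, type values 0 and 1 chosen arbitrarily.
        byte[] wellFormed = {3, 0, 2, 1};            // runs of 3 and 2 points
        byte[] oversized = {3, 0, (byte) 200, 1};    // second run claims 200 points

        try {
            expandBuggy(wellFormed, 5);
        } catch (ArrayIndexOutOfBoundsException e) {
            // Even a well-formed record fails, because the fill starts at the end.
            System.out.println("buggy, well-formed input: " + e);
        }
        System.out.println("fixed, well-formed input: " + Arrays.toString(expandFixed(wellFormed, 5)));
        System.out.println("fixed, oversized run:     " + Arrays.toString(expandFixed(oversized, 5)));
    }
}
```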
