vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-2.wmf |binary vcl/source/filter/wmf/enhwmf.cxx | 7 ++++--- 2 files changed, 4 insertions(+), 3 deletions(-)
New commits: commit dfba79d2c2e332fca82ac5a236ee74b90892c62f Author: Caolán McNamara <caol...@redhat.com> Date: Wed Aug 12 16:30:21 2015 +0100 another avoid endless loop with busted wmf Change-Id: Ie4068fdc1e54e0ad3e55354938a4c5e1459e7fe0 (cherry picked from commit 7ffe6aebb44ed3f7b5fd1ffe3ccfccf0f61984b3) Reviewed-on: https://gerrit.libreoffice.org/17683 Reviewed-by: David Tardon <dtar...@redhat.com> Tested-by: David Tardon <dtar...@redhat.com> diff --git a/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-2.wmf b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-2.wmf new file mode 100644 index 0000000..f8f1538 Binary files /dev/null and b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-2.wmf differ diff --git a/vcl/source/filter/wmf/enhwmf.cxx b/vcl/source/filter/wmf/enhwmf.cxx index 63e4104..8e19bc2 100644 --- a/vcl/source/filter/wmf/enhwmf.cxx +++ b/vcl/source/filter/wmf/enhwmf.cxx @@ -637,14 +637,15 @@ bool EnhWMFReader::ReadEnhWMF() break; } - nNextPos = pWMF->Tell() + ( nRecSize - 8 ); - - if ( !pWMF->good() || nNextPos > nEndPos ) + const sal_uInt32 nMaxPossibleRecSize = nEndPos - pWMF->Tell() + 8; + if (nRecSize > nMaxPossibleRecSize) { bStatus = false; break; } + nNextPos = pWMF->Tell() + ( nRecSize - 8 ); + if( !aBmpSaveList.empty() && ( nRecType != EMR_STRETCHBLT ) && ( nRecType != EMR_STRETCHDIBITS )
_______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits