vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-3.wmf |binary
 vcl/source/filter/wmf/enhwmf.cxx                      |   19 +++++++++++++-----
 2 files changed, 14 insertions(+), 5 deletions(-)

New commits:
commit e28af9d5cc430244631aeceed290ffe7484f6a1d
Author: Caolán McNamara <caol...@redhat.com>
Date:   Thu Aug 27 20:20:01 2015 +0100

    don't loop on overly-short nEndPos
    
    Change-Id: I60d3388ece28a69c31a85b9e3b495cbe8a03e7dc
    (cherry picked from commit 42732d255423700461f4abadfed77d89efa9cdd0)
    Reviewed-on: https://gerrit.libreoffice.org/18097
    Reviewed-by: David Tardon <dtar...@redhat.com>
    Tested-by: David Tardon <dtar...@redhat.com>

diff --git a/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-3.wmf b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-3.wmf
new file mode 100644
index 0000000..80ad795
Binary files /dev/null and b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-3.wmf differ
diff --git a/vcl/source/filter/wmf/enhwmf.cxx b/vcl/source/filter/wmf/enhwmf.cxx
index 7f7bf81..87d492d6 100644
--- a/vcl/source/filter/wmf/enhwmf.cxx
+++ b/vcl/source/filter/wmf/enhwmf.cxx
@@ -617,7 +617,7 @@ void EnhWMFReader::ReadAndDrawPolyPolygon()
 bool EnhWMFReader::ReadEnhWMF()
 {
     sal_uInt32  nStretchBltMode = 0;
-    sal_uInt32  nRecType(0), nRecSize(0), nNextPos(0),
+    sal_uInt32  nNextPos(0),
                 nW(0), nH(0), nColor(0), nIndex(0),
                 nDat32(0), nNom1(0), nDen1(0), nNom2(0), nDen2(0);
     sal_Int32   nX32(0), nY32(0), nx32(0), ny32(0);
@@ -629,7 +629,8 @@ bool EnhWMFReader::ReadEnhWMF()
 
     while( bStatus && nRecordCount-- && pWMF->good())
     {
-        pWMF->ReadUInt32( nRecType ).ReadUInt32( nRecSize );
+        sal_uInt32  nRecType(0), nRecSize(0);
+        pWMF->ReadUInt32(nRecType).ReadUInt32(nRecSize);
 
         if ( !pWMF->good() || ( nRecSize < 8 ) || ( nRecSize & 3 ) )     // Parameters are always divisible by 4
         {
@@ -637,14 +638,22 @@ bool EnhWMFReader::ReadEnhWMF()
             break;
         }
 
-        const sal_uInt32 nMaxPossibleRecSize = nEndPos - pWMF->Tell() + 8;
+        auto nCurPos = pWMF->Tell();
+
+        if (nEndPos < nCurPos - 8)
+        {
+            bStatus = false;
+            break;
+        }
+
+        const sal_uInt32 nMaxPossibleRecSize = nEndPos - (nCurPos - 8);
         if (nRecSize > nMaxPossibleRecSize)
         {
             bStatus = false;
             break;
         }
 
-        nNextPos = pWMF->Tell() + ( nRecSize - 8 );
+        nNextPos = nCurPos + (nRecSize - 8);
 
         if(  !aBmpSaveList.empty()
           && ( nRecType != EMR_STRETCHBLT )
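Review bot: The new guard `if (nEndPos < nCurPos - 8)` carries no comment explaining what it protects against, and the reason is easy to miss: the old `nEndPos - pWMF->Tell() + 8` is unsigned arithmetic, so a stream position beyond nEndPos wrapped to a huge nMaxPossibleRecSize and the `nRecSize > nMaxPossibleRecSize` check could never reject the record. I would add above the guard `// record starts at nCurPos - 8 (the 8-byte header was just read); stop if that is already past nEndPos, otherwise the unsigned subtraction below wraps`. `auto nCurPos` takes whatever type Tell() returns, while nMaxPossibleRecSize and nNextPos are sal_uInt32, so if Tell() is wider both assignments narrow implicitly; spelling out the type or casting explicitly would make that visible. The last hunk drops the local `sal_uInt32 nCurPos` in the EMR_EXTTEXTOUTW case, so any use there (outside the hunk) now binds to this loop-level variable, and a distinct name such as `nRecStartPos` for one of the two would keep the meanings apart. ReadEnhWMF's body continues outside the hunk.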
@@ -1423,7 +1432,7 @@ bool EnhWMFReader::ReadEnhWMF()
                 case EMR_EXTTEXTOUTW :
                 {
                     sal_Int32   nLeft, nTop, nRight, nBottom, ptlReferenceX, ptlReferenceY, nGfxMode, nXScale, nYScale;
-                    sal_uInt32  nCurPos, nOffString, nOptions, offDx;
+                    sal_uInt32  nOffString, nOptions, offDx;
                     sal_Int32   nLen;
                     std::vector<long> aDX;
 