vcl/source/gdi/svmconverter.cxx | 65 ++++++++++++++++++++++++---------------- 1 file changed, 40 insertions(+), 25 deletions(-)
New commits: commit ff8f6629287d0d1bdbcf4f8ed16cb8d077d08c7a Author: Caolán McNamara <caol...@redhat.com> Date: Thu Jan 19 16:56:34 2017 +0000 Resolves: ofz#424 guard against broken dxary length Change-Id: Ia2569e963edd75cd6c27399d33e73bafe8b3f073 Reviewed-on: https://gerrit.libreoffice.org/33319 Reviewed-by: Caolán McNamara <caol...@redhat.com> Tested-by: Caolán McNamara <caol...@redhat.com> diff --git a/vcl/source/gdi/svmconverter.cxx b/vcl/source/gdi/svmconverter.cxx index c1161a4..efcc250 100644 --- a/vcl/source/gdi/svmconverter.cxx +++ b/vcl/source/gdi/svmconverter.cxx @@ -939,6 +939,7 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm, GDIMetaFile& rMtf ) OUString aStr(OStringToOUString(aByteStr, eActualCharSet)); std::unique_ptr<long[]> pDXAry; + sal_Int32 nDXAryLen = 0; if (nAryLen > 0) { const size_t nMinRecordSize = sizeof(sal_Int32); @@ -952,36 +953,50 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm, GDIMetaFile& rMtf ) sal_Int32 nStrLen( aStr.getLength() ); - pDXAry.reset(new long[ std::max( nAryLen, nStrLen ) ]); + nDXAryLen = std::max(nAryLen, nStrLen); - for (sal_Int32 j = 0; j < nAryLen; ++j) - rIStm.ReadInt32( nTmp ), pDXAry[ j ] = nTmp; - - // #106172# Add last DX array elem, if missing - if( nAryLen != nStrLen ) + if (nDXAryLen < nLen) + { + //MetaTextArrayAction ctor expects pDXAry to be >= nLen if set, so if this can't + //be achieved, don't read it, it's utterly broken. + SAL_WARN("vcl.gdi", "dxary too short, discarding completely"); + rIStm.SeekRel(sizeof(sal_Int32) * nDXAryLen); + nLen = 0; + nIndex = 0; + } + else { - if( nAryLen+1 == nStrLen ) + pDXAry.reset(new long[nDXAryLen]); + + for (sal_Int32 j = 0; j < nAryLen; ++j) + rIStm.ReadInt32( nTmp ), pDXAry[ j ] = nTmp; + + // #106172# Add last DX array elem, if missing + if( nAryLen != nStrLen ) { - std::unique_ptr<long[]> pTmpAry(new long[nStrLen]); - - aFontVDev->GetTextArray( aStr, pTmpAry.get(), nIndex, nLen ); - - // now, the difference between the - // last and the second last DX array - // is the advancement for the last - // glyph. Thus, to complete our meta - // action's DX array, just add that - // difference to last elem and store - // in very last. - if( nStrLen > 1 ) - pDXAry[ nStrLen-1 ] = pDXAry[ nStrLen-2 ] + pTmpAry[ nStrLen-1 ] - pTmpAry[ nStrLen-2 ]; - else - pDXAry[ nStrLen-1 ] = pTmpAry[ nStrLen-1 ]; // len=1: 0th position taken to be 0 - } + if( nAryLen+1 == nStrLen ) + { + std::unique_ptr<long[]> pTmpAry(new long[nStrLen]); + + aFontVDev->GetTextArray( aStr, pTmpAry.get(), nIndex, nLen ); + + // now, the difference between the + // last and the second last DX array + // is the advancement for the last + // glyph. Thus, to complete our meta + // action's DX array, just add that + // difference to last elem and store + // in very last. + if( nStrLen > 1 ) + pDXAry[ nStrLen-3 ] = pDXAry[ nStrLen-2 ] + pTmpAry[ nStrLen-1 ] - pTmpAry[ nStrLen-2 ]; + else + pDXAry[ nStrLen-1 ] = pTmpAry[ nStrLen-1 ]; // len=1: 0th position taken to be 0 + } #ifdef DBG_UTIL - else - OSL_FAIL("More than one DX array element missing on SVM import"); + else + OSL_FAIL("More than one DX array element missing on SVM import"); #endif + } } } if ( nUnicodeCommentActionNumber == i )
_______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits