vcl/qa/cppunit/graphicfilter/data/svm/pass/ofz45269-1.svm |binary vcl/source/filter/svm/SvmReader.cxx | 35 +++++++++----- 2 files changed, 24 insertions(+), 11 deletions(-)
New commits: commit 916aca240195b3e224ea374df4d447201bf852be Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Fri Mar 11 15:33:44 2022 +0000 Commit: Caolán McNamara <caol...@redhat.com> CommitDate: Sat Mar 12 13:23:28 2022 +0100 ofz#45269 Integer-overflow Change-Id: I9fe6c4753da609933c8ce5ef051e49351a25fd56 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131386 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caol...@redhat.com> diff --git a/vcl/qa/cppunit/graphicfilter/data/svm/pass/ofz45269-1.svm b/vcl/qa/cppunit/graphicfilter/data/svm/pass/ofz45269-1.svm new file mode 100644 index 000000000000..4dceee3a9db4 Binary files /dev/null and b/vcl/qa/cppunit/graphicfilter/data/svm/pass/ofz45269-1.svm differ diff --git a/vcl/source/filter/svm/SvmReader.cxx b/vcl/source/filter/svm/SvmReader.cxx index 550e9e59bcfd..fe05c3439719 100644 --- a/vcl/source/filter/svm/SvmReader.cxx +++ b/vcl/source/filter/svm/SvmReader.cxx @@ -826,6 +826,24 @@ rtl::Reference<MetaAction> SvmReader::BmpHandler() return pAction; } +namespace +{ +void sanitizeNegativeSizeDimensions(Size& rSize) +{ + if (rSize.Width() < 0) + { + SAL_WARN("vcl.gdi", "sanitizeNegativeSizeDimensions: negative width"); + rSize.setWidth(0); + } + + if (rSize.Height() < 0) + { + SAL_WARN("vcl.gdi", "sanitizeNegativeSizeDimensions: negative height"); + rSize.setHeight(0); + } +} +} + rtl::Reference<MetaAction> SvmReader::BmpScaleHandler() { rtl::Reference<MetaBmpScaleAction> pAction(new MetaBmpScaleAction); @@ -836,8 +854,10 @@ rtl::Reference<MetaAction> SvmReader::BmpScaleHandler() TypeSerializer aSerializer(mrStream); Point aPoint; aSerializer.readPoint(aPoint); + Size aSz; aSerializer.readSize(aSz); + sanitizeNegativeSizeDimensions(aSz); pAction->SetBitmap(aBmp); pAction->SetPoint(aPoint); @@ -902,17 +922,7 @@ rtl::Reference<MetaAction> SvmReader::BmpExScaleHandler() Size aSize; aSerializer.readSize(aSize); - if (aSize.Width() < 0) - { - SAL_WARN("vcl.gdi", "MetaBmpExScaleAction: negative width"); - aSize.setWidth(0); - } - - if (aSize.Height() < 0) - { - SAL_WARN("vcl.gdi", "MetaBmpExScaleAction: negative height"); - aSize.setHeight(0); - } + sanitizeNegativeSizeDimensions(aSize); pAction->SetBitmapEx(aBmpEx); pAction->SetPoint(aPoint); @@ -1300,8 +1310,11 @@ rtl::Reference<MetaAction> SvmReader::FloatTransparentHandler(ImplMetaReadData* TypeSerializer aSerializer(mrStream); Point aPoint; aSerializer.readPoint(aPoint); + Size aSize; aSerializer.readSize(aSize); + sanitizeNegativeSizeDimensions(aSize); + Gradient aGradient; aSerializer.readGradient(aGradient);