vcl/source/gdi/lineinfo.cxx | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-)
New commits: commit 3f25abc0cd2d2f6da828b030a191b6787a682a51 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Wed Mar 23 10:35:02 2022 +0000 Commit: Caolán McNamara <caol...@redhat.com> CommitDate: Wed Mar 23 13:36:00 2022 +0100 ofz#45583 Integer-overflow don't allow massive doubles to be loaded Change-Id: Ib7fddd40728a05358adddddf6b1ddc417b36872a Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131968 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caol...@redhat.com>
diff --git a/vcl/source/gdi/lineinfo.cxx b/vcl/source/gdi/lineinfo.cxx
index 85e7c041943e..1267623c0f19 100644
--- a/vcl/source/gdi/lineinfo.cxx
+++ b/vcl/source/gdi/lineinfo.cxx
@@ -17,6 +17,7 @@
 * the License at http://www.apache.org/licenses/LICENSE-2.0 .
 */
 
+#include <sal/log.hxx>
 #include <tools/stream.hxx>
 #include <tools/vcompat.hxx>
 #include <vcl/lineinfo.hxx>
@@ -126,6 +127,18 @@ bool LineInfo::IsDefault() const
 && ( css::drawing::LineCap_BUTT == mpImplLineInfo->meLineCap));
 }
 
+static void ReadLimitedDouble(SvStream& rIStm, double &fDest)
+{
+ double fTmp(0.0);
+ rIStm.ReadDouble(fTmp);
+ if (fTmp < std::numeric_limits<sal_Int32>::min() || fTmp > std::numeric_limits<sal_Int32>::max())
+ {
+ SAL_WARN("vcl", "Parsing error: double too large: " << fTmp);
+ return;
+ }
+ fDest = fTmp;
+}
+
 SvStream& ReadLineInfo( SvStream& rIStm, LineInfo& rLineInfo )
 {
 VersionCompatRead aCompat( rIStm );
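Review bot: A NaN read from the stream passes the range test in ReadLimitedDouble, because both `fTmp < min` and `fTmp > max` compare false for NaN, so it is still stored in fDest and can reach a later double-to-integer conversion, which is undefined for NaN. Writing the test in its accepting form rejects NaN together with the infinities: `if (!(fTmp >= std::numeric_limits<sal_Int32>::min() && fTmp <= std::numeric_limits<sal_Int32>::max()))`. Separately, the result of `rIStm.ReadDouble(fTmp)` is not checked; if a short read leaves fTmp untouched (not visible here), the helper writes 0.0 over the existing value, so testing `rIStm.good()` before the assignment would keep the previous behaviour on truncated input. `std::numeric_limits` is used without `<limits>` appearing in the include hunk; it presumably arrives transitively, but an explicit include would be safer.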
@@ -165,10 +178,10 @@ SvStream& ReadLineInfo( SvStream& rIStm, LineInfo& rLineInfo )
 if( aCompat.GetVersion() >= 5 )
 {
 // version 5
- rIStm.ReadDouble( rLineInfo.mpImplLineInfo->mnWidth );
- rIStm.ReadDouble( rLineInfo.mpImplLineInfo->mnDashLen );
- rIStm.ReadDouble( rLineInfo.mpImplLineInfo->mnDotLen );
- rIStm.ReadDouble( rLineInfo.mpImplLineInfo->mnDistance );
+ ReadLimitedDouble(rIStm, rLineInfo.mpImplLineInfo->mnWidth);
+ ReadLimitedDouble(rIStm, rLineInfo.mpImplLineInfo->mnDashLen);
+ ReadLimitedDouble(rIStm, rLineInfo.mpImplLineInfo->mnDotLen);
+ ReadLimitedDouble(rIStm, rLineInfo.mpImplLineInfo->mnDistance);
 }
 
 return rIStm;
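Review bot: When ReadLimitedDouble rejects a value, these four call sites silently keep whatever the field held before, and ReadLineInfo still returns the stream with no error state, so a caller cannot tell a corrupt or hostile record from a valid one. A comment on the version 5 block would make that contract explicit, for example `// version 5: out-of-range doubles are ignored, the field keeps its previous value`. The accepted range also still includes negative values for width, dash length and dot length; if consumers assume non-negative lengths (not visible in this hunk), that needs its own check here. ReadLineInfo begins outside the hunk, so what the fields hold before these calls cannot be confirmed from this view.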