vcl/source/filter/svm/SvmReader.cxx |   15 +++++++++++++++
 1 file changed, 15 insertions(+)

New commits:
commit cda53485ec0f2c666c86c0ac99e7af4b0f2b352f
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Mon Apr 25 21:11:40 2022 +0100
Commit:     Caolán McNamara <caol...@redhat.com>
CommitDate: Tue Apr 26 11:49:19 2022 +0200

    ofz#46906 Integer-overflow
    
    Change-Id: Ic4c6b34b8fb2ddfbb606871f48e2b504fd24336d
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/133421
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caol...@redhat.com>

diff --git a/vcl/source/filter/svm/SvmReader.cxx 
b/vcl/source/filter/svm/SvmReader.cxx
index fe05c3439719..bd69e7ece142 100644
--- a/vcl/source/filter/svm/SvmReader.cxx
+++ b/vcl/source/filter/svm/SvmReader.cxx
@@ -22,6 +22,7 @@
 #include <tools/stream.hxx>
 #include <tools/vcompat.hxx>
 
+#include <unotools/configmgr.hxx>
 #include <vcl/filter/SvmReader.hxx>
 #include <vcl/TypeSerializer.hxx>
 #include <vcl/dibtools.hxx>
@@ -705,7 +706,21 @@ rtl::Reference<MetaAction> 
SvmReader::TextArrayHandler(const ImplMetaReadData* p
     }
 
     if (!aArray.empty())
+    {
+        static const bool bFuzzing = utl::ConfigManager::IsFuzzing();
+        if (bFuzzing)
+        {
+            for (size_t i = 0, nLen = aArray.size(); i < nLen; ++i)
+            {
+                if (aArray[i] < -4096 || aArray[i] > 4096)
+                {
+                    SAL_WARN("vcl.gdi", "suspicious dx of: " << aArray[i]);
+                    aArray[i] = 0;
+                }
+            }
+        }
         pAction->SetDXArray(std::move(aArray));
+    }
     return pAction;
 }
 
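Review bot: The range check on `aArray[i]` in `TextArrayHandler` runs only when `utl::ConfigManager::IsFuzzing()` is true, so in a normal build the dx values read from the SVM stream still reach `SetDXArray` unbounded. The arithmetic that overflowed under the fuzzer is not visible in this hunk, but it can presumably still overflow on a crafted file. If the ±4096 bound is too strict to enforce on real documents, the durable fix is to make the consuming arithmetic overflow-safe (for example with `o3tl::saturating_add`) rather than filtering only the fuzzer's input. At minimum the gate and the magic bound deserve a comment, e.g. `// fuzzing-only: zero implausible dx values; non-fuzzing builds keep them, so consumers must tolerate any value`. The function body begins outside the hunk.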
