package/source/zipapi/XUnbufferedStream.cxx | 9 +++++++-- vcl/source/outdev/textline.cxx | 2 +- 2 files changed, 8 insertions(+), 3 deletions(-)
New commits: commit df6bf128ae89d9b4a85fc8300ff7c5e0769e8055 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Thu Mar 30 21:07:40 2023 +0100 Commit: Caolán McNamara <caol...@redhat.com> CommitDate: Thu Mar 30 22:02:16 2023 +0000 ofz#57493 Timeout Change-Id: I7d4776d77385dc46f496b873c75e2be25840f86b Reviewed-on: https://gerrit.libreoffice.org/c/core/+/149774 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caol...@redhat.com> diff --git a/vcl/source/outdev/textline.cxx b/vcl/source/outdev/textline.cxx index 4481ca8011c3..77d77a9349fb 100644 --- a/vcl/source/outdev/textline.cxx +++ b/vcl/source/outdev/textline.cxx @@ -277,7 +277,7 @@ void OutputDevice::ImplDrawWaveTextLine( tools::Long nBaseX, tools::Long nBaseY, bool bIsAbove ) { static bool bFuzzing = utl::ConfigManager::IsFuzzing(); - if (bFuzzing && nWidth > 100000) + if (bFuzzing && nWidth > 20000) { SAL_WARN("vcl.gdi", "drawLine, skipping suspicious WaveTextLine of length: " << nWidth << " for fuzzing performance"); commit 397e2d5118dcc5ebd8dedfe731de02fb4277960f Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Thu Mar 30 21:03:01 2023 +0100 Commit: Caolán McNamara <caol...@redhat.com> CommitDate: Thu Mar 30 22:02:08 2023 +0000 ofz#57529 Integer-overflow Change-Id: I93775299aa340e2e645a04be5d0bc36a9caea103 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/149773 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caol...@redhat.com> diff --git a/package/source/zipapi/XUnbufferedStream.cxx b/package/source/zipapi/XUnbufferedStream.cxx index b0a18cc0a683..e3c31d5fca1c 100644 --- a/package/source/zipapi/XUnbufferedStream.cxx +++ b/package/source/zipapi/XUnbufferedStream.cxx @@ -28,6 +28,7 @@ #include <algorithm> #include <string.h> +#include <o3tl/safeint.hxx> #include <osl/diagnose.h> #include <osl/mutex.hxx> #include <utility> @@ -65,20 +66,24 @@ XUnbufferedStream::XUnbufferedStream( , mbCheckCRC(!bRecoveryMode) { mnZipCurrent = maEntry.nOffset; + sal_Int64 nSize; if ( mbRawStream ) { mnZipSize = maEntry.nMethod == DEFLATED ? maEntry.nCompressedSize : maEntry.nSize; - mnZipEnd = maEntry.nOffset + mnZipSize; + nSize = mnZipSize; } else { mnZipSize = maEntry.nSize; - mnZipEnd = maEntry.nMethod == DEFLATED ? maEntry.nOffset + maEntry.nCompressedSize : maEntry.nOffset + maEntry.nSize; + nSize = maEntry.nMethod == DEFLATED ? maEntry.nCompressedSize : maEntry.nSize; } if (mnZipSize < 0) throw ZipIOException("The stream seems to be broken!"); + if (o3tl::checked_add(maEntry.nOffset, nSize, mnZipEnd)) + throw ZipIOException("Integer-overflow"); + bool bHaveEncryptData = rData.is() && rData->m_aInitVector.hasElements() && ((rData->m_aSalt.hasElements() && rData->m_nIterationCount != 0) ||