emfio/source/reader/mtftools.cxx | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-)
New commits: commit e488385c994993c22d21ac8f1d967770b3145153 Author: Caolán McNamara <[email protected]> AuthorDate: Fri Jan 17 09:32:58 2025 +0000 Commit: Caolán McNamara <[email protected]> CommitDate: Fri Jan 17 11:49:27 2025 +0100 ofz#390253942 Integer-overflow Change-Id: Id53f4812622d87a6f775a495d82d9bd7ea1e2869 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/180381 Reviewed-by: Caolán McNamara <[email protected]> Tested-by: Jenkins diff --git a/emfio/source/reader/mtftools.cxx b/emfio/source/reader/mtftools.cxx index 6d920a2ce5a4..a6409d0257b4 100644 --- a/emfio/source/reader/mtftools.cxx +++ b/emfio/source/reader/mtftools.cxx @@ -1634,6 +1634,25 @@ namespace emfio } } + static bool AllowDim(tools::Long nDim) + { + static bool bFuzzing = comphelper::IsFuzzing(); + if (bFuzzing) + { + if (nDim > 0x20000000 || nDim < -0x20000000) + { + SAL_WARN("vcl", "skipping huge dimension: " << nDim); + return false; + } + } + return true; + } + + static bool AllowPoint(const Point& rPoint) + { + return AllowDim(rPoint.X()) && AllowDim(rPoint.Y()); + } + void MtfTools::DrawPolyBezier( tools::Polygon rPolygon, bool bTo, bool bRecordPath ) { sal_uInt16 nPoints = rPolygon.GetSize(); @@ -1861,8 +1880,11 @@ namespace emfio for (sal_Int32 i = 0; i < rText.getLength(); ++i) { Point aCharDisplacement( i ? (*pDXArry)[i-1] : 0, i ? pDYArry[i-1] : 0 ); - Point().RotateAround(aCharDisplacement, maFont.GetOrientation()); - mpGDIMetaFile->AddAction( new MetaTextArrayAction( rPosition + aCharDisplacement, OUString( rText[i] ), KernArraySpan(), {}, 0, 1 ) ); + if (AllowPoint(aCharDisplacement)) + { + Point().RotateAround(aCharDisplacement, maFont.GetOrientation()); + mpGDIMetaFile->AddAction( new MetaTextArrayAction( rPosition + aCharDisplacement, OUString( rText[i] ), KernArraySpan(), {}, 0, 1 ) ); + } } } else
