subject:"\[Libreoffice\-commits\] core.git\: Branch 'libreoffice\-7\-2' \- lotuswordpro\/source"

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

2022-03-14 Thread Caolán McNamara (via logerrit)

 lotuswordpro/source/filter/lwpdrawobj.cxx |6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

New commits:
commit eca150aeb9254a3c04d15be5a6278c2c65bf3fb0
Author: Caolán McNamara 
AuthorDate: Sun Mar 13 10:48:47 2022 +
Commit: Michael Stahl 
CommitDate: Mon Mar 14 12:28:35 2022 +0100

ofz#45524 string is presumed to be at least length 1

Change-Id: If8a86e399109b414cf53f6e2bffdd3c7c6faa490
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131468
Tested-by: Jenkins
Reviewed-by: Michael Stahl 

diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx 
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index f1abe2c438f3..a03b6deb8827 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1249,7 +1249,11 @@ void LwpDrawTextArt::Read()
 - 
(m_aTextArtRec.aPath[1].n*3 + 1)*4;
 
 
-if (!m_pStream->good() || m_aTextArtRec.nTextLen > 
m_pStream->remainingSize())
+if (!m_pStream->good())
+throw BadRead();
+if (m_aTextArtRec.nTextLen > m_pStream->remainingSize())
+throw BadRead();
+if (m_aTextArtRec.nTextLen < 1)
 throw BadRead();
 
 m_aTextArtRec.pTextString = new sal_uInt8 [m_aTextArtRec.nTextLen];

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

2022-02-03 Thread zhutyra (via logerrit)

 lotuswordpro/source/filter/lwpdrawobj.cxx |8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

New commits:
commit 6694e3ea9c2f05a20245d94c5c1eda955cb3aacc
Author: zhutyra 
AuthorDate: Tue Feb 1 13:54:55 2022 +
Commit: Michael Stahl 
CommitDate: Thu Feb 3 12:01:14 2022 +0100

read of width/height uses wrong record size

this initially went wrong at:

commit b4fb7a437bb0ce987702b12008737756623618ac
Date:   Mon May 23 21:38:40 2011 +0100

fix up some more endian

LIBREOFFICE-SBQ5TJRS

Change-Id: Ie418f530f55288351f73f3c0cbab9ac48e6b6964
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129259
Tested-by: Jenkins
Reviewed-by: Michael Stahl 

diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx 
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index 11bc3bcb5a98..f1abe2c438f3 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1388,8 +1388,12 @@ void LwpDrawBitmap::Read()
 
 if (aInfoHeader2.nHeaderLen == sizeof(BmpInfoHeader))
 {
-m_pStream->ReadUInt32( aInfoHeader2.nWidth );
-m_pStream->ReadUInt32( aInfoHeader2.nHeight );
+sal_uInt16 nTmp;
+
+m_pStream->ReadUInt16( nTmp );
+aInfoHeader2.nWidth = nTmp;
+m_pStream->ReadUInt16( nTmp );
+aInfoHeader2.nHeight = nTmp;
 m_pStream->ReadUInt16( aInfoHeader2.nPlanes );
 m_pStream->ReadUInt16( aInfoHeader2.nBitCount );

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

2022-02-03 Thread zhutyra (via logerrit)

 lotuswordpro/source/filter/lwpdrawobj.cxx |   65 ++
 1 file changed, 15 insertions(+), 50 deletions(-)

New commits:
commit 17dd787a4ca9c17883e0bdfc75c89c2fa7ec169e
Author: zhutyra 
AuthorDate: Tue Feb 1 14:07:26 2022 +
Commit: Michael Stahl 
CommitDate: Thu Feb 3 11:59:31 2022 +0100

ensure bounds checking

LIBREOFFICE-SBQ5TJRS

Change-Id: I71f35bc120fdd70298685131f29a6bb822d50f11
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129261
Tested-by: Jenkins
Reviewed-by: Michael Stahl 

diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx 
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index ce3f5249786d..11bc3bcb5a98 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1369,21 +1369,20 @@ void LwpDrawBitmap::Read()
 m_pStream->ReadUInt16( m_aBmpRec.nTranslation );
 m_pStream->ReadUInt16( m_aBmpRec.nRotation );
 
+// 20 == length of draw-specific fields.
 if (m_aObjHeader.nRecLen < 20)
 throw BadRead();
 
-// 20 == length of draw-specific fields.
-// 14 == length of bmp file header.
-m_aBmpRec.nFileSize = m_aObjHeader.nRecLen - 20 + 14;
+sal_uInt64 nBmpPos = m_pStream->Tell();
+sal_uInt64 nBmpLen =
+std::min(m_aObjHeader.nRecLen - 20, 
m_pStream->remainingSize());
 
 BmpInfoHeader2 aInfoHeader2;
 m_pStream->ReadUInt32( aInfoHeader2.nHeaderLen );
 
-if (!m_pStream->good())
+if (!m_pStream->good() || nBmpLen < aInfoHeader2.nHeaderLen)
 throw BadRead();
 
-m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
-
 sal_uInt32 N;
 sal_uInt32 rgbTableSize;
 
@@ -1407,7 +1406,7 @@ void LwpDrawBitmap::Read()
 rgbTableSize = 3 * (1 << N);
 }
 }
-else
+else if (aInfoHeader2.nHeaderLen >= sizeof(BmpInfoHeader2))
 {
 m_pStream->ReadUInt32( aInfoHeader2.nWidth );
 m_pStream->ReadUInt32( aInfoHeader2.nHeight );
@@ -1426,9 +1425,15 @@ void LwpDrawBitmap::Read()
 {
 rgbTableSize = 4 * (1 << N);
 }
-
+}
+else
+{
+throw BadRead();
 }
 
+m_aBmpRec.nFileSize = static_cast(nBmpLen + 14);
+m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
+
 sal_uInt32 nOffBits = 14 + aInfoHeader2.nHeaderLen + rgbTableSize;
 m_pImageData[0] = 'B';
 m_pImageData[1] = 'M';
@@ -1445,50 +1450,10 @@ void LwpDrawBitmap::Read()
 m_pImageData[12] = static_cast(nOffBits >> 16);
 m_pImageData[13] = static_cast(nOffBits >> 24);
 
-sal_uInt32 nDIBRemaining;
 sal_uInt8* pPicData = m_pImageData.get();
-if (aInfoHeader2.nHeaderLen== sizeof(BmpInfoHeader))
-{
-m_pImageData[14] = static_cast(aInfoHeader2.nHeaderLen);
-m_pImageData[15] = static_cast(aInfoHeader2.nHeaderLen >> 
8);
-m_pImageData[16] = static_cast(aInfoHeader2.nHeaderLen >> 
16);
-m_pImageData[17] = static_cast(aInfoHeader2.nHeaderLen >> 
24);
-m_pImageData[18] = static_cast(aInfoHeader2.nWidth);
-m_pImageData[19] = static_cast(aInfoHeader2.nWidth >> 8);
-m_pImageData[20] = static_cast(aInfoHeader2.nHeight);
-m_pImageData[21] = static_cast(aInfoHeader2.nHeight >> 8);
-m_pImageData[22] = static_cast(aInfoHeader2.nPlanes);
-m_pImageData[23] = static_cast(aInfoHeader2.nPlanes >> 8);
-m_pImageData[24] = static_cast(aInfoHeader2.nBitCount);
-m_pImageData[25] = static_cast(aInfoHeader2.nBitCount >> 8);
-
-nDIBRemaining = m_aBmpRec.nFileSize - 26;
-pPicData += 26*sizeof(sal_uInt8);
-}
-else
-{
-m_pImageData[14] = static_cast(aInfoHeader2.nHeaderLen);
-m_pImageData[15] = static_cast(aInfoHeader2.nHeaderLen >> 
8);
-m_pImageData[16] = static_cast(aInfoHeader2.nHeaderLen >> 
16);
-m_pImageData[17] = static_cast(aInfoHeader2.nHeaderLen >> 
24);
-m_pImageData[18] = static_cast(aInfoHeader2.nWidth);
-m_pImageData[19] = static_cast(aInfoHeader2.nWidth >> 8);
-m_pImageData[20] = static_cast(aInfoHeader2.nWidth >> 16);
-m_pImageData[21] = static_cast(aInfoHeader2.nWidth >> 24);
-m_pImageData[22] = static_cast(aInfoHeader2.nHeight);
-m_pImageData[23] = static_cast(aInfoHeader2.nHeight >> 8);
-m_pImageData[24] = static_cast(aInfoHeader2.nHeight >> 16);
-m_pImageData[25] = static_cast(aInfoHeader2.nHeight >> 24);
-m_pImageData[26] = static_cast(aInfoHeader2.nPlanes);
-m_pImageData[27] = static_cast(aInfoHeader2.nPlanes >> 8);
-m_pImageData[28] = static_cast(aInfoHeader2.nBitCount);
-m_pImageData[29] = static_cast(aInfoHeader2.nBitCount >> 8);
-
-nDIBRemaining = m_aBmpRec.nFileSize - 30;
-pPicData += 30*sizeof(sal_uInt8);
-}
 
-if (nDIBRemaining != m_pStream->ReadBytes(pPicData, nDIBRemaining))
+m_pStream->Seek(nBmpPos);
+if (nBmpLen != m_pStream->ReadBytes(pPicData +

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

2022-01-31 Thread Caolán McNamara (via logerrit)

 lotuswordpro/source/filter/lwpdrawobj.cxx |   13 ++---
 1 file changed, 10 insertions(+), 3 deletions(-)

New commits:
commit 7c8b41bc322720dc9434fbef1f10a6740913165e
Author: Caolán McNamara 
AuthorDate: Thu Jan 13 16:57:48 2022 +
Commit: Michael Stahl 
CommitDate: Mon Jan 31 14:30:37 2022 +0100

ofz#43577 valid reclen must be >= 20

Change-Id: I454bff4acfcd85701a7f094a8bd76898825e9ce2
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128388
Tested-by: Jenkins
Reviewed-by: Caolán McNamara 
(cherry picked from commit 77a07bcaf59181dbbc719b913566091deadc)

ofz: Use-of-uninitialized-value

Change-Id: I6b768b80d972c5379005efecfb803463ca648b4b
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128644
Tested-by: Jenkins
Reviewed-by: Caolán McNamara 
(cherry picked from commit 7b37a1a5144a3a4c8b0803b7e2da81e9e108bf66)

ofz: Undefined-Shift

Change-Id: Ib935359071ef9e390aa3d6c9713ed48241ad18e6
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129066
Tested-by: Jenkins
Reviewed-by: Caolán McNamara 
(cherry picked from commit e863b90a0e5fc90c3b824e4b0012f9389b87a3ac)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129183
Reviewed-by: Michael Stahl 

diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx 
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index 5de7ae30894d..ce3f5249786d 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1369,14 +1369,21 @@ void LwpDrawBitmap::Read()
 m_pStream->ReadUInt16( m_aBmpRec.nTranslation );
 m_pStream->ReadUInt16( m_aBmpRec.nRotation );
 
+if (m_aObjHeader.nRecLen < 20)
+throw BadRead();
+
 // 20 == length of draw-specific fields.
 // 14 == length of bmp file header.
 m_aBmpRec.nFileSize = m_aObjHeader.nRecLen - 20 + 14;
-m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
 
 BmpInfoHeader2 aInfoHeader2;
 m_pStream->ReadUInt32( aInfoHeader2.nHeaderLen );
 
+if (!m_pStream->good())
+throw BadRead();
+
+m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
+
 sal_uInt32 N;
 sal_uInt32 rgbTableSize;
 
@@ -1391,7 +1398,7 @@ void LwpDrawBitmap::Read()
 throw BadRead();
 
 N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount;
-if (N == 24)
+if (N >= 16)
 {
 rgbTableSize = 0;
 }
@@ -1411,7 +1418,7 @@ void LwpDrawBitmap::Read()
 throw BadRead();
 
 N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount;
-if (N == 24)
+if (N >= 16)
 {
 rgbTableSize = 0;
 }

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

2022-01-27 Thread Caolán McNamara (via logerrit)

 lotuswordpro/source/filter/lwpdrawobj.cxx |3 +++
 1 file changed, 3 insertions(+)

New commits:
commit af8709defeb90464c8724d3fe5fb8cbbf6efc2b8
Author: Caolán McNamara 
AuthorDate: Wed Jan 26 11:57:13 2022 +
Commit: Xisco Fauli 
CommitDate: Thu Jan 27 11:50:05 2022 +0100

ofz#44080 throw exception on a negative length

Change-Id: I3e2286cea69908fae3a2dd177d10fca2b7f0c877
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128956
Tested-by: Jenkins
Reviewed-by: Xisco Fauli 

diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx 
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index a697b6b0de48..5de7ae30894d 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1093,6 +1093,9 @@ XFFrame* LwpDrawTextBox::CreateDrawObj(const OUString& 
rStyleName )
 aEncoding = LwpCharSetMgr::GetTextCharEncoding();
 }
 
+if (TextLength < 2)
+throw BadRead();
+
 XFParagraph* pXFPara = new XFParagraph();
 pXFPara->Add(OUString(reinterpret_cast(m_aTextRec.pTextString), 
(TextLength-2), aEncoding));
 pXFPara->SetStyleName(rStyleName);

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

2022-01-18 Thread Caolán McNamara (via logerrit)

 lotuswordpro/source/filter/lwpdrawobj.cxx |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

New commits:
commit bb03203848ef1c30786ad084440b5d317a466127
Author: Caolán McNamara 
AuthorDate: Mon Jan 17 10:48:12 2022 +
Commit: Michael Stahl 
CommitDate: Tue Jan 18 11:28:50 2022 +0100

ofz: Use-of-uninitialized-value

Change-Id: Ic5f41e4f1f6b20a8cd8887807296f33adb48b728
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128439
Tested-by: Jenkins
Reviewed-by: Michael Stahl 

diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx 
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index c684f7809d94..a697b6b0de48 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1478,7 +1478,8 @@ void LwpDrawBitmap::Read()
 pPicData += 30*sizeof(sal_uInt8);
 }
 
-m_pStream->ReadBytes(pPicData, nDIBRemaining);
+if (nDIBRemaining != m_pStream->ReadBytes(pPicData, nDIBRemaining))
+throw BadRead();
 }
 
 OUString LwpDrawBitmap::RegisterStyle()

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

2022-01-17 Thread Caolán McNamara (via logerrit)

 lotuswordpro/source/filter/lwpdrawobj.cxx |   20 
 1 file changed, 12 insertions(+), 8 deletions(-)

New commits:
commit 7607a7e45a1da570dda0a4b96c08405086a647b6
Author: Caolán McNamara 
AuthorDate: Sun Jan 16 14:30:15 2022 +
Commit: Michael Stahl 
CommitDate: Mon Jan 17 11:31:13 2022 +0100

ofz: Use-of-uninitialized-value

Change-Id: Ib1c3b306573dda073f6ff3d7d0cc17aef39c0a0e
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128436
Tested-by: Jenkins
Reviewed-by: Michael Stahl 

diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx 
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index 6d6be3748b49..c684f7809d94 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -497,7 +497,7 @@ void LwpDrawPolyLine::Read()
 m_pStream->ReadUChar( m_aPolyLineRec.aPenColor.unused );
 m_pStream->ReadUInt16( m_aPolyLineRec.nNumPoints );
 
-if (m_aPolyLineRec.nNumPoints > m_pStream->remainingSize() / 4)
+if (!m_pStream->good() || m_aPolyLineRec.nNumPoints > 
m_pStream->remainingSize() / 4)
 throw BadRead();
 
 m_pVector.reset( new SdwPoint[m_aPolyLineRec.nNumPoints] );
@@ -577,7 +577,7 @@ void LwpDrawPolygon::Read()
 ReadClosedObjStyle();
 m_pStream->ReadUInt16( m_nNumPoints );
 
-if (m_nNumPoints > m_pStream->remainingSize() / 4)
+if (!m_pStream->good() || m_nNumPoints > m_pStream->remainingSize() / 4)
 throw BadRead();
 
 m_pVector.reset( new SdwPoint[m_nNumPoints] );
@@ -1042,6 +1042,9 @@ void LwpDrawTextBox::Read()
 m_pStream->ReadInt16( m_aTextRec.nTextRotation );
 m_pStream->ReadInt16( m_aTextRec.nTextExtraSpacing );
 
+if (!m_pStream->good())
+throw BadRead();
+
 // some draw files in version 1.2 have an extra byte following '\0'.
 // can't rely on that, so read in the whole string into memory.
 
@@ -1187,17 +1190,17 @@ void LwpDrawTextArt::Read()
 m_pStream->ReadInt16( m_aTextArtRec.nRotation );
 
 sal_uInt16 nPointNumber;
-sal_Int16 nX, nY;
 m_pStream->ReadUInt16( nPointNumber );
 
 size_t nPoints = nPointNumber*3+1;
-if (nPoints > m_pStream->remainingSize() / 4)
+if (!m_pStream->good() || nPoints > m_pStream->remainingSize() / 4)
 throw BadRead();
 
 m_aTextArtRec.aPath[0].n = nPointNumber;
 m_aTextArtRec.aPath[0].aPts.resize(nPoints);
 for (size_t nPt = 0; nPt < nPoints; ++nPt)
 {
+sal_Int16 nX, nY;
 m_pStream->ReadInt16( nX );
 m_pStream->ReadInt16( nY );
 m_aTextArtRec.aPath[0].aPts[nPt].x = nX;
@@ -1207,13 +1210,14 @@ void LwpDrawTextArt::Read()
 m_pStream->ReadUInt16( nPointNumber );
 
 nPoints = nPointNumber*3+1;
-if (nPoints > m_pStream->remainingSize() / 4)
+if (!m_pStream->good() || nPoints > m_pStream->remainingSize() / 4)
 throw BadRead();
 
 m_aTextArtRec.aPath[1].n = nPointNumber;
 m_aTextArtRec.aPath[1].aPts.resize(nPoints);
 for (size_t nPt = 0; nPt < nPoints; ++nPt)
 {
+sal_Int16 nX, nY;
 m_pStream->ReadInt16( nX );
 m_pStream->ReadInt16( nY );
 m_aTextArtRec.aPath[1].aPts[nPt].x = nX;
@@ -1242,7 +1246,7 @@ void LwpDrawTextArt::Read()
 - 
(m_aTextArtRec.aPath[1].n*3 + 1)*4;
 
 
-if (m_aTextArtRec.nTextLen > m_pStream->remainingSize())
+if (!m_pStream->good() || m_aTextArtRec.nTextLen > 
m_pStream->remainingSize())
 throw BadRead();
 
 m_aTextArtRec.pTextString = new sal_uInt8 [m_aTextArtRec.nTextLen];
@@ -1380,7 +1384,7 @@ void LwpDrawBitmap::Read()
 m_pStream->ReadUInt16( aInfoHeader2.nPlanes );
 m_pStream->ReadUInt16( aInfoHeader2.nBitCount );
 
-if (!IsValid(aInfoHeader2))
+if (!m_pStream->good() || !IsValid(aInfoHeader2))
 throw BadRead();
 
 N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount;
@@ -1400,7 +1404,7 @@ void LwpDrawBitmap::Read()
 m_pStream->ReadUInt16( aInfoHeader2.nPlanes );
 m_pStream->ReadUInt16( aInfoHeader2.nBitCount );
 
-if (!IsValid(aInfoHeader2))
+if (!m_pStream->good() || !IsValid(aInfoHeader2))
 throw BadRead();
 
 N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount;

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

2022-01-13 Thread Caolán McNamara (via logerrit)

 lotuswordpro/source/filter/lwpdrawobj.cxx |6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

New commits:
commit b015566e36593c84251f9fe65f259cbe18811074
Author: Caolán McNamara 
AuthorDate: Mon Jan 10 09:49:50 2022 +
Commit: Caolán McNamara 
CommitDate: Thu Jan 13 12:40:58 2022 +0100

ofz: Use-of-unintialized-value

Change-Id: I6c9a1a22240defbc8d9fa262ad087770445ffc4a
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128210
Tested-by: Jenkins
Reviewed-by: Caolán McNamara 
(cherry picked from commit b4c56c0fd917623bbc0982eb53276e6ca64e7f42)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128335
Reviewed-by: Michael Stahl 

diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx 
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index abff0b656710..6d6be3748b49 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1049,9 +1049,9 @@ void LwpDrawTextBox::Read()
 sal_Int16 TextLength = m_aObjHeader.nRecLen - 71;
 if (TextLength < 0)
 throw BadRead();
-m_aTextRec.pTextString = new sal_uInt8 [TextLength];
-
-m_pStream->ReadBytes(m_aTextRec.pTextString, TextLength);
+m_aTextRec.pTextString = new sal_uInt8[TextLength];
+if (m_pStream->ReadBytes(m_aTextRec.pTextString, TextLength) != 
o3tl::make_unsigned(TextLength))
+throw BadRead();
 }
 
 OUString LwpDrawTextBox::RegisterStyle()

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

2022-01-13 Thread Caolán McNamara (via logerrit)

 lotuswordpro/source/filter/lwpdrawobj.cxx |2 ++
 1 file changed, 2 insertions(+)

New commits:
commit fb34972b945b73ab86caf8dd3f4d7abb701f2299
Author: Caolán McNamara 
AuthorDate: Wed Jan 12 09:51:30 2022 +
Commit: Caolán McNamara 
CommitDate: Thu Jan 13 12:21:20 2022 +0100

ofz#43551 Use-of-uninitialized-value

Change-Id: I2eb139f3bff296cff7d8f0e9a05f19df56b27ecd
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128328
Reviewed-by: Michael Stahl 
Tested-by: Jenkins

diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx 
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index 7a1f369cb1d8..abff0b656710 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1023,6 +1023,7 @@ void LwpDrawTextBox::Read()
 
 m_pStream->ReadInt16( m_aTextRec.nTextHeight );
 m_pStream->ReadBytes(m_aTextRec.tmpTextFaceName, DRAW_FACESIZE);
+m_aTextRec.tmpTextFaceName[DRAW_FACESIZE - 1] = 0;
 m_pStream->SeekRel(1);// PitchAndFamily
 
 m_pStream->ReadInt16( m_aTextRec.nTextSize );
@@ -1222,6 +1223,7 @@ void LwpDrawTextArt::Read()
 m_pStream->SeekRel(1);
 
 m_pStream->ReadBytes(m_aTextArtRec.tmpTextFaceName, DRAW_FACESIZE);
+m_aTextArtRec.tmpTextFaceName[DRAW_FACESIZE - 1] = 0;
 m_pStream->SeekRel(1);// PitchAndFamily
 
 m_pStream->ReadInt16( m_aTextArtRec.nTextSize );

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

2022-01-12 Thread Caolán McNamara (via logerrit)

 lotuswordpro/source/filter/lwpdrawobj.cxx |   23 +++
 1 file changed, 23 insertions(+)

New commits:
commit fb5fe960e4d50176c754ae2d10ce53c3c3da82a1
Author: Caolán McNamara 
AuthorDate: Sun Jan 9 16:07:32 2022 +
Commit: Michael Stahl 
CommitDate: Wed Jan 12 11:14:03 2022 +0100

ofz#43446 Undefined-shift

Change-Id: Ibe3485983ecf764ca8b8e667b470c6b210b6d2d4
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128192
Tested-by: Jenkins
Reviewed-by: Caolán McNamara 
(cherry picked from commit 27e9de358b4afc6a89b09c173316cee0abfb471d)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128234
Reviewed-by: Michael Stahl 

diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx 
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index 6806f68a95dc..7a1f369cb1d8 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1336,6 +1336,22 @@ LwpDrawBitmap::~LwpDrawBitmap()
 {
 }
 
+static bool IsValid(const BmpInfoHeader2& rHeader)
+{
+if (rHeader.nPlanes != 1)
+return false;
+
+if (rHeader.nBitCount != 0 && rHeader.nBitCount != 1 &&
+rHeader.nBitCount != 4 && rHeader.nBitCount != 8 &&
+rHeader.nBitCount != 16 && rHeader.nBitCount != 24 &&
+rHeader.nBitCount != 32)
+{
+return false;
+}
+
+return true;
+}
+
 /**
  * @descr   reading function of class LwpDrawBitmap
  */
@@ -1362,6 +1378,9 @@ void LwpDrawBitmap::Read()
 m_pStream->ReadUInt16( aInfoHeader2.nPlanes );
 m_pStream->ReadUInt16( aInfoHeader2.nBitCount );
 
+if (!IsValid(aInfoHeader2))
+throw BadRead();
+
 N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount;
 if (N == 24)
 {
@@ -1378,6 +1397,10 @@ void LwpDrawBitmap::Read()
 m_pStream->ReadUInt32( aInfoHeader2.nHeight );
 m_pStream->ReadUInt16( aInfoHeader2.nPlanes );
 m_pStream->ReadUInt16( aInfoHeader2.nBitCount );
+
+if (!IsValid(aInfoHeader2))
+throw BadRead();
+
 N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount;
 if (N == 24)
 {

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

2022-01-12 Thread Caolán McNamara (via logerrit)

 lotuswordpro/source/filter/lwpdrawobj.cxx   |   40 +---
 lotuswordpro/source/filter/lwpsdwdrawheader.hxx |4 +-
 2 files changed, 18 insertions(+), 26 deletions(-)

New commits:
commit f5e2f6ea32359cb2ad793c5ed844a00456786dd0
Author: Caolán McNamara 
AuthorDate: Mon Jan 10 19:58:20 2022 +
Commit: Michael Stahl 
CommitDate: Wed Jan 12 11:08:13 2022 +0100

ofz#43509 use std::vector and at()

Change-Id: Id0c5e4ccc22b41caee95ca5f53f6ae7cf70490f6
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128238
Tested-by: Jenkins
Reviewed-by: Michael Stahl 

diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx 
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index 89eaf1c0a255..6806f68a95dc 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1128,16 +1128,8 @@ LwpDrawTextArt::LwpDrawTextArt(SvStream* pStream, 
DrawingOffsetAndScale* pTransD
 
 LwpDrawTextArt::~LwpDrawTextArt()
 {
-if (m_aTextArtRec.aPath[0].pPts)
-{
-delete [] m_aTextArtRec.aPath[0].pPts;
-m_aTextArtRec.aPath[0].pPts = nullptr;
-}
-if (m_aTextArtRec.aPath[1].pPts)
-{
-delete [] m_aTextArtRec.aPath[1].pPts;
-m_aTextArtRec.aPath[1].pPts = nullptr;
-}
+m_aTextArtRec.aPath[0].aPts.clear();
+m_aTextArtRec.aPath[1].aPts.clear();
 if (m_aTextArtRec.pTextString)
 {
 delete [] m_aTextArtRec.pTextString;
@@ -1149,8 +1141,8 @@ LwpDrawTextArt::~LwpDrawTextArt()
 void LwpDrawTextArt::CreateFWPath(XFDrawPath* pPath)
 {
 sal_Int16 nX, nY;
-nX = (m_aTextArtRec.aPath[0].pPts[0].x + m_aTextArtRec.aPath[1].pPts[0].x) 
/ 2;
-nY = (m_aTextArtRec.aPath[0].pPts[0].y + m_aTextArtRec.aPath[1].pPts[0].y) 
/ 2;
+nX = (m_aTextArtRec.aPath[0].aPts[0].x + m_aTextArtRec.aPath[1].aPts[0].x) 
/ 2;
+nY = (m_aTextArtRec.aPath[0].aPts[0].y + m_aTextArtRec.aPath[1].aPts[0].y) 
/ 2;
 XFPoint aStart(static_cast(nX)/TWIPS_PER_CM * 
m_pTransData->fScaleX,
 static_cast(nY)/TWIPS_PER_CM * m_pTransData->fScaleY);
 pPath->MoveTo(aStart);
@@ -1158,20 +1150,20 @@ void LwpDrawTextArt::CreateFWPath(XFDrawPath* pPath)
 sal_uInt8 nPtIndex = 1;
 for (sal_uInt16 nC = 1; nC <= m_aTextArtRec.aPath[0].n; nC++)
 {
-nX = (m_aTextArtRec.aPath[0].pPts[nPtIndex].x + 
m_aTextArtRec.aPath[1].pPts[nPtIndex].x) / 2;
-nY = (m_aTextArtRec.aPath[0].pPts[nPtIndex].y + 
m_aTextArtRec.aPath[1].pPts[nPtIndex].y) / 2;
+nX = (m_aTextArtRec.aPath[0].aPts.at(nPtIndex).x + 
m_aTextArtRec.aPath[1].aPts.at(nPtIndex).x) / 2;
+nY = (m_aTextArtRec.aPath[0].aPts.at(nPtIndex).y + 
m_aTextArtRec.aPath[1].aPts.at(nPtIndex).y) / 2;
 XFPoint aCtrl1(static_cast(nX)/TWIPS_PER_CM * 
m_pTransData->fScaleX,
 static_cast(nY)/TWIPS_PER_CM * m_pTransData->fScaleY);
 
 nPtIndex++;
-nX = (m_aTextArtRec.aPath[0].pPts[nPtIndex].x + 
m_aTextArtRec.aPath[1].pPts[nPtIndex].x) / 2;
-nY = (m_aTextArtRec.aPath[0].pPts[nPtIndex].y + 
m_aTextArtRec.aPath[1].pPts[nPtIndex].y) / 2;
+nX = (m_aTextArtRec.aPath[0].aPts.at(nPtIndex).x + 
m_aTextArtRec.aPath[1].aPts.at(nPtIndex).x) / 2;
+nY = (m_aTextArtRec.aPath[0].aPts.at(nPtIndex).y + 
m_aTextArtRec.aPath[1].aPts.at(nPtIndex).y) / 2;
 XFPoint aCtrl2(static_cast(nX)/TWIPS_PER_CM * 
m_pTransData->fScaleX,
 static_cast(nY)/TWIPS_PER_CM * m_pTransData->fScaleY);
 
 nPtIndex++;
-nX = (m_aTextArtRec.aPath[0].pPts[nPtIndex].x + 
m_aTextArtRec.aPath[1].pPts[nPtIndex].x) / 2;
-nY = (m_aTextArtRec.aPath[0].pPts[nPtIndex].y + 
m_aTextArtRec.aPath[1].pPts[nPtIndex].y) / 2;
+nX = (m_aTextArtRec.aPath[0].aPts.at(nPtIndex).x + 
m_aTextArtRec.aPath[1].aPts.at(nPtIndex).x) / 2;
+nY = (m_aTextArtRec.aPath[0].aPts.at(nPtIndex).y + 
m_aTextArtRec.aPath[1].aPts.at(nPtIndex).y) / 2;
 XFPoint aDest(static_cast(nX)/TWIPS_PER_CM * 
m_pTransData->fScaleX,
 static_cast(nY)/TWIPS_PER_CM * m_pTransData->fScaleY);
 
@@ -1202,13 +1194,13 @@ void LwpDrawTextArt::Read()
 throw BadRead();
 
 m_aTextArtRec.aPath[0].n = nPointNumber;
-m_aTextArtRec.aPath[0].pPts = new SdwPoint[nPoints];
+m_aTextArtRec.aPath[0].aPts.resize(nPoints);
 for (size_t nPt = 0; nPt < nPoints; ++nPt)
 {
 m_pStream->ReadInt16( nX );
 m_pStream->ReadInt16( nY );
-m_aTextArtRec.aPath[0].pPts[nPt].x = nX;
-m_aTextArtRec.aPath[0].pPts[nPt].y = nY;
+m_aTextArtRec.aPath[0].aPts[nPt].x = nX;
+m_aTextArtRec.aPath[0].aPts[nPt].y = nY;
 }
 
 m_pStream->ReadUInt16( nPointNumber );
@@ -1218,13 +1210,13 @@ void LwpDrawTextArt::Read()
 throw BadRead();
 
 m_aTextArtRec.aPath[1].n = nPointNumber;
-m_aTextArtRec.aPath[1].pPts = new SdwPoint[nPoints];
+m_aTextArtRec.aPath[1].aPts.resize(nPoints);
 for (size_t nPt = 0; nPt < nPoints; ++nPt)
 {

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

2022-01-11 Thread Caolán McNamara (via logerrit)

 lotuswordpro/source/filter/lwpdrawobj.cxx |2 ++
 1 file changed, 2 insertions(+)

New commits:
commit 35be5565c8e054a343954ee545df65c29384ff27
Author: Caolán McNamara 
AuthorDate: Sun Jan 9 16:16:39 2022 +
Commit: Xisco Fauli 
CommitDate: Tue Jan 11 11:15:42 2022 +0100

ofz#43458 avoid OOM

Change-Id: Id0e1e985c446c147a219ba2f5157a41deae656a4
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128193
Tested-by: Jenkins
Reviewed-by: Caolán McNamara 
(cherry picked from commit e28f4b6bccafb2b9f3c44dfabf36d1b822d85f84)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128236
Reviewed-by: Xisco Fauli 

diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx 
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index 547017a68555..89eaf1c0a255 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1046,6 +1046,8 @@ void LwpDrawTextBox::Read()
 
 // the 71 is the fixed length before text content in textbox record
 sal_Int16 TextLength = m_aObjHeader.nRecLen - 71;
+if (TextLength < 0)
+throw BadRead();
 m_aTextRec.pTextString = new sal_uInt8 [TextLength];
 
 m_pStream->ReadBytes(m_aTextRec.pTextString, TextLength);

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

2022-01-09 Thread Caolán McNamara (via logerrit)

 lotuswordpro/source/filter/lwpsdwdrawheader.hxx |   12 
 1 file changed, 12 insertions(+)

New commits:
commit e854cdf8c419e91265341881bdc8c94ea0a38dd8
Author: Caolán McNamara 
AuthorDate: Sat Jan 8 14:44:11 2022 +
Commit: Adolfo Jayme Barrientos 
CommitDate: Mon Jan 10 02:09:07 2022 +0100

ofz#43818 delete of uninitialized pointer

Change-Id: I91509915c18c3e9b54cb3047462b9dd9a8c7a46b
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128147
Tested-by: Jenkins
Reviewed-by: Adolfo Jayme Barrientos 

diff --git a/lotuswordpro/source/filter/lwpsdwdrawheader.hxx 
b/lotuswordpro/source/filter/lwpsdwdrawheader.hxx
index 3153b837aaba..13696f453a74 100644
--- a/lotuswordpro/source/filter/lwpsdwdrawheader.hxx
+++ b/lotuswordpro/source/filter/lwpsdwdrawheader.hxx
@@ -271,6 +271,18 @@ struct SdwTextBoxRecord
 sal_Int16 nTextRotation;
 sal_Int16 nTextExtraSpacing;
 sal_uInt8* pTextString;
+SdwTextBoxRecord()
+: nTextWidth(0)
+, nTextHeight(0)
+, nTextSize(0)
+, tmpTextFaceName{}
+, nTextAttrs(0)
+, nTextCharacterSet(0)
+, nTextRotation(0)
+, nTextExtraSpacing(0)
+, pTextString(nullptr)
+{
+}
 };
 
 struct SdwFMPATH

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

2022-01-07 Thread Caolán McNamara (via logerrit)

 lotuswordpro/source/filter/lwpsdwgrouploaderv0102.cxx |7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

New commits:
commit 584c5381cc8e1aa8203898512d726ef091828cec
Author: Caolán McNamara 
AuthorDate: Fri Jan 7 09:24:27 2022 +
Commit: Michael Stahl 
CommitDate: Fri Jan 7 13:41:54 2022 +0100

ofz#43376 Null-dereference

Change-Id: I57f67465e4f8ca6fc6bd47d7b095e9b470d9d2c3
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128073
Tested-by: Jenkins
Reviewed-by: Michael Stahl 

diff --git a/lotuswordpro/source/filter/lwpsdwgrouploaderv0102.cxx 
b/lotuswordpro/source/filter/lwpsdwgrouploaderv0102.cxx
index 3b8e8accad33..1b73b97a1f4f 100644
--- a/lotuswordpro/source/filter/lwpsdwgrouploaderv0102.cxx
+++ b/lotuswordpro/source/filter/lwpsdwgrouploaderv0102.cxx
@@ -373,8 +373,11 @@ XFFrame* LwpSdwGroupLoaderV0102::CreateDrawObject()
 
 pRetObjct = CreateDrawGroupObject();
 
-// set anchor type
-pRetObjct->SetAnchorType(enumXFAnchorFrame);
+if (pRetObjct)
+{
+// set anchor type
+pRetObjct->SetAnchorType(enumXFAnchorFrame);
+}
 break;
 }
 case OT_CHART://fall-through

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source

14 matches

Site Navigation

Mail list logo

Footer information