diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2017-02-28 21:08:00 +0000 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2017-02-28 21:08:00 +0000 |
| commit | 7f0b3e90ad8cc6c16e2004cc0739150352c8d7e6 (patch) | |
| tree | facbadd1a93f7000dce544f24eacff8440996eb5 | |
| parent | 162cd5d4fee7611e6b9e84cfbfddc81cbb869650 (diff) | |
ofz: timeout, check availablity of point data before reading it
Change-Id: I86b3041bc5123ba10bbb9b64702dfb2060b3cc23
| -rw-r--r-- | filter/source/graphicfilter/ipict/ipict.cxx | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/filter/source/graphicfilter/ipict/ipict.cxx b/filter/source/graphicfilter/ipict/ipict.cxx index 4003b0fd49c7..a85e691f7b64 100644 --- a/filter/source/graphicfilter/ipict/ipict.cxx +++ b/filter/source/graphicfilter/ipict/ipict.cxx @@ -461,6 +461,12 @@ sal_uLong PictReader::ReadPolygon(tools::Polygon & rPoly) pPict->SeekRel(8); sal_uLong nDataSize = (sal_uLong)nSize; nSize=(nSize-10)/4; + const size_t nMaxPossiblePoints = pPict->remainingSize() / 2 * sizeof(sal_uInt16); + if (nSize > nMaxPossiblePoints) + { + SAL_WARN("filter.pict", "pict record claims to have: " << nSize << " points, but only " << nMaxPossiblePoints << " possible, clamping"); + nSize = nMaxPossiblePoints; + } rPoly.SetSize(nSize); for (sal_uInt16 i = 0; i < nSize; ++i) rPoly.SetPoint(ReadPoint(), i); |