ofz: timeout

Change-Id: I3eff48549761aa8fa2569cd23c122f98fb2ea491 Reviewed-on: https://gerrit.libreoffice.org/49419 Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Caolán McNamara <caolanm@redhat.com> Tested-by: Caolán McNamara <caolanm@redhat.com>
author: Caolán McNamara <caolanm@redhat.com> 2018-02-08 11:13:47 +0000
committer: Caolán McNamara <caolanm@redhat.com> 2018-02-08 15:58:44 +0100
commit: 37e5c9efb19224974a3861eae18e16d6432c6bde (patch)
tree: 44ddb8179d5385adcb10404a24a2fe0539a31d47
parent: a26adf6679aa13dc5821047f6aa1f05e7d0d00fd (diff)
1 files changed, 22 insertions, 6 deletions
diff --git a/emfio/source/reader/wmfreader.cxx b/emfio/source/reader/wmfreader.cxx
index e0822757eefe..983fe70a1a4e 100644
--- a/emfio/source/reader/wmfreader.cxx
+++ b/emfio/source/reader/wmfreader.cxx
@@ -511,14 +511,30 @@ namespace emfio
 
             case W_META_TEXTOUT:
             {
+                //record is Recordsize, RecordFunction, StringLength, <String>, YStart, XStart
+                const sal_uInt32 nNonStringLen = sizeof(sal_uInt32) + 4 * sizeof(sal_uInt16);
+                const sal_uInt32 nRecSize = mnRecSize * 2;
                 sal_uInt16 nLength = 0;
-                mpInputStream->ReadUInt16( nLength );
-                if ( nLength )
+                mpInputStream->ReadUInt16(nLength);
+                sal_uInt16 nStoredLength = (nLength + 1) &~ 1;
+
+                if (nRecSize < nNonStringLen)
+                {
+                    SAL_WARN("vcl.wmf", "W_META_TEXTOUT too short");
+                    break;
+                }
+
+                if (nRecSize - nNonStringLen < nStoredLength)
+                {
+                    SAL_WARN("vcl.wmf", "W_META_TEXTOUT too short, truncating string");
+                    nLength = nStoredLength = nRecSize - nNonStringLen;
+                }
+
+                if (nLength)
                 {
-                    std::unique_ptr<char[]> pChar(new char[ ( nLength + 1 ) &~ 1 ]);
-                    nLength = std::min<sal_uInt64>(nLength, mpInputStream->ReadBytes(pChar.get(), (nLength + 1) &~ 1));
-                    OUString aText( pChar.get(), nLength, GetCharSet() );
-                    pChar.reset();
+                    std::vector<char> aChars(nStoredLength);
+                    nLength = std::min<sal_uInt16>(nLength, mpInputStream->ReadBytes(aChars.data(), aChars.size()));
+                    OUString aText(aChars.data(), nLength, GetCharSet());
                     Point aPosition( ReadYX() );
                     DrawText( aPosition, aText );
                 }
author	Caolán McNamara <caolanm@redhat.com>	2018-02-08 11:13:47 +0000
committer	Caolán McNamara <caolanm@redhat.com>	2018-02-08 15:58:44 +0100
commit	37e5c9efb19224974a3861eae18e16d6432c6bde (patch)
tree	44ddb8179d5385adcb10404a24a2fe0539a31d47
parent	a26adf6679aa13dc5821047f6aa1f05e7d0d00fd (diff)