Resolves: ofz#313 cbBmiSrc > getDIBV5HeaderSize

Change-Id: I67fb67dc0a4cb609b8f1391c1eb6dd395755a933 (cherry picked from commit 7485fc2a1484f31631f62f97e5c64c0ae74c6416) (cherry picked from commit 371f0f6770add78ae81e0f769d0490874bca353c) Reviewed-on: https://gerrit.libreoffice.org/32338 Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Michael Stahl <mstahl@redhat.com>
author: Caolán McNamara <caolanm@redhat.com> 2016-12-22 13:35:31 +0000
committer: Michael Stahl <mstahl@redhat.com> 2017-01-04 20:11:54 +0000
commit: f84516a348ea8e05bbf89816505a6041e711ebfd (patch)
tree: 45a1d6c5e84bb6725df4e215d161029d9beb81a8
parent: f0241948bd5c68c50c380d9c38704da563a80ac4 (diff)
1 files changed, 13 insertions, 4 deletions
diff --git a/vcl/source/filter/wmf/enhwmf.cxx b/vcl/source/filter/wmf/enhwmf.cxx
index ebb42cf977bb..9faca40238f2 100644
--- a/vcl/source/filter/wmf/enhwmf.cxx
+++ b/vcl/source/filter/wmf/enhwmf.cxx
@@ -1252,13 +1252,22 @@ bool EnhWMFReader::ReadEnhWMF()
                     else
                     {
                         const sal_uInt32 nSourceSize = cbBmiSrc + cbBitsSrc + 14;
-                        if ( nSourceSize <= ( nEndPos - nStartPos ) )
+                        bool bSafeRead = nSourceSize <= (nEndPos - nStartPos);
+                        sal_uInt32 nDeltaToDIB5HeaderSize(0);
+                        const bool bReadAlpha(0x01 == aFunc.aAlphaFormat);
+                        if (bSafeRead && bReadAlpha)
                         {
                             // we need to read alpha channel data if AlphaFormat of BLENDFUNCTION is
                             // AC_SRC_ALPHA (==0x01). To read it, create a temp DIB-File which is ready
                             // for DIB-5 format
-                            const bool bReadAlpha(0x01 == aFunc.aAlphaFormat);
-                            const sal_uInt32 nDeltaToDIB5HeaderSize(bReadAlpha ? getDIBV5HeaderSize() - cbBmiSrc : 0);
+                            const sal_uInt32 nHeaderSize = getDIBV5HeaderSize();
+                            if (cbBmiSrc > nHeaderSize)
+                                bSafeRead = false;
+                            else
+                                nDeltaToDIB5HeaderSize = nHeaderSize - cbBmiSrc;
+                        }
+                        if (bSafeRead)
+                        {
                             const sal_uInt32 nTargetSize(cbBmiSrc + nDeltaToDIB5HeaderSize + cbBitsSrc + 14);
                             char* pBuf = new char[ nTargetSize ];
                             SvMemoryStream aTmp( pBuf, nTargetSize, StreamMode::READ | StreamMode::WRITE );
@@ -1277,7 +1286,7 @@ bool EnhWMFReader::ReadEnhWMF()
                             pWMF->Seek( nStart + offBmiSrc );
                             pWMF->Read( pBuf + 14, cbBmiSrc );
 
-                            if(bReadAlpha)
+                            if (bReadAlpha)
                             {
                                 // need to add values for all stuff that DIBV5Header is bigger
                                 // than DIBInfoHeader, all values are correctly initialized to zero,
author	Caolán McNamara <caolanm@redhat.com>	2016-12-22 13:35:31 +0000
committer	Michael Stahl <mstahl@redhat.com>	2017-01-04 20:11:54 +0000
commit	f84516a348ea8e05bbf89816505a6041e711ebfd (patch)
tree	45a1d6c5e84bb6725df4e215d161029d9beb81a8
parent	f0241948bd5c68c50c380d9c38704da563a80ac4 (diff)