authorMichael Stahl <mstahl@redhat.com>2013-02-25 13:15:19 +0100
committerRadek Doulík <rodo@novell.com>2013-02-26 10:12:37 +0000
commit83707a8b8a47efd074b7f03df0da779870efa687 (patch)
tree3a4964fc2eacbdf146b0849bbb88a7f618fabd01
parent282af14d3c021ad6927bc909161c0ff7b31fa1c9 (diff)
fdo#59405: cppcanvas: fix infinite loop in processEMFPlus
This can be observed when inserting the bugdoc from fdo#59405. Apparently the "size" and "length" do not agree; ensure that the "length" does not underflow. Change-Id: Idfc68919859b8284c724831de21208e4392af328 (cherry picked from commit ec0d1440cf07008a220708535848567bcbb233ea) Reviewed-on: https://gerrit.libreoffice.org/2394 Reviewed-by: Radek Doulík <rodo@novell.com> Tested-by: Radek Doulík <rodo@novell.com> (cherry picked from commit 6cf68eab5eb77b7e081ef5f8d59d196411e86567) Reviewed-on: https://gerrit.libreoffice.org/2398 Reviewed-by: Fridrich Strba <fridrich@documentfoundation.org> Reviewed-by: Michael Meeks <michael.meeks@suse.com>
-rw-r--r--cppcanvas/source/mtfrenderer/emfplus.cxx11
1 files changed, 10 insertions, 1 deletions
diff --git a/cppcanvas/source/mtfrenderer/emfplus.cxx b/cppcanvas/source/mtfrenderer/emfplus.cxx
index f1b0eff12282..0c9db41dd843 100644
--- a/cppcanvas/source/mtfrenderer/emfplus.cxx
+++ b/cppcanvas/source/mtfrenderer/emfplus.cxx
@@ -1763,7 +1763,16 @@ namespace cppcanvas
rMF.Seek (next);
- length -= size;
+ if (size <= length)
+ {
+ length -= size;
+ }
+ else
+ {
+ SAL_WARN("cppcanvas", "ImplRenderer::processEMFPlus: "
+ "size " << size << " > length " << length);
+ length = 0;
+ }
}
}
}
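Review bot: The new guard runs only after the record has been handled and `rMF.Seek (next)` has executed, so a record whose `size` exceeds the remaining `length` is still consumed before the mismatch is noticed. A `size` of zero also passes `size <= length` and leaves `length` unchanged; if the enclosing loop runs while `length` is non-zero (its header is outside this hunk), that case would still never terminate. Since these values come from the document, I would validate `size` at the point it is read, before any record handling: `if (size == 0 || size > length) { SAL_WARN("cppcanvas", "invalid EMF+ record size " << size); break; }`, and then keep `length -= size;` unconditional. It would also help to check that the seek to `next` succeeded and did not move backwards, because `next` is presumably derived from the same untrusted `size`.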