diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2015-07-10 08:40:42 +0100 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2015-07-10 08:58:21 +0100 |
| commit | fd2749455fe25e24b448a44f9ada6113e5ac0d13 (patch) | |
| tree | 5917e4474f7efa17398a8744e8dbb4d77bd94a9a | |
| parent | 5b2f8231945fedc46425e00f1234dcac90628c1d (diff) | |
avoid endless loop with busted wmf
Change-Id: I104de360f2e861e959ad2dad434a768440877f6f
| -rw-r--r-- | vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-1.wmf | bin | 0 -> 675 bytes | |||
| -rw-r--r-- | vcl/source/filter/wmf/winwmf.cxx | 10 |
2 files changed, 7 insertions, 3 deletions
diff --git a/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-1.wmf b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-1.wmf Binary files differnew file mode 100644 index 000000000000..7ba05cb00219 --- /dev/null +++ b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-1.wmf diff --git a/vcl/source/filter/wmf/winwmf.cxx b/vcl/source/filter/wmf/winwmf.cxx index 343b74f54a15..7b87f68a0013 100644 --- a/vcl/source/filter/wmf/winwmf.cxx +++ b/vcl/source/filter/wmf/winwmf.cxx @@ -1394,9 +1394,13 @@ void WMFReader::ReadWMF() } } } - nPos += nRecSize * 2; - if ( nPos <= nEndPos ) - pWMF->Seek( nPos ); + const sal_uInt32 nAvailableBytes = nEndPos - nPos; + const sal_uInt32 nMaxPossibleRecordSize = nAvailableBytes/2; + if (nRecSize <= nMaxPossibleRecordSize) + { + nPos += nRecSize * 2; + pWMF->Seek(nPos); + } else pWMF->SetError( SVSTREAM_FILEFORMAT_ERROR ); } |