CWS-TOOLING: integrate CWS os145

author: Kurt Zenker <kz@openoffice.org> 2010-11-23 16:56:24 +0100
committer: Kurt Zenker <kz@openoffice.org> 2010-11-23 16:56:24 +0100
commit: 2ca22cab454eb1438a58f6015301db453f1cbe84 (patch)
tree: ce4a20a0cb4d007018582474f3e4465922922f1e
parent: 7d825706b747be940a622d72d8fcf92916034bb1 (diff)
parent: b9113ba2a8a4fca7d21b1268a250f4cdc70ba64d (diff)
2 files changed, 44 insertions, 18 deletions
diff --git a/vcl/source/gdi/metaact.cxx b/vcl/source/gdi/metaact.cxx
index 8c1545758c3b..79d875542509 100644
--- a/vcl/source/gdi/metaact.cxx
+++ b/vcl/source/gdi/metaact.cxx
@@ -1441,19 +1441,35 @@ void MetaTextArrayAction::Read( SvStream& rIStm, ImplMetaReadData* pData )
     rIStm   >> mnLen;
     rIStm   >> nAryLen;
 
+    if ( mnIndex > mnLen )
+    {
+        mnIndex = 0;
+        mpDXAry = 0;
+        return;
+    }
+
     if( nAryLen )
     {
         // #i9762#, #106172# Ensure that DX array is at least mnLen entries long
-        const ULONG nIntAryLen( Max(nAryLen, static_cast<sal_uInt32>(mnLen)) );
-        mpDXAry = new sal_Int32[ nIntAryLen ];
-
-        ULONG i;
-        for( i = 0UL; i < nAryLen; i++ )
-            rIStm >> mpDXAry[ i ];
+        if ( mnLen >= nAryLen )
+        {
+            mpDXAry = new (std::nothrow)sal_Int32[ mnLen ];
+            if ( mpDXAry )
+            {
+                   ULONG i;
+                for( i = 0UL; i < nAryLen; i++ )
+                    rIStm >> mpDXAry[ i ];
 
-        // #106172# setup remainder
-        for( ; i < nIntAryLen; i++ )
-            mpDXAry[ i ] = 0;
+                // #106172# setup remainder
+                for( ; i < mnLen; i++ )
+                    mpDXAry[ i ] = 0;
+            }
+        }
+        else
+        {
+            mpDXAry = NULL;
+            return;
+        }
     }
     else
         mpDXAry = NULL;
diff --git a/vcl/source/gdi/pngread.cxx b/vcl/source/gdi/pngread.cxx
index 11971db34378..df67c4974d47 100644
--- a/vcl/source/gdi/pngread.cxx
+++ b/vcl/source/gdi/pngread.cxx
@@ -411,7 +411,9 @@ BitmapEx PNGReaderImpl::GetBitmapEx( const Size& rPreviewSizeHint )
 
             case PNGCHUNK_IDAT :
             {
-                if ( !mbIDAT )      // the gfx is finished, but there may be left a zlibCRC of about 4Bytes
+                if ( !mpInflateInBuf )  // taking care that the header has properly been read
+                    mbStatus = FALSE;
+                else if ( !mbIDAT )     // the gfx is finished, but there may be left a zlibCRC of about 4Bytes
                     ImplReadIDAT();
             }
             break;
@@ -527,7 +529,7 @@ BOOL PNGReaderImpl::ImplReadHeader( const Size& rPreviewSizeHint )
     mbIDAT = mbAlphaChannel = mbTransparent = FALSE;
     mbGrayScale = mbRGBTriple = FALSE;
     mnTargetDepth = mnPngDepth;
-    mnScansize = ( ( maOrigSize.Width() * mnPngDepth ) + 7 ) >> 3;
+    sal_uInt64 nScansize64 = ( ( static_cast< sal_uInt64 >( maOrigSize.Width() ) * mnPngDepth ) + 7 ) >> 3;
 
     // valid color types are 0,2,3,4 & 6
     switch ( mnColorType )
@@ -557,7 +559,7 @@ BOOL PNGReaderImpl::ImplReadHeader( const Size& rPreviewSizeHint )
         case 2 :    // each pixel is an RGB triple
         {
             mbRGBTriple = TRUE;
-            mnScansize *= 3;
+            nScansize64 *= 3;
             switch ( mnPngDepth )
             {
                 case 16 :           // we have to reduce the bitmap
@@ -590,7 +592,7 @@ BOOL PNGReaderImpl::ImplReadHeader( const Size& rPreviewSizeHint )
 
         case 4 :    // each pixel is a grayscale sample followed by an alpha sample
         {
-            mnScansize *= 2;
+            nScansize64 *= 2;
             mbAlphaChannel = TRUE;
             switch ( mnPngDepth )
             {
@@ -608,7 +610,7 @@ BOOL PNGReaderImpl::ImplReadHeader( const Size& rPreviewSizeHint )
         case 6 :    // each pixel is an RGB triple followed by an alpha sample
         {
             mbRGBTriple = TRUE;
-            mnScansize *= 4;
+            nScansize64 *= 4;
             mbAlphaChannel = TRUE;
             switch (mnPngDepth )
             {
@@ -626,16 +628,24 @@ BOOL PNGReaderImpl::ImplReadHeader( const Size& rPreviewSizeHint )
             return FALSE;
     }
 
-    mnBPP = mnScansize / maOrigSize.Width();
+    mnBPP = static_cast< sal_uInt32 >( nScansize64 / maOrigSize.Width() );
     if ( !mnBPP )
         mnBPP = 1;
 
-    mnScansize++;       // each scanline includes one filterbyte
+    nScansize64++;       // each scanline includes one filterbyte
+
+    if ( nScansize64 > SAL_MAX_UINT32 )
+        return FALSE;
+
+    mnScansize = static_cast< sal_uInt32 >( nScansize64 );
 
     // TODO: switch between both scanlines instead of copying
-    mpInflateInBuf = new BYTE[ mnScansize ];
+    mpInflateInBuf = new (std::nothrow) BYTE[ mnScansize ];
     mpScanCurrent = mpInflateInBuf;
-    mpScanPrior = new BYTE[ mnScansize ];
+    mpScanPrior = new (std::nothrow) BYTE[ mnScansize ];
+
+    if ( !mpInflateInBuf || !mpScanPrior )
+        return FALSE;
 
     // calculate target size from original size and the preview hint
     if( rPreviewSizeHint.Width() || rPreviewSizeHint.Height() )
author	Kurt Zenker <kz@openoffice.org>	2010-11-23 16:56:24 +0100
committer	Kurt Zenker <kz@openoffice.org>	2010-11-23 16:56:24 +0100
commit	2ca22cab454eb1438a58f6015301db453f1cbe84 (patch)
tree	ce4a20a0cb4d007018582474f3e4465922922f1e
parent	7d825706b747be940a622d72d8fcf92916034bb1 (diff)
parent	b9113ba2a8a4fca7d21b1268a250f4cdc70ba64d (diff)