summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorCaolán McNamara <caolanm@redhat.com>2017-02-28 21:08:00 +0000
committerCaolán McNamara <caolanm@redhat.com>2017-02-28 21:08:00 +0000
commit7f0b3e90ad8cc6c16e2004cc0739150352c8d7e6 (patch)
treefacbadd1a93f7000dce544f24eacff8440996eb5
parent162cd5d4fee7611e6b9e84cfbfddc81cbb869650 (diff)
ofz: timeout, check availablity of point data before reading it
Change-Id: I86b3041bc5123ba10bbb9b64702dfb2060b3cc23
Diffstat
-rw-r--r--filter/source/graphicfilter/ipict/ipict.cxx6
1 files changed, 6 insertions, 0 deletions
diff --git a/filter/source/graphicfilter/ipict/ipict.cxx b/filter/source/graphicfilter/ipict/ipict.cxx
index 4003b0fd49c7..a85e691f7b64 100644
--- a/filter/source/graphicfilter/ipict/ipict.cxx
+++ b/filter/source/graphicfilter/ipict/ipict.cxx
@@ -461,6 +461,12 @@ sal_uLong PictReader::ReadPolygon(tools::Polygon & rPoly)
pPict->SeekRel(8);
sal_uLong nDataSize = (sal_uLong)nSize;
nSize=(nSize-10)/4;
+ const size_t nMaxPossiblePoints = pPict->remainingSize() / 2 * sizeof(sal_uInt16);
+ if (nSize > nMaxPossiblePoints)
+ {
+ SAL_WARN("filter.pict", "pict record claims to have: " << nSize << " points, but only " << nMaxPossiblePoints << " possible, clamping");
+ nSize = nMaxPossiblePoints;
+ }
rPoly.SetSize(nSize);
for (sal_uInt16 i = 0; i < nSize; ++i)
rPoly.SetPoint(ReadPoint(), i);
generated by cgit (git 2.34.1) at 2025-01-09 07:57:49 +0000