diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2018-02-12 12:50:29 +0000 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2018-02-12 17:26:13 +0100 |
| commit | e5ace62c32191a2ae4183102c21e37575add39d8 (patch) | |
| tree | 2d4ebdcd93d29f06e3df8f032b31a605cfa77208 /emfio | |
| parent | 7517e53a96b956f369a6003690174fa156b7a0e5 (diff) | |
ofz: timeout
Change-Id: I7f6ea74c51012eb0fb64a3633241d67d10cae12b
Reviewed-on: https://gerrit.libreoffice.org/49595
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'emfio')
| -rw-r--r-- | emfio/source/reader/wmfreader.cxx | 50 |
1 files changed, 33 insertions, 17 deletions
diff --git a/emfio/source/reader/wmfreader.cxx b/emfio/source/reader/wmfreader.cxx index 983fe70a1a4e..eed575ef2bed 100644 --- a/emfio/source/reader/wmfreader.cxx +++ b/emfio/source/reader/wmfreader.cxx @@ -514,9 +514,6 @@ namespace emfio //record is Recordsize, RecordFunction, StringLength, <String>, YStart, XStart const sal_uInt32 nNonStringLen = sizeof(sal_uInt32) + 4 * sizeof(sal_uInt16); const sal_uInt32 nRecSize = mnRecSize * 2; - sal_uInt16 nLength = 0; - mpInputStream->ReadUInt16(nLength); - sal_uInt16 nStoredLength = (nLength + 1) &~ 1; if (nRecSize < nNonStringLen) { @@ -524,6 +521,10 @@ namespace emfio break; } + sal_uInt16 nLength = 0; + mpInputStream->ReadUInt16(nLength); + sal_uInt16 nStoredLength = (nLength + 1) &~ 1; + if (nRecSize - nNonStringLen < nStoredLength) { SAL_WARN("vcl.wmf", "W_META_TEXTOUT too short, truncating string"); @@ -543,15 +544,37 @@ namespace emfio case W_META_EXTTEXTOUT: { - mpInputStream->SeekRel(-6); - auto nRecordPos = mpInputStream->Tell(); - sal_Int32 nRecordSize = 0; - mpInputStream->ReadInt32( nRecordSize ); - mpInputStream->SeekRel(2); + //record is Recordsize, RecordFunction, Y, X, StringLength, options, maybe rectangle, <String> + sal_uInt32 nNonStringLen = sizeof(sal_uInt32) + 5 * sizeof(sal_uInt16); + const sal_uInt32 nRecSize = mnRecSize * 2; + + if (nRecSize < nNonStringLen) + { + SAL_WARN("vcl.wmf", "W_META_EXTTEXTOUT too short"); + break; + } + + auto nRecordPos = mpInputStream->Tell() - 6; Point aPosition = ReadYX(); sal_uInt16 nLen = 0, nOptions = 0; mpInputStream->ReadUInt16( nLen ).ReadUInt16( nOptions ); + tools::Rectangle aRect; + if (nOptions & ETO_CLIPPED) + { + nNonStringLen += 2 * sizeof(sal_uInt16); + + if (nRecSize < nNonStringLen) + { + SAL_WARN("vcl.wmf", "W_META_TEXTOUT too short"); + break; + } + + const Point aPt1( ReadPoint() ); + const Point aPt2( ReadPoint() ); + aRect = tools::Rectangle( aPt1, aPt2 ); + } + ComplexTextLayoutFlags nTextLayoutMode = ComplexTextLayoutFlags::Default; if ( nOptions & ETO_RTLREADING ) nTextLayoutMode = ComplexTextLayoutFlags::BiDiRtl | ComplexTextLayoutFlags::TextOriginLeft; @@ -559,19 +582,12 @@ namespace emfio SAL_WARN_IF( ( nOptions & ( ETO_PDY | ETO_GLYPH_INDEX ) ) != 0, "vcl.wmf", "SJ: ETO_PDY || ETO_GLYPH_INDEX in WMF" ); // output only makes sense if the text contains characters - if (nLen && nRecordSize >= 0) + if (nLen) { sal_Int32 nOriginalTextLen = nLen; sal_Int32 nOriginalBlockLen = ( nOriginalTextLen + 1 ) &~ 1; - tools::Rectangle aRect; - if( nOptions & ETO_CLIPPED ) - { - const Point aPt1( ReadPoint() ); - const Point aPt2( ReadPoint() ); - aRect = tools::Rectangle( aPt1, aPt2 ); - } - auto nMaxStreamPos = nRecordPos + (nRecordSize << 1); + auto nMaxStreamPos = nRecordPos + nRecSize; auto nRemainingSize = std::min(mpInputStream->remainingSize(), nMaxStreamPos - mpInputStream->Tell()); if (nRemainingSize < static_cast<sal_uInt32>(nOriginalBlockLen)) { |