ofz: check bounds on read

Change-Id: I07779bec876b90e36f20a81d6dbf06ae727edf85
author: Caolán McNamara <caolanm@redhat.com> 2017-04-02 11:31:10 +0100
committer: Caolán McNamara <caolanm@redhat.com> 2017-04-02 11:33:28 +0100
commit: fb05611064e12c8eda09bc32c42544cde8c2ab49 (patch)
tree: fa96bda46005107c08563c0728be418fe40482d5 /filter
parent: 647ff1add92a4d6473515462d4e5939b99b76d27 (diff)
1 files changed, 16 insertions, 9 deletions
diff --git a/filter/source/graphicfilter/icgm/class4.cxx b/filter/source/graphicfilter/icgm/class4.cxx
index c74333123c6b..d8397a26395c 100644
--- a/filter/source/graphicfilter/icgm/class4.cxx
+++ b/filter/source/graphicfilter/icgm/class4.cxx
@@ -178,15 +178,18 @@ void CGM::ImplDoClass4()
             case 0x04 : /*Text*/
             {
                 FloatPoint  aFloatPoint;
-                sal_uInt32      nType, nSize;
 
                 if ( mbFigure )
                     mpOutAct->CloseRegion();
 
                 ImplGetPoint ( aFloatPoint, true );
-                nType = ImplGetUI16( 4 );
-                nSize = ImplGetUI( 1 );
-                mpSource[ mnParaSize + nSize ] = 0;
+                sal_uInt32 nType = ImplGetUI16( 4 );
+                sal_uInt32 nSize = ImplGetUI( 1 );
+
+                if (mpSource + mnParaSize + nSize > mpEndValidSource)
+                    throw css::uno::Exception("attempt to read past end of input", nullptr);
+
+                mpSource[mnParaSize + nSize] = 0;
 
                 awt::Size aSize;
                 awt::Point aPoint( (long)aFloatPoint.X, (long)aFloatPoint.Y );
@@ -200,7 +203,6 @@ void CGM::ImplDoClass4()
             {
                 double      dx, dy;
                 FloatPoint  aFloatPoint;
-                sal_uInt32      nType, nSize;
 
                 if ( mbFigure )
                     mpOutAct->CloseRegion();
@@ -219,8 +221,11 @@ void CGM::ImplDoClass4()
                 ImplMapDouble( dy );
 
                 ImplGetPoint ( aFloatPoint, true );
-                nType = ImplGetUI16( 4 );
-                nSize = ImplGetUI( 1 );
+                sal_uInt32 nType = ImplGetUI16(4);
+                sal_uInt32 nSize = ImplGetUI(1);
+
+                if (mpSource + mnParaSize + nSize > mpEndValidSource)
+                    throw css::uno::Exception("attempt to read past end of input", nullptr);
 
                 mpSource[ mnParaSize + nSize ] = 0;
 
@@ -234,10 +239,12 @@ void CGM::ImplDoClass4()
 
             case 0x06 : /*Append Text*/
             {
-                sal_uInt32 nSize;
                 sal_uInt32 nType = ImplGetUI16( 4 );
+                sal_uInt32 nSize = ImplGetUI( 1 );
+
+                if (mpSource + mnParaSize + nSize > mpEndValidSource)
+                    throw css::uno::Exception("attempt to read past end of input", nullptr);
 
-                nSize = ImplGetUI( 1 );
                 mpSource[ mnParaSize + nSize ] = 0;
 
                 mpOutAct->AppendText( reinterpret_cast<char*>(mpSource) + mnParaSize, nSize, (FinalFlag)nType );
author	Caolán McNamara <caolanm@redhat.com>	2017-04-02 11:31:10 +0100
committer	Caolán McNamara <caolanm@redhat.com>	2017-04-02 11:33:28 +0100
commit	fb05611064e12c8eda09bc32c42544cde8c2ab49 (patch)
tree	fa96bda46005107c08563c0728be418fe40482d5 /filter
parent	647ff1add92a4d6473515462d4e5939b99b76d27 (diff)