ofz#414 crash in DXFHatchEntity::EvaluateGroup

Change-Id: I15c8cb7aeb8c45f32357afd0ea2f550ffe11dbf7

3 files changed, 9 insertions, 1 deletions

diff --git a/filter/source/graphicfilter/idxf/dxfentrd.cxx b/filter/source/graphicfilter/idxf/dxfentrd.cxx
index 2c03206b081e..f9a5d97bba26 100644
--- a/filter/source/graphicfilter/idxf/dxfentrd.cxx
+++ b/filter/source/graphicfilter/idxf/dxfentrd.cxx
@@ -659,8 +659,11 @@ void DXFHatchEntity::EvaluateGroup( DXFGroupReader & rDGR )
         {
             bIsInBoundaryPathContext = true;
             nBoundaryPathCount = rDGR.GetI();
-            if ( nBoundaryPathCount )
+            // limit alloc to max reasonable size based on remaining data in stream
+            if (nBoundaryPathCount > 0 && static_cast<sal_uInt32>(nBoundaryPathCount) <= rDGR.remainingSize())
                 pBoundaryPathData.reset( new DXFBoundaryPathData[ nBoundaryPathCount ] );
+            else
+                nBoundaryPathCount = 0;
         }
         break;
         case 75 :
diff --git a/filter/source/graphicfilter/idxf/dxfgrprd.cxx b/filter/source/graphicfilter/idxf/dxfgrprd.cxx
index caa2c4263bf2..a6c02a408c7c 100644
--- a/filter/source/graphicfilter/idxf/dxfgrprd.cxx
+++ b/filter/source/graphicfilter/idxf/dxfgrprd.cxx
@@ -217,5 +217,9 @@ void DXFGroupReader::ReadS()
     S = DXFReadLine(rIS);
 }
 
+sal_uInt64 DXFGroupReader::remainingSize() const
+{
+    return rIS.remainingSize();
+}
 
 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/filter/source/graphicfilter/idxf/dxfgrprd.hxx b/filter/source/graphicfilter/idxf/dxfgrprd.hxx
index c936b33b428b..09bbcd3676e4 100644
--- a/filter/source/graphicfilter/idxf/dxfgrprd.hxx
+++ b/filter/source/graphicfilter/idxf/dxfgrprd.hxx
@@ -59,6 +59,7 @@ public:
         // This read must have returned a group code for datatype String.
         // If not NULL is returend
 
+    sal_uInt64 remainingSize() const;
 private:
 
     long   ReadI();