fix potential hang here

Change-Id: Id62cdb90420b9ccf4e98fc1af46c70db6ed60ee0 (cherry picked from commit 7eef63bb2a4d14cb35201f84f38855910f468e20) Reviewed-on: https://gerrit.libreoffice.org/16922 Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: David Tardon <dtardon@redhat.com>
author: Caolán McNamara <caolanm@redhat.com> 2015-07-10 11:34:03 +0100
committer: David Tardon <dtardon@redhat.com> 2015-07-13 13:07:10 +0000
commit: e0d7f9a7ca24f06b393f37a34c099cd10b9d2da0 (patch)
tree: 77de6cde3f8c3ec5a2357219459879fb601f33e5 /vcl/source
parent: b78b90732b3089c865773efab362038bd913dac5 (diff)
1 files changed, 13 insertions, 8 deletions
diff --git a/vcl/source/filter/wmf/winwmf.cxx b/vcl/source/filter/wmf/winwmf.cxx
index 5e25949d7ff3..7c153c70fe9b 100644
--- a/vcl/source/filter/wmf/winwmf.cxx
+++ b/vcl/source/filter/wmf/winwmf.cxx
@@ -1735,14 +1735,19 @@ bool WMFReader::GetPlaceableBound( Rectangle& rPlaceableBound, SvStream* pStm )
                 }
                 break;
             }
-            nPos += nRSize * 2;
-             if ( nPos <= nEnd )
-                 pStm->Seek( nPos );
-             else
-             {
-                 pStm->SetError( SVSTREAM_FILEFORMAT_ERROR );
-                 bRet = false;
-             }
+
+            const sal_uInt32 nAvailableBytes = nEnd - nPos;
+            const sal_uInt32 nMaxPossibleRecordSize = nAvailableBytes/2;
+            if (nRSize <= nMaxPossibleRecordSize)
+            {
+                nPos += nRSize * 2;
+                pStm->Seek( nPos );
+            }
+            else
+            {
+                pStm->SetError( SVSTREAM_FILEFORMAT_ERROR );
+                bRet = false;
+            }
         }
     }
     else
author	Caolán McNamara <caolanm@redhat.com>	2015-07-10 11:34:03 +0100
committer	David Tardon <dtardon@redhat.com>	2015-07-13 13:07:10 +0000
commit	e0d7f9a7ca24f06b393f37a34c099cd10b9d2da0 (patch)
tree	77de6cde3f8c3ec5a2357219459879fb601f33e5 /vcl/source
parent	b78b90732b3089c865773efab362038bd913dac5 (diff)