author | Caolán McNamara <caolanm@redhat.com> | 2015-08-27 20:20:01 +0100 |
---|---|---|
committer | Michael Meeks <michael.meeks@collabora.com> | 2015-08-28 11:29:16 +0000 |
commit | 4970009499a5dfb634b25dc144ee35bac0cf9d31 (patch) | |
tree | ec61b9b285a3a0fb40901c81c106b73c1770efbc /vcl/source | |
parent | 1bfbdeb07c0d4059f08bf1c295a465482e9ef3a5 (diff) |
don't loop on overly-short nEndPos
Change-Id: I60d3388ece28a69c31a85b9e3b495cbe8a03e7dc
(cherry picked from commit 42732d255423700461f4abadfed77d89efa9cdd0)
Reviewed-on: https://gerrit.libreoffice.org/18084
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
Tested-by: Michael Meeks <michael.meeks@collabora.com>
Diffstat (limited to 'vcl/source')
-rw-r--r-- | vcl/source/filter/wmf/enhwmf.cxx | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/vcl/source/filter/wmf/enhwmf.cxx b/vcl/source/filter/wmf/enhwmf.cxx index 1b8dc0d45f6f..578fc0afb989 100644 --- a/vcl/source/filter/wmf/enhwmf.cxx +++ b/vcl/source/filter/wmf/enhwmf.cxx @@ -617,7 +617,7 @@ void EnhWMFReader::ReadAndDrawPolyPolygon() bool EnhWMFReader::ReadEnhWMF() { sal_uInt32 nStretchBltMode = 0; - sal_uInt32 nRecType(0), nRecSize(0), nNextPos(0), + sal_uInt32 nNextPos(0), nW(0), nH(0), nColor(0), nIndex(0), nDat32(0), nNom1(0), nDen1(0), nNom2(0), nDen2(0); sal_Int32 nX32(0), nY32(0), nx32(0), ny32(0); @@ -629,7 +629,8 @@ bool EnhWMFReader::ReadEnhWMF() while( bStatus && nRecordCount-- && pWMF->good()) { - pWMF->ReadUInt32( nRecType ).ReadUInt32( nRecSize ); + sal_uInt32 nRecType(0), nRecSize(0); + pWMF->ReadUInt32(nRecType).ReadUInt32(nRecSize); if ( !pWMF->good() || ( nRecSize < 8 ) || ( nRecSize & 3 ) ) // Parameters are always divisible by 4 { @@ -637,14 +638,22 @@ bool EnhWMFReader::ReadEnhWMF() break; } - const sal_uInt32 nMaxPossibleRecSize = nEndPos - pWMF->Tell() + 8; + auto nCurPos = pWMF->Tell(); + + if (nEndPos < nCurPos - 8) + { + bStatus = false; + break; + } + + const sal_uInt32 nMaxPossibleRecSize = nEndPos - (nCurPos - 8); if (nRecSize > nMaxPossibleRecSize) { bStatus = false; break; } - nNextPos = pWMF->Tell() + ( nRecSize - 8 ); + nNextPos = nCurPos + (nRecSize - 8); if( !aBmpSaveList.empty() && ( nRecType != EMR_STRETCHBLT ) @@ -1407,7 +1416,7 @@ bool EnhWMFReader::ReadEnhWMF() case EMR_EXTTEXTOUTW : { sal_Int32 nLeft, nTop, nRight, nBottom, ptlReferenceX, ptlReferenceY, nGfxMode, nXScale, nYScale; - sal_uInt32 nCurPos, nOffString, nOptions, offDx; + sal_uInt32 nOffString, nOptions, offDx; sal_Int32 nLen; std::vector<long> aDX; |
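Review bot: The new guard `if (nEndPos < nCurPos - 8)` in the third hunk is only free of unsigned wrap-around because the `!pWMF->good()` check just above means the 8-byte record header was read, so `nCurPos` should be at least 8. That dependency is worth a comment on the guard, for example `// nCurPos >= 8 here: the record header was read successfully above`, so a later reordering does not turn the check into a wrapped comparison on attacker-controlled file data. Separately, `nCurPos` is declared `auto` while `nMaxPossibleRecSize` and `nNextPos` are `sal_uInt32`. If `Tell()` returns a wider type, `nEndPos - (nCurPos - 8)` is narrowed on assignment, so I would spell the type out to make the width visible at the bounds check. The declaration of `nEndPos` and the rest of the loop body are outside the hunk, so its type and origin cannot be confirmed from here.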
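Review bot: Dropping the case-local `sal_uInt32 nCurPos` in the `EMR_EXTTEXTOUTW` hunk means any use of `nCurPos` left in that case now binds to the loop-level `auto nCurPos` from the record-size check. That variable holds the stream position just after the 8-byte header and may have a different width. The case body is outside the hunk, so how it uses the name cannot be confirmed; if it reassigns the name to mean the record start, one identifier then carries two meanings within a single iteration. I would give the case its own clearly named local for the record start, or put a comment on the loop-level declaration such as `// position after the record header; record handlers may overwrite`.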