diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2017-04-02 11:52:06 +0100 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2017-04-02 11:52:06 +0100 |
| commit | e9bd695a063e111cdc002b73a6a5cccbc52ef4d3 (patch) | |
| tree | 1cb614be9592da95e33ff83711cf09a2de36e33e /vcl | |
| parent | 4f2825f590f4d4921d9336961fd727e76b525b92 (diff) | |
ofz: avoid oom
Change-Id: Ibffae78a1186492300c237e85089702491cf4a0f
Diffstat (limited to 'vcl')
| -rw-r--r-- | vcl/source/filter/wmf/winwmf.cxx | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/vcl/source/filter/wmf/winwmf.cxx b/vcl/source/filter/wmf/winwmf.cxx index 94783f8879d4..0ce2ff3eccac 100644 --- a/vcl/source/filter/wmf/winwmf.cxx +++ b/vcl/source/filter/wmf/winwmf.cxx @@ -1131,18 +1131,25 @@ void WMFReader::ReadRecordParams( sal_uInt16 nFunc ) } nEMFRec++; - if( pEMFStream && nCurRecSize + 34 > nLen ) + if (pEMFStream && nCurRecSize + 34 > nLen) { nEMFRecCount = 0xFFFFFFFF; pEMFStream.reset(); } - if( pEMFStream ) + if (pEMFStream && nCurRecSize > pWMF->remainingSize()) { - std::unique_ptr<sal_Int8[]> pBuf(new sal_Int8[ nCurRecSize ]); - sal_uInt32 nCount = pWMF->ReadBytes(pBuf.get(), nCurRecSize); + SAL_WARN("vcl.wmf", "emf record size claims to be larger than remaining data"); + nEMFRecCount = 0xFFFFFFFF; + pEMFStream.reset(); + } + + if (pEMFStream) + { + std::vector<sal_Int8> aBuf(nCurRecSize); + sal_uInt32 nCount = pWMF->ReadBytes(aBuf.data(), nCurRecSize); if( nCount == nCurRecSize ) - pEMFStream->WriteBytes(pBuf.get(), nCount); + pEMFStream->WriteBytes(aBuf.data(), nCount); } } } |