author | Caolán McNamara <caolanm@redhat.com> | 2017-01-25 09:21:25 +0000 |
---|---|---|
committer | David Tardon <dtardon@redhat.com> | 2017-01-25 13:56:12 +0000 |
commit | 6872899cc1716f251988dfb3c86aa04c716cfda4 (patch) | |
tree | 488fe64b85066d06c7ec0f3d9ea51dab98c41502 /vcl | |
parent | 1c8f98a5fd33f02b9af0ce35b1ad0eb091c895d0 (diff) |
ofz#463 unable to mmap
Reviewed-on: https://gerrit.libreoffice.org/33519
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit f6c465bc8e7583a8321f5c881cb008b980e0e3fa)
Change-Id: I509faeda019f42bbe7cdc5fc249f2ea2076bb702
Reviewed-on: https://gerrit.libreoffice.org/33522
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: David Tardon <dtardon@redhat.com>
Diffstat (limited to 'vcl')
-rw-r--r-- | vcl/source/gdi/metaact.cxx | 2 | ||||
-rw-r--r-- | vcl/source/gdi/svmconverter.cxx | 9 |
2 files changed, 10 insertions, 1 deletions
diff --git a/vcl/source/gdi/metaact.cxx b/vcl/source/gdi/metaact.cxx
index 7bfa151fe3ec..ac229f0f3c51 100644
--- a/vcl/source/gdi/metaact.cxx
+++ b/vcl/source/gdi/metaact.cxx
@@ -1114,7 +1114,7 @@ MetaTextArrayAction::MetaTextArrayAction( const Point& rStartPt,
 {
 const sal_Int32 nAryLen = pDXAry ? mnLen : 0;
- if( nAryLen )
+ if (nAryLen > 0)
 {
 mpDXAry = new long[ nAryLen ];
 memcpy( mpDXAry, pDXAry, nAryLen * sizeof(long) );
diff --git a/vcl/source/gdi/svmconverter.cxx b/vcl/source/gdi/svmconverter.cxx
index b1a1c7aedddd..3a6e961c0676 100644
--- a/vcl/source/gdi/svmconverter.cxx
+++ b/vcl/source/gdi/svmconverter.cxx
@@ -908,6 +908,15 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm, GDIMetaFile& rMtf )
 std::unique_ptr<long[]> pDXAry;
 if (nAryLen > 0)
 {
+ const size_t nMinRecordSize = sizeof(sal_Int32);
+ const size_t nMaxRecords = rIStm.remainingSize() / nMinRecordSize;
+ if (static_cast<sal_uInt32>(nAryLen) > nMaxRecords)
+ {
+ SAL_WARN("vcl.gdi", "Parsing error: " << nMaxRecords <<
+ " max possible entries, but " << nAryLen << " claimed, truncating");
+ nAryLen = nMaxRecords;
+ }
+ sal_Int32 nStrLen( aStr.getLength() );
 pDXAry.reset(new long[ std::max( nAryLen, nStrLen ) ]); |
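Review bot: The new `if (nAryLen > 0)` test in the MetaTextArrayAction constructor has no comment saying why a negative count has to be excluded, although the old truthiness test let a negative length reach `new long[ nAryLen ]` and the `memcpy` size computation. A line above the condition such as `// nLen may be negative for a malformed metafile; allocate and copy only for a positive count` would keep a later cleanup from reverting it. The branch taken when the test fails is outside the hunk, so whether mnLen itself is normalised there cannot be checked from here.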
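Review bot: After the clamp `nAryLen = nMaxRecords;` in ImplConvertFromSVM1 the count can become 0 (when fewer than `sizeof(sal_Int32)` bytes remain in the stream), yet execution is already inside the `if (nAryLen > 0)` branch, so the code that follows must cope with an empty array; the rest of that branch is outside the hunk and should be checked for that case. The same assignment narrows `size_t` to the signed nAryLen implicitly, which is safe only because the value is below the original nAryLen; making that explicit helps, e.g. `nAryLen = static_cast<sal_Int32>(nMaxRecords); // below the claimed count, so it fits`. The bound also assumes every stored entry occupies at least `sizeof(sal_Int32)` bytes, which the read loop outside the hunk has to match.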