another avoid endless loop with busted wmf

Change-Id: Ie4068fdc1e54e0ad3e55354938a4c5e1459e7fe0 (cherry picked from commit 7ffe6aebb44ed3f7b5fd1ffe3ccfccf0f61984b3) Reviewed-on: https://gerrit.libreoffice.org/17683 Reviewed-by: David Tardon <dtardon@redhat.com> Tested-by: David Tardon <dtardon@redhat.com>
author: Caolán McNamara <caolanm@redhat.com> 2015-08-12 16:30:21 +0100
committer: Andras Timar <andras.timar@collabora.com> 2015-08-20 20:34:04 +0200
commit: d1afeb911fe9fb263f78c2ae60d522a7f3119985 (patch)
tree: 386cc1d593b256780e93efe94015223d096cf91b /vcl
parent: 2e9d9091097af973e7bf7a644eb9b990a84011e9 (diff)
2 files changed, 4 insertions, 3 deletions
diff --git a/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-2.wmf b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-2.wmf
new file mode 100644
index 000000000000..f8f153896c7c
--- /dev/null
+++ b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-2.wmf
diff --git a/vcl/source/filter/wmf/enhwmf.cxx b/vcl/source/filter/wmf/enhwmf.cxx
index 63e41046eab1..8e19bc238872 100644
--- a/vcl/source/filter/wmf/enhwmf.cxx
+++ b/vcl/source/filter/wmf/enhwmf.cxx
@@ -637,14 +637,15 @@ bool EnhWMFReader::ReadEnhWMF()
             break;
         }
 
-        nNextPos = pWMF->Tell() + ( nRecSize - 8 );
-
-        if ( !pWMF->good() || nNextPos > nEndPos )
+        const sal_uInt32 nMaxPossibleRecSize = nEndPos - pWMF->Tell() + 8;
+        if (nRecSize > nMaxPossibleRecSize)
         {
             bStatus = false;
             break;
         }
 
+        nNextPos = pWMF->Tell() + ( nRecSize - 8 );
+
         if(  !aBmpSaveList.empty()
           && ( nRecType != EMR_STRETCHBLT )
           && ( nRecType != EMR_STRETCHDIBITS )
author	Caolán McNamara <caolanm@redhat.com>	2015-08-12 16:30:21 +0100
committer	Andras Timar <andras.timar@collabora.com>	2015-08-20 20:34:04 +0200
commit	d1afeb911fe9fb263f78c2ae60d522a7f3119985 (patch)
tree	386cc1d593b256780e93efe94015223d096cf91b /vcl
parent	2e9d9091097af973e7bf7a644eb9b990a84011e9 (diff)