ofz#7165 set a recursion limit for svm in svm

Change-Id: Id9089986012588690b6d5e33cd71d094ef2357dd
Reviewed-on: https://gerrit.libreoffice.org/51984
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
(cherry picked from commit fc6e9a715c74b2ff74ff9370fe5f5a29e20be8cd)

3 files changed, 38 insertions, 6 deletions

diff --git a/vcl/qa/cppunit/graphicfilter/data/svm/fail/ofz7165-1.svm b/vcl/qa/cppunit/graphicfilter/data/svm/fail/ofz7165-1.svm
new file mode 100644
index 000000000000..ad722ea13a6c
--- /dev/null
+++ b/vcl/qa/cppunit/graphicfilter/data/svm/fail/ofz7165-1.svm
diff --git a/vcl/source/gdi/gdimtf.cxx b/vcl/source/gdi/gdimtf.cxx
index 74bdd0747026..42470ef738e6 100644
--- a/vcl/source/gdi/gdimtf.cxx
+++ b/vcl/source/gdi/gdimtf.cxx
@@ -2667,7 +2667,31 @@ sal_uLong GDIMetaFile::GetSizeBytes() const
     return nSizeBytes;
 }
 
-SvStream& ReadGDIMetaFile( SvStream& rIStm, GDIMetaFile& rGDIMetaFile )
+namespace
+{
+    class DepthGuard
+    {
+    private:
+        ImplMetaReadData& m_rData;
+        rtl_TextEncoding m_eOrigCharSet;
+    public:
+        DepthGuard(ImplMetaReadData& rData, SvStream& rIStm)
+            : m_rData(rData)
+            , m_eOrigCharSet(m_rData.meActualCharSet)
+        {
+            ++m_rData.mnParseDepth;
+            m_rData.meActualCharSet = rIStm.GetStreamCharSet();
+        }
+        bool TooDeep() const { return m_rData.mnParseDepth > 1024; }
+        ~DepthGuard()
+        {
+            --m_rData.mnParseDepth;
+            m_rData.meActualCharSet = m_eOrigCharSet;
+        }
+    };
+}
+
+SvStream& ReadGDIMetaFile(SvStream& rIStm, GDIMetaFile& rGDIMetaFile, ImplMetaReadData* pData)
 {
     if( !rIStm.GetError() )
     {
@@ -2695,12 +2719,20 @@ SvStream& ReadGDIMetaFile( SvStream& rIStm, GDIMetaFile& rGDIMetaFile )
 
             pCompat.reset(); // destructor writes stuff into the header
 
-            ImplMetaReadData aReadData;
-            aReadData.meActualCharSet = rIStm.GetStreamCharSet();
+            std::unique_ptr<ImplMetaReadData> xReadData;
+            if (!pData)
+            {
+                xReadData.reset(new ImplMetaReadData);
+                pData = xReadData.get();
+            }
+            DepthGuard aDepthGuard(*pData, rIStm);
+
+            if (aDepthGuard.TooDeep())
+                throw std::runtime_error("too much recursion");
 
             for( sal_uInt32 nAction = 0UL; ( nAction < nCount ) && !rIStm.IsEof(); nAction++ )
             {
-                MetaAction* pAction = MetaAction::ReadMetaAction( rIStm, &aReadData );
+                MetaAction* pAction = MetaAction::ReadMetaAction(rIStm, pData);
                 if( pAction )
                 {
                     if (pAction->GetType() == MetaActionType::COMMENT)
diff --git a/vcl/source/gdi/metaact.cxx b/vcl/source/gdi/metaact.cxx
index b8169cdb2553..87da241ac7f3 100644
--- a/vcl/source/gdi/metaact.cxx
+++ b/vcl/source/gdi/metaact.cxx
@@ -3050,10 +3050,10 @@ void MetaFloatTransparentAction::Write( SvStream& rOStm, ImplMetaWriteData* pDat
     WriteGradient( rOStm, maGradient );
 }
 
-void MetaFloatTransparentAction::Read( SvStream& rIStm, ImplMetaReadData* )
+void MetaFloatTransparentAction::Read(SvStream& rIStm, ImplMetaReadData* pData)
 {
     VersionCompat aCompat(rIStm, StreamMode::READ);
-    ReadGDIMetaFile( rIStm, maMtf );
+    ReadGDIMetaFile(rIStm, maMtf, pData);
     ReadPair( rIStm, maPoint );
     ReadPair( rIStm, maSize );
     ReadGradient( rIStm, maGradient );