don't loop on overly-short nEndPos

Change-Id: I60d3388ece28a69c31a85b9e3b495cbe8a03e7dc (cherry picked from commit 42732d255423700461f4abadfed77d89efa9cdd0) Reviewed-on: https://gerrit.libreoffice.org/18084 Reviewed-by: Michael Meeks <michael.meeks@collabora.com> Tested-by: Michael Meeks <michael.meeks@collabora.com>
author: Caolán McNamara <caolanm@redhat.com> 2015-08-27 20:20:01 +0100
committer: Michael Meeks <michael.meeks@collabora.com> 2015-08-28 11:29:16 +0000
commit: 4970009499a5dfb634b25dc144ee35bac0cf9d31 (patch)
tree: ec61b9b285a3a0fb40901c81c106b73c1770efbc /vcl
parent: 1bfbdeb07c0d4059f08bf1c295a465482e9ef3a5 (diff)
2 files changed, 14 insertions, 5 deletions
diff --git a/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-3.wmf b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-3.wmf
new file mode 100644
index 000000000000..80ad7959bd46
--- /dev/null
+++ b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-3.wmf
diff --git a/vcl/source/filter/wmf/enhwmf.cxx b/vcl/source/filter/wmf/enhwmf.cxx
index 1b8dc0d45f6f..578fc0afb989 100644
--- a/vcl/source/filter/wmf/enhwmf.cxx
+++ b/vcl/source/filter/wmf/enhwmf.cxx
@@ -617,7 +617,7 @@ void EnhWMFReader::ReadAndDrawPolyPolygon()
 bool EnhWMFReader::ReadEnhWMF()
 {
     sal_uInt32  nStretchBltMode = 0;
-    sal_uInt32  nRecType(0), nRecSize(0), nNextPos(0),
+    sal_uInt32  nNextPos(0),
                 nW(0), nH(0), nColor(0), nIndex(0),
                 nDat32(0), nNom1(0), nDen1(0), nNom2(0), nDen2(0);
     sal_Int32   nX32(0), nY32(0), nx32(0), ny32(0);
@@ -629,7 +629,8 @@ bool EnhWMFReader::ReadEnhWMF()
 
     while( bStatus && nRecordCount-- && pWMF->good())
     {
-        pWMF->ReadUInt32( nRecType ).ReadUInt32( nRecSize );
+        sal_uInt32  nRecType(0), nRecSize(0);
+        pWMF->ReadUInt32(nRecType).ReadUInt32(nRecSize);
 
         if ( !pWMF->good() || ( nRecSize < 8 ) || ( nRecSize & 3 ) )     // Parameters are always divisible by 4
         {
@@ -637,14 +638,22 @@ bool EnhWMFReader::ReadEnhWMF()
             break;
         }
 
-        const sal_uInt32 nMaxPossibleRecSize = nEndPos - pWMF->Tell() + 8;
+        auto nCurPos = pWMF->Tell();
+
+        if (nEndPos < nCurPos - 8)
+        {
+            bStatus = false;
+            break;
+        }
+
+        const sal_uInt32 nMaxPossibleRecSize = nEndPos - (nCurPos - 8);
         if (nRecSize > nMaxPossibleRecSize)
         {
             bStatus = false;
             break;
         }
 
-        nNextPos = pWMF->Tell() + ( nRecSize - 8 );
+        nNextPos = nCurPos + (nRecSize - 8);
 
         if(  !aBmpSaveList.empty()
           && ( nRecType != EMR_STRETCHBLT )
@@ -1407,7 +1416,7 @@ bool EnhWMFReader::ReadEnhWMF()
                 case EMR_EXTTEXTOUTW :
                 {
                     sal_Int32   nLeft, nTop, nRight, nBottom, ptlReferenceX, ptlReferenceY, nGfxMode, nXScale, nYScale;
-                    sal_uInt32  nCurPos, nOffString, nOptions, offDx;
+                    sal_uInt32  nOffString, nOptions, offDx;
                     sal_Int32   nLen;
                     std::vector<long> aDX;
author	Caolán McNamara <caolanm@redhat.com>	2015-08-27 20:20:01 +0100
committer	Michael Meeks <michael.meeks@collabora.com>	2015-08-28 11:29:16 +0000
commit	4970009499a5dfb634b25dc144ee35bac0cf9d31 (patch)
tree	ec61b9b285a3a0fb40901c81c106b73c1770efbc /vcl
parent	1bfbdeb07c0d4059f08bf1c295a465482e9ef3a5 (diff)