detect corrupted job setup

Change-Id: I0d3b4850c3d4c015a0a7e5d36d87113a749c7e0f Reviewed-on: https://gerrit.libreoffice.org/42383 Reviewed-by: Caolán McNamara <caolanm@redhat.com> Tested-by: Caolán McNamara <caolanm@redhat.com>
author: Caolán McNamara <caolanm@redhat.com> 2017-09-17 17:38:39 +0100
committer: Caolán McNamara <caolanm@redhat.com> 2017-09-17 21:44:50 +0200
commit: dd5868409ae430f9c9ffea18ea7e287a65cfa2ab (patch)
tree: b4ed019bdb21cf6b662a5593001a20eaddffd192 /vcl
parent: 1ebf34c67142d1a36923ad6511301fb4b7458edd (diff)
1 files changed, 15 insertions, 7 deletions
diff --git a/vcl/source/gdi/jobset.cxx b/vcl/source/gdi/jobset.cxx
index 3117cee7f574..dfe238e47fb5 100644
--- a/vcl/source/gdi/jobset.cxx
+++ b/vcl/source/gdi/jobset.cxx
@@ -236,7 +236,7 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
 
         sal_uInt16 nSystem = 0;
         rIStream.ReadUInt16( nSystem );
-        const size_t nRead = nLen - sizeof(nLen) - sizeof(nSystem);
+        size_t nRead = nLen - sizeof(nLen) - sizeof(nSystem);
         if (nRead > rIStream.remainingSize())
         {
             SAL_WARN("vcl", "Parsing error: " << rIStream.remainingSize() <<
@@ -245,7 +245,7 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
         }
         sal_uInt64 const nFirstPos = rIStream.Tell();
         std::unique_ptr<char[]> pTempBuf(new char[nRead]);
-        rIStream.ReadBytes(pTempBuf.get(), nRead);
+        nRead = rIStream.ReadBytes(pTempBuf.get(), nRead);
         if (nRead >= sizeof(ImplOldJobSetupData))
         {
             ImplOldJobSetupData* pData = reinterpret_cast<ImplOldJobSetupData*>(pTempBuf.get());
@@ -275,11 +275,19 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
                 rJobData.SetPaperHeight( (long)SVBT32ToUInt32( pOldJobData->nPaperHeight ) );
                 if ( rJobData.GetDriverDataLen() )
                 {
-                    const sal_uInt8* pDriverData = reinterpret_cast<sal_uInt8*>(pOldJobData) + nOldJobDataSize;
-                    sal_uInt8* pNewDriverData = static_cast<sal_uInt8*>(
-                        rtl_allocateMemory( rJobData.GetDriverDataLen() ));
-                    memcpy( pNewDriverData, pDriverData, rJobData.GetDriverDataLen() );
-                    rJobData.SetDriverData( pNewDriverData );
+                    const char* pDriverData = reinterpret_cast<const char*>(pOldJobData) + nOldJobDataSize;
+                    const char* pDriverDataEnd = pDriverData + rJobData.GetDriverDataLen();
+                    if (pDriverDataEnd > pTempBuf.get() + nRead)
+                    {
+                        SAL_WARN("vcl", "corrupted job setup");
+                    }
+                    else
+                    {
+                        sal_uInt8* pNewDriverData = static_cast<sal_uInt8*>(
+                            rtl_allocateMemory( rJobData.GetDriverDataLen() ));
+                        memcpy( pNewDriverData, pDriverData, rJobData.GetDriverDataLen() );
+                        rJobData.SetDriverData( pNewDriverData );
+                    }
                 }
                 if( nSystem == JOBSET_FILE605_SYSTEM )
                 {
author	Caolán McNamara <caolanm@redhat.com>	2017-09-17 17:38:39 +0100
committer	Caolán McNamara <caolanm@redhat.com>	2017-09-17 21:44:50 +0200
commit	dd5868409ae430f9c9ffea18ea7e287a65cfa2ab (patch)
tree	b4ed019bdb21cf6b662a5593001a20eaddffd192 /vcl
parent	1ebf34c67142d1a36923ad6511301fb4b7458edd (diff)