ofz#463 unable to mmap

Change-Id: I509faeda019f42bbe7cdc5fc249f2ea2076bb702
Reviewed-on: https://gerrit.libreoffice.org/33519
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>

2 files changed, 10 insertions, 1 deletions

diff --git a/vcl/source/gdi/metaact.cxx b/vcl/source/gdi/metaact.cxx
index 15de1638f1d2..3ef9692b106a 100644
--- a/vcl/source/gdi/metaact.cxx
+++ b/vcl/source/gdi/metaact.cxx
@@ -1110,7 +1110,7 @@ MetaTextArrayAction::MetaTextArrayAction( const Point& rStartPt,
 {
     const sal_Int32 nAryLen = pDXAry ? mnLen : 0;
 
-    if( nAryLen )
+    if (nAryLen > 0)
     {
         mpDXAry.reset( new long[ nAryLen ] );
         memcpy( mpDXAry.get(), pDXAry, nAryLen * sizeof(long) );
diff --git a/vcl/source/gdi/svmconverter.cxx b/vcl/source/gdi/svmconverter.cxx
index 2fba137c6f58..9d963f457dc2 100644
--- a/vcl/source/gdi/svmconverter.cxx
+++ b/vcl/source/gdi/svmconverter.cxx
@@ -905,6 +905,15 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm, GDIMetaFile& rMtf )
                     std::unique_ptr<long[]> pDXAry;
                     if (nAryLen > 0)
                     {
+                        const size_t nMinRecordSize = sizeof(sal_Int32);
+                        const size_t nMaxRecords = rIStm.remainingSize() / nMinRecordSize;
+                        if (static_cast<sal_uInt32>(nAryLen) > nMaxRecords)
+                        {
+                            SAL_WARN("vcl.gdi", "Parsing error: " << nMaxRecords <<
+                                     " max possible entries, but " << nAryLen << " claimed, truncating");
+                            nAryLen = nMaxRecords;
+                        }
+
                         sal_Int32 nStrLen( aStr.getLength() );
 
                         pDXAry.reset(new long[ std::max( nAryLen, nStrLen ) ]);