summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--vcl/source/gdi/metaact.cxx2
-rw-r--r--vcl/source/gdi/svmconverter.cxx9
2 files changed, 10 insertions, 1 deletions
diff --git a/vcl/source/gdi/metaact.cxx b/vcl/source/gdi/metaact.cxx
index 047a207381d8..b8169cdb2553 100644
--- a/vcl/source/gdi/metaact.cxx
+++ b/vcl/source/gdi/metaact.cxx
@@ -1114,7 +1114,7 @@ MetaTextArrayAction::MetaTextArrayAction( const Point& rStartPt,
{
const sal_Int32 nAryLen = pDXAry ? mnLen : 0;
- if( nAryLen )
+ if (nAryLen > 0)
{
mpDXAry = new long[ nAryLen ];
memcpy( mpDXAry, pDXAry, nAryLen * sizeof(long) );
diff --git a/vcl/source/gdi/svmconverter.cxx b/vcl/source/gdi/svmconverter.cxx
index 616e5e79918e..d9aae46824f0 100644
--- a/vcl/source/gdi/svmconverter.cxx
+++ b/vcl/source/gdi/svmconverter.cxx
@@ -909,6 +909,15 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm, GDIMetaFile& rMtf )
sal_Int32 nDXAryLen = 0;
if (nAryLen > 0)
{
+ const size_t nMinRecordSize = sizeof(sal_Int32);
+ const size_t nMaxRecords = rIStm.remainingSize() / nMinRecordSize;
+ if (static_cast<sal_uInt32>(nAryLen) > nMaxRecords)
+ {
+ SAL_WARN("vcl.gdi", "Parsing error: " << nMaxRecords <<
+ " max possible entries, but " << nAryLen << " claimed, truncating");
+ nAryLen = nMaxRecords;
+ }
+
sal_Int32 nStrLen( aStr.getLength() );
nDXAryLen = std::max(nAryLen, nStrLen);
generated by cgit (git 2.34.1) at 2024-08-12 02:07:44 +0000