diff options
| -rw-r--r-- | basegfx/source/polygon/b2dtrapezoid.cxx | 4 | ||||
| -rwxr-xr-x | vcl/aqua/source/gdi/salatslayout.cxx | 5 | ||||
| -rw-r--r-- | vcl/source/gdi/metaact.cxx | 34 | ||||
| -rw-r--r-- | vcl/source/gdi/pdfwriter_impl.cxx | 9 | ||||
| -rw-r--r-- | vcl/source/gdi/pngread.cxx | 28 |
5 files changed, 57 insertions, 23 deletions
diff --git a/basegfx/source/polygon/b2dtrapezoid.cxx b/basegfx/source/polygon/b2dtrapezoid.cxx index c1e0f7f6c7c1..d89ec7c6cf73 100644 --- a/basegfx/source/polygon/b2dtrapezoid.cxx +++ b/basegfx/source/polygon/b2dtrapezoid.cxx @@ -798,6 +798,7 @@ namespace basegfx if(splitEdgeAtGivenPoint(aLeft, *pNewLeft, aCurrent)) { maNewPoints.push_back(pNewLeft); + bDone = true; } else { @@ -809,13 +810,12 @@ namespace basegfx if(splitEdgeAtGivenPoint(aRight, *pNewRight, aCurrent)) { maNewPoints.push_back(pNewRight); + bDone = true; } else { delete pNewRight; } - - bDone = true; } } diff --git a/vcl/aqua/source/gdi/salatslayout.cxx b/vcl/aqua/source/gdi/salatslayout.cxx index 335505de85ac..a355ff86d00e 100755 --- a/vcl/aqua/source/gdi/salatslayout.cxx +++ b/vcl/aqua/source/gdi/salatslayout.cxx @@ -754,9 +754,10 @@ int ATSLayout::GetTextBreak( long nMaxWidth, long nCharExtra, int nFactor ) cons // initial measurement of text break position UniCharArrayOffset nBreakPos = mnMinCharPos; const ATSUTextMeasurement nATSUMaxWidth = Vcl2Fixed( nPixelWidth ); + if( nATSUMaxWidth <= 0xFFFF ) // #i108584# avoid ATSU rejecting the parameter + return mnMinCharPos; // or do ATSUMaxWidth=0x10000; OSStatus eStatus = ATSUBreakLine( maATSULayout, mnMinCharPos, nATSUMaxWidth, false, &nBreakPos ); - if( (eStatus != noErr) && (eStatus != kATSULineBreakInWord) ) return STRING_LEN; @@ -781,7 +782,7 @@ int ATSLayout::GetTextBreak( long nMaxWidth, long nCharExtra, int nFactor ) cons if( eStatus != noErr ) return nBreakPos; const ATSUTextMeasurement nATSURemWidth = nATSUMaxWidth - (nRight - nLeft); - if( nATSURemWidth <= 0 ) + if( nATSURemWidth <= 0xFFFF ) // #i108584# avoid ATSU rejecting the parameter return nBreakPos; UniCharArrayOffset nBreakPosInWord = nBreakPos; eStatus = ATSUBreakLine( maATSULayout, nBreakPos, nATSURemWidth, false, &nBreakPosInWord ); diff --git a/vcl/source/gdi/metaact.cxx b/vcl/source/gdi/metaact.cxx index 8c1545758c3b..79d875542509 100644 --- a/vcl/source/gdi/metaact.cxx +++ b/vcl/source/gdi/metaact.cxx @@ -1441,19 +1441,35 @@ void MetaTextArrayAction::Read( SvStream& rIStm, ImplMetaReadData* pData ) rIStm >> mnLen; rIStm >> nAryLen; + if ( mnIndex > mnLen ) + { + mnIndex = 0; + mpDXAry = 0; + return; + } + if( nAryLen ) { // #i9762#, #106172# Ensure that DX array is at least mnLen entries long - const ULONG nIntAryLen( Max(nAryLen, static_cast<sal_uInt32>(mnLen)) ); - mpDXAry = new sal_Int32[ nIntAryLen ]; - - ULONG i; - for( i = 0UL; i < nAryLen; i++ ) - rIStm >> mpDXAry[ i ]; + if ( mnLen >= nAryLen ) + { + mpDXAry = new (std::nothrow)sal_Int32[ mnLen ]; + if ( mpDXAry ) + { + ULONG i; + for( i = 0UL; i < nAryLen; i++ ) + rIStm >> mpDXAry[ i ]; - // #106172# setup remainder - for( ; i < nIntAryLen; i++ ) - mpDXAry[ i ] = 0; + // #106172# setup remainder + for( ; i < mnLen; i++ ) + mpDXAry[ i ] = 0; + } + } + else + { + mpDXAry = NULL; + return; + } } else mpDXAry = NULL; diff --git a/vcl/source/gdi/pdfwriter_impl.cxx b/vcl/source/gdi/pdfwriter_impl.cxx index 5d75c829da8a..bf8ca03711b3 100644 --- a/vcl/source/gdi/pdfwriter_impl.cxx +++ b/vcl/source/gdi/pdfwriter_impl.cxx @@ -7403,7 +7403,14 @@ void PDFWriterImpl::drawLayout( SalLayout& rLayout, const String& rText, bool bT // try to handle ligatures and such if( i < nGlyphs-1 ) { - pUnicodesPerGlyph[i] = nChars = pCharPosAry[i+1] - pCharPosAry[i]; + nChars = pCharPosAry[i+1] - pCharPosAry[i]; + // #i115618# fix for simple RTL+CTL cases + // TODO: sanitize for RTL ligatures, more complex CTL, etc. + if( nChars < 0 ) + nChars = -nChars; + else if( nChars == 0 ) + nChars = 1; + pUnicodesPerGlyph[i] = nChars; for( int n = 1; n < nChars; n++ ) aUnicodes.push_back( rText.GetChar( sal::static_int_cast<xub_StrLen>(pCharPosAry[i]+n) ) ); } diff --git a/vcl/source/gdi/pngread.cxx b/vcl/source/gdi/pngread.cxx index 11971db34378..df67c4974d47 100644 --- a/vcl/source/gdi/pngread.cxx +++ b/vcl/source/gdi/pngread.cxx @@ -411,7 +411,9 @@ BitmapEx PNGReaderImpl::GetBitmapEx( const Size& rPreviewSizeHint ) case PNGCHUNK_IDAT : { - if ( !mbIDAT ) // the gfx is finished, but there may be left a zlibCRC of about 4Bytes + if ( !mpInflateInBuf ) // taking care that the header has properly been read + mbStatus = FALSE; + else if ( !mbIDAT ) // the gfx is finished, but there may be left a zlibCRC of about 4Bytes ImplReadIDAT(); } break; @@ -527,7 +529,7 @@ BOOL PNGReaderImpl::ImplReadHeader( const Size& rPreviewSizeHint ) mbIDAT = mbAlphaChannel = mbTransparent = FALSE; mbGrayScale = mbRGBTriple = FALSE; mnTargetDepth = mnPngDepth; - mnScansize = ( ( maOrigSize.Width() * mnPngDepth ) + 7 ) >> 3; + sal_uInt64 nScansize64 = ( ( static_cast< sal_uInt64 >( maOrigSize.Width() ) * mnPngDepth ) + 7 ) >> 3; // valid color types are 0,2,3,4 & 6 switch ( mnColorType ) @@ -557,7 +559,7 @@ BOOL PNGReaderImpl::ImplReadHeader( const Size& rPreviewSizeHint ) case 2 : // each pixel is an RGB triple { mbRGBTriple = TRUE; - mnScansize *= 3; + nScansize64 *= 3; switch ( mnPngDepth ) { case 16 : // we have to reduce the bitmap @@ -590,7 +592,7 @@ BOOL PNGReaderImpl::ImplReadHeader( const Size& rPreviewSizeHint ) case 4 : // each pixel is a grayscale sample followed by an alpha sample { - mnScansize *= 2; + nScansize64 *= 2; mbAlphaChannel = TRUE; switch ( mnPngDepth ) { @@ -608,7 +610,7 @@ BOOL PNGReaderImpl::ImplReadHeader( const Size& rPreviewSizeHint ) case 6 : // each pixel is an RGB triple followed by an alpha sample { mbRGBTriple = TRUE; - mnScansize *= 4; + nScansize64 *= 4; mbAlphaChannel = TRUE; switch (mnPngDepth ) { @@ -626,16 +628,24 @@ BOOL PNGReaderImpl::ImplReadHeader( const Size& rPreviewSizeHint ) return FALSE; } - mnBPP = mnScansize / maOrigSize.Width(); + mnBPP = static_cast< sal_uInt32 >( nScansize64 / maOrigSize.Width() ); if ( !mnBPP ) mnBPP = 1; - mnScansize++; // each scanline includes one filterbyte + nScansize64++; // each scanline includes one filterbyte + + if ( nScansize64 > SAL_MAX_UINT32 ) + return FALSE; + + mnScansize = static_cast< sal_uInt32 >( nScansize64 ); // TODO: switch between both scanlines instead of copying - mpInflateInBuf = new BYTE[ mnScansize ]; + mpInflateInBuf = new (std::nothrow) BYTE[ mnScansize ]; mpScanCurrent = mpInflateInBuf; - mpScanPrior = new BYTE[ mnScansize ]; + mpScanPrior = new (std::nothrow) BYTE[ mnScansize ]; + + if ( !mpInflateInBuf || !mpScanPrior ) + return FALSE; // calculate target size from original size and the preview hint if( rPreviewSizeHint.Width() || rPreviewSizeHint.Height() ) |