From f400e883044143f999c460375a293647b4a57244 Mon Sep 17 00:00:00 2001
From: Caolán McNamara
Date: Fri, 1 Jan 2021 19:17:30 +0000
Subject: ofz#29151 short read
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Change-Id: I908d19903ff0b16f5c6a87b8aa989b6a410a7b3a
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/108563
Tested-by: Caolán McNamara
Reviewed-by: Caolán McNamara
---
 filter/source/msfilter/msdffimp.cxx | 10 ++++++----
 sd/qa/unit/data/ppt/fail/hang-19.ppt | Bin 7680 -> 0 bytes
 sd/qa/unit/data/ppt/pass/hang-19.ppt | Bin 0 -> 7680 bytes
 3 files changed, 6 insertions(+), 4 deletions(-)
 delete mode 100644 sd/qa/unit/data/ppt/fail/hang-19.ppt
 create mode 100644 sd/qa/unit/data/ppt/pass/hang-19.ppt
diff --git a/filter/source/msfilter/msdffimp.cxx b/filter/source/msfilter/msdffimp.cxx
index bed7bdcc283d..442509617f91 100644
--- a/filter/source/msfilter/msdffimp.cxx
+++ b/filter/source/msfilter/msdffimp.cxx
@@ -4183,9 +4183,11 @@ SdrObject* SvxMSDffManager::ImportShape( const DffRecordHeader& rHd, SvStream& r
 if( maShapeRecords.SeekToContent( rSt, DFF_msofbtUDefProp ) )
 {
- sal_uInt32 nBytesLeft = maShapeRecords.Current()->nRecLen;
+ sal_uInt32 nBytesLeft = maShapeRecords.Current()->nRecLen;
 while( 5 < nBytesLeft )
 {
+ if (rSt.remainingSize() < 6)
+ break;
 sal_uInt16 nPID(0);
 rSt.ReadUInt16(nPID);
 if (!rSt.good())
@@ -4199,11 +4201,11 @@ SdrObject* SvxMSDffManager::ImportShape( const DffRecordHeader& rHd, SvStream& r
 mbRotateGranientFillWithAngle = nUDData & 0x20;
 break;
 }
- nBytesLeft -= 6;
+ nBytesLeft -= 6;
 }
 }
 aObjData.bShapeType = maShapeRecords.SeekToContent( rSt, DFF_msofbtSp );
- if ( aObjData.bShapeType )
+ if (aObjData.bShapeType && rSt.remainingSize() >= 8)
 {
 sal_uInt32 temp;
 rSt.ReadUInt32( aObjData.nShapeId )
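Review bot: The added `rSt.remainingSize() < 6` test is re-evaluated on every pass of the `while( 5 < nBytesLeft )` loop, and the entry size is now spelled three ways (`5 <`, `< 6`, `-= 6`). Since `nRecLen` comes from the file, clamping once before the loop, e.g. `nBytesLeft = std::min<sal_uInt64>(nBytesLeft, rSt.remainingSize());`, would bound the loop by the bytes actually present and leave the existing `rSt.good()` checks as the backstop. A named constant for the 6-byte entry (the 2-byte PID plus, presumably, a 4-byte value) would keep the three sites in agreement. The loop body continues outside the hunk.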
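Review bot: `rSt.remainingSize() >= 8` bounds the reads by what is left in the whole stream, not by the length of the `DFF_msofbtSp` record that `SeekToContent` just located, so a record whose declared length is under 8 bytes would still have the bytes that follow it parsed as the shape id and whatever is read after it. If `Current()` refers to the record just found, as it appears to in the UDefProp branch above, the guard could also test `maShapeRecords.Current()->nRecLen >= 8`. The same applies to the `>= 16` guard in the child-anchor hunk. The `if` body continues outside the hunk.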
@@ -4247,7 +4249,7 @@ SdrObject* SvxMSDffManager::ImportShape( const DffRecordHeader& rHd, SvStream& r
 }
 aObjData.bChildAnchor = maShapeRecords.SeekToContent( rSt, DFF_msofbtChildAnchor, SEEK_FROM_CURRENT_AND_RESTART );
- if ( aObjData.bChildAnchor )
+ if (aObjData.bChildAnchor && rSt.remainingSize() >= 16)
 {
 sal_Int32 l(0), o(0), r(0), u(0);
 rSt.ReadInt32( l ).ReadInt32( o ).ReadInt32( r ).ReadInt32( u );
diff --git a/sd/qa/unit/data/ppt/fail/hang-19.ppt b/sd/qa/unit/data/ppt/fail/hang-19.ppt
deleted file mode 100644
index 942a58a66c5d..000000000000
Binary files a/sd/qa/unit/data/ppt/fail/hang-19.ppt and /dev/null differ
diff --git a/sd/qa/unit/data/ppt/pass/hang-19.ppt b/sd/qa/unit/data/ppt/pass/hang-19.ppt
new file mode 100644
index 000000000000..942a58a66c5d
Binary files /dev/null and b/sd/qa/unit/data/ppt/pass/hang-19.ppt differ
-- cgit
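Review bot: When the child-anchor record is found but fewer than 16 bytes remain, the block is skipped while `aObjData.bChildAnchor` stays true, so any later code that trusts the flag would work with an anchor that was never read from the file. Whether such a consumer exists is not visible from this hunk, and the `if` body continues outside it. If one does, folding the size test into the flag, or adding `aObjData.bChildAnchor = false;` for the short case, keeps flag and data consistent. A brief comment such as `// l, o, r, u: four sal_Int32 = 16 bytes` next to the guard would tie the literal to the reads it protects.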