From af45b3d48e3a027c14317db944a8d67de063352f Mon Sep 17 00:00:00 2001
From: Caolán McNamara
Date: Sun, 2 Apr 2017 12:03:38 +0100
Subject: ofz: more check bounds on read
Change-Id: I92b10aeab34cb6a78deff1d4b54545c8f506113c
---
 filter/source/graphicfilter/icgm/cgm.cxx | 8 ++++----
 filter/source/graphicfilter/icgm/class1.cxx | 13 +++++++------
 filter/source/graphicfilter/icgm/class4.cxx | 6 +++---
 3 files changed, 14 insertions(+), 13 deletions(-)
(limited to 'filter/source/graphicfilter')
diff --git a/filter/source/graphicfilter/icgm/cgm.cxx b/filter/source/graphicfilter/icgm/cgm.cxx
index 8caba71e88a0..6f0d171abfa5 100644
--- a/filter/source/graphicfilter/icgm/cgm.cxx
+++ b/filter/source/graphicfilter/icgm/cgm.cxx
@@ -99,7 +99,7 @@ sal_uInt32 CGM::GetBackGroundColor()
 sal_uInt32 CGM::ImplGetUI16( sal_uInt32 /*nAlign*/ )
 {
 sal_uInt8* pSource = mpSource + mnParaSize;
- if (pSource + 2 > mpEndValidSource)
+ if (mpEndValidSource - pSource < 2)
 throw css::uno::Exception("attempt to read past end of input", nullptr);
 mnParaSize += 2;
 return ( pSource[ 0 ] << 8 ) + pSource[ 1 ];
@@ -113,7 +113,7 @@ sal_uInt8 CGM::ImplGetByte( sal_uInt32 nSource, sal_uInt32 nPrecision )
 sal_Int32 CGM::ImplGetI( sal_uInt32 nPrecision )
 {
 sal_uInt8* pSource = mpSource + mnParaSize;
- if (pSource + nPrecision > mpEndValidSource)
+ if (mpEndValidSource - pSource < nPrecision)
 throw css::uno::Exception("attempt to read past end of input", nullptr);
 mnParaSize += nPrecision;
 switch( nPrecision )
@@ -145,7 +145,7 @@ sal_Int32 CGM::ImplGetI( sal_uInt32 nPrecision )
 sal_uInt32 CGM::ImplGetUI( sal_uInt32 nPrecision )
 {
 sal_uInt8* pSource = mpSource + mnParaSize;
- if (pSource + nPrecision > mpEndValidSource)
+ if (mpEndValidSource - pSource < nPrecision)
 throw css::uno::Exception("attempt to read past end of input", nullptr);
 mnParaSize += nPrecision;
 switch( nPrecision )
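Review bot: The rewritten guards in ImplGetI and ImplGetUI compare a signed pointer difference with a `sal_uInt32`, so on a build where `ptrdiff_t` is 32 bits wide the difference is converted to unsigned before the comparison. If `mnParaSize` has already carried `pSource` beyond `mpEndValidSource`, the negative difference turns into a very large value and the guard does not throw; whether that state is reachable depends on code outside these hunks, though the unchecked `mnParaSize += nSize` in the InsertCharSet loop of class1.cxx makes it plausible. The same comparison appears in ImplGetFloat (`@@ -200,7 +200,7 @@`) and in the `nSize` guards of class1.cxx and class4.cxx, while the ImplGetUI16 guard is unaffected because it compares against the int literal 2. Rejecting the overshoot explicitly keeps the check independent of pointer width, e.g. `if (pSource > mpEndValidSource || static_cast<std::size_t>(mpEndValidSource - pSource) < nPrecision)`. The bodies of ImplGetI and ImplGetUI continue outside the hunks.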
@@ -200,7 +200,7 @@ double CGM::ImplGetFloat( RealPrecision eRealPrecision, sal_uInt32 nRealSize )
 const bool bCompatible = false;
 #endif
- if (mpSource + mnParaSize + nRealSize > mpEndValidSource)
+ if (mpEndValidSource - (mpSource + mnParaSize) < nRealSize)
 throw css::uno::Exception("attempt to read past end of input", nullptr);
 if ( bCompatible )
diff --git a/filter/source/graphicfilter/icgm/class1.cxx b/filter/source/graphicfilter/icgm/class1.cxx
index 641355924f74..4d41add2448c 100644
--- a/filter/source/graphicfilter/icgm/class1.cxx
+++ b/filter/source/graphicfilter/icgm/class1.cxx
@@ -176,8 +176,11 @@ void CGM::ImplDoClass1()
 {
 while ( mnParaSize < mnElementSize )
 {
- sal_uInt32 nSize;
- nSize = ImplGetUI( 1 );
+ sal_uInt32 nSize = ImplGetUI(1);
+
+ if (mpEndValidSource - (mpSource + mnParaSize) < nSize)
+ throw css::uno::Exception("attempt to read past end of input", nullptr);
+
 pElement->aFontList.InsertName( mpSource + mnParaSize, nSize );
 mnParaSize += nSize;
 }
@@ -187,10 +190,8 @@ void CGM::ImplDoClass1()
 {
 while ( mnParaSize < mnElementSize )
 {
- sal_uInt32 nCharSetType;
- sal_uInt32 nSize;
- nCharSetType = ImplGetUI16();
- nSize = ImplGetUI( 1 );
+ sal_uInt32 nCharSetType = ImplGetUI16();
+ sal_uInt32 nSize = ImplGetUI(1);
 pElement->aFontList.InsertCharSet( (CharSetType)nCharSetType, mpSource + mnParaSize, nSize );
 mnParaSize += nSize;
 }
diff --git a/filter/source/graphicfilter/icgm/class4.cxx b/filter/source/graphicfilter/icgm/class4.cxx
index d8397a26395c..f1cf2881a4fc 100644
--- a/filter/source/graphicfilter/icgm/class4.cxx
+++ b/filter/source/graphicfilter/icgm/class4.cxx
@@ -186,7 +186,7 @@ void CGM::ImplDoClass4()
 sal_uInt32 nType = ImplGetUI16( 4 );
 sal_uInt32 nSize = ImplGetUI( 1 );
- if (mpSource + mnParaSize + nSize > mpEndValidSource)
+ if (mpEndValidSource - (mpSource + mnParaSize) < nSize)
 throw css::uno::Exception("attempt to read past end of input", nullptr);
 mpSource[mnParaSize + nSize] = 0;
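Review bot: The InsertCharSet loop in class1.cxx (`@@ -187,10 +190,8 @@`) still hands `mpSource + mnParaSize` and a file-supplied `nSize` to the font list without the bounds check this commit adds to the InsertName loop directly above it. InsertCharSet's body is not visible here, but if it consumes `nSize` bytes, a length byte larger than the remaining data reads past `mpEndValidSource`, and `mnParaSize += nSize` then leaves the cursor beyond the valid range for the next read. Add the same guard before the call: `if (mpEndValidSource - (mpSource + mnParaSize) < nSize)` followed by `throw css::uno::Exception("attempt to read past end of input", nullptr);`. The enclosing ImplDoClass1 starts and ends outside the hunk.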
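Review bot: The terminator write `mpSource[mnParaSize + nSize] = 0;` after the guard in class4.cxx is still reached when exactly `nSize` bytes remain, and in that case it stores at `mpEndValidSource` itself rather than inside the validated range. Whether that byte belongs to the buffer depends on how the buffer is allocated, which these hunks do not show; the same pattern follows the guards at `@@ -224,7 +224,7 @@` and `@@ -242,7 +242,7 @@`. If no spare byte is guaranteed, either reject the boundary case with `if (mpEndValidSource - (mpSource + mnParaSize) <= nSize)` or, preferably, build the string from pointer plus length so that no terminator has to be written into the input buffer. ImplDoClass4 starts and ends outside the hunks.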
@@ -224,7 +224,7 @@ void CGM::ImplDoClass4()
 sal_uInt32 nType = ImplGetUI16(4);
 sal_uInt32 nSize = ImplGetUI(1);
- if (mpSource + mnParaSize + nSize > mpEndValidSource)
+ if (mpEndValidSource - (mpSource + mnParaSize) < nSize)
 throw css::uno::Exception("attempt to read past end of input", nullptr);
 mpSource[ mnParaSize + nSize ] = 0;
@@ -242,7 +242,7 @@ void CGM::ImplDoClass4()
 sal_uInt32 nType = ImplGetUI16( 4 );
 sal_uInt32 nSize = ImplGetUI( 1 );
- if (mpSource + mnParaSize + nSize > mpEndValidSource)
+ if (mpEndValidSource - (mpSource + mnParaSize) < nSize)
 throw css::uno::Exception("attempt to read past end of input", nullptr);
 mpSource[ mnParaSize + nSize ] = 0;
-- cgit