From e897f9d74d0210c500fda918e891f3b3499518c7 Mon Sep 17 00:00:00 2001
From: Caolán McNamara <caolanm@redhat.com>
Date: Sun, 29 Jan 2017 20:54:56 +0000
Subject: Resolves: ofz#488 check remaining size while parsing

Change-Id: Ibb2b6c59a159f9fafa6a065be438b59a6d2d3f21
---
 filter/source/graphicfilter/ieps/ieps.cxx | 88 ++++++++++++++++++++-----------
 1 file changed, 57 insertions(+), 31 deletions(-)

(limited to 'filter')

diff --git a/filter/source/graphicfilter/ieps/ieps.cxx b/filter/source/graphicfilter/ieps/ieps.cxx
index 41802f86a2cd..af4ab68457ea 100644
--- a/filter/source/graphicfilter/ieps/ieps.cxx
+++ b/filter/source/graphicfilter/ieps/ieps.cxx
@@ -466,7 +466,6 @@ void MakePreview(sal_uInt8* pBuf, sal_uInt32 nBytesRead,
     pVDev->SetFillColor();
 
     aFont.SetColor( COL_LIGHTRED );
-//  aFont.SetSize( Size( 0, 32 ) );
 
     pVDev->Push( PushFlags::FONT );
     pVDev->SetFont( aFont );
@@ -477,54 +476,81 @@ void MakePreview(sal_uInt8* pBuf, sal_uInt32 nBytesRead,
     OUString aString;
     int nLen;
     sal_uInt8* pDest = ImplSearchEntry( pBuf, reinterpret_cast<sal_uInt8 const *>("%%Title:"), nBytesRead - 32, 8 );
-    if ( pDest )
+    sal_uInt32 nRemainingBytes = pDest ? (nBytesRead - (pDest - pBuf)) : 0;
+    if (nRemainingBytes >= 8)
     {
         pDest += 8;
-        if ( *pDest == ' ' )
-            pDest++;
-        nLen = ImplGetLen( pDest, 32 );
-        sal_uInt8 aOldValue(pDest[ nLen ]); pDest[ nLen ] = 0;
-        if ( strcmp( reinterpret_cast<char*>(pDest), "none" ) != 0 )
+        nRemainingBytes -= 8;
+        if (nRemainingBytes && *pDest == ' ')
         {
-            const char* pStr = reinterpret_cast<char*>(pDest);
-            aString += " Title:" + OUString(pStr, strlen(pStr), RTL_TEXTENCODING_ASCII_US) + "\n";
+            ++pDest;
+            --nRemainingBytes;
+        }
+        nLen = ImplGetLen(pDest, std::min<sal_uInt32>(nRemainingBytes, 32));
+        if (static_cast<sal_uInt32>(nLen) < nRemainingBytes)
+        {
+            sal_uInt8 aOldValue(pDest[ nLen ]); pDest[ nLen ] = 0;
+            if ( strcmp( reinterpret_cast<char*>(pDest), "none" ) != 0 )
+            {
+                const char* pStr = reinterpret_cast<char*>(pDest);
+                aString += " Title:" + OUString(pStr, strlen(pStr), RTL_TEXTENCODING_ASCII_US) + "\n";
+            }
+            pDest[ nLen ] = aOldValue;
         }
-        pDest[ nLen ] = aOldValue;
     }
     pDest = ImplSearchEntry( pBuf, reinterpret_cast<sal_uInt8 const *>("%%Creator:"), nBytesRead - 32, 10 );
-    if ( pDest )
+    nRemainingBytes = pDest ? (nBytesRead - (pDest - pBuf)) : 0;
+    if (nRemainingBytes >= 10)
     {
         pDest += 10;
-        if ( *pDest == ' ' )
-            pDest++;
-        nLen = ImplGetLen( pDest, 32 );
-        sal_uInt8 aOldValue(pDest[ nLen ]); pDest[ nLen ] = 0;
-        const char* pStr = reinterpret_cast<char*>(pDest);
-        aString += " Creator:" + OUString(pStr, strlen(pStr), RTL_TEXTENCODING_ASCII_US) + "\n";
-        pDest[ nLen ] = aOldValue;
+        nRemainingBytes -= 10;
+        if (nRemainingBytes && *pDest == ' ')
+        {
+            ++pDest;
+            --nRemainingBytes;
+        }
+        nLen = ImplGetLen(pDest, std::min<sal_uInt32>(nRemainingBytes, 32));
+        if (static_cast<sal_uInt32>(nLen) < nRemainingBytes)
+        {
+            sal_uInt8 aOldValue(pDest[nLen]); pDest[nLen] = 0;
+            const char* pStr = reinterpret_cast<char*>(pDest);
+            aString += " Creator:" + OUString(pStr, strlen(pStr), RTL_TEXTENCODING_ASCII_US) + "\n";
+            pDest[nLen] = aOldValue;
+        }
     }
     pDest = ImplSearchEntry( pBuf, reinterpret_cast<sal_uInt8 const *>("%%CreationDate:"), nBytesRead - 32, 15 );
-    if ( pDest )
+    nRemainingBytes = pDest ? (nBytesRead - (pDest - pBuf)) : 0;
+    if (nRemainingBytes >= 15)
     {
         pDest += 15;
-        if ( *pDest == ' ' )
-            pDest++;
-        nLen = ImplGetLen( pDest, 32 );
-        sal_uInt8 aOldValue(pDest[ nLen ]); pDest[ nLen ] = 0;
-        if ( strcmp( reinterpret_cast<char*>(pDest), "none" ) != 0 )
+        nRemainingBytes -= 15;
+        if (nRemainingBytes && *pDest == ' ')
         {
-            const char* pStr = reinterpret_cast<char*>(pDest);
-            aString += " CreationDate:" + OUString(pStr, strlen(pStr), RTL_TEXTENCODING_ASCII_US) + "\n";
+            ++pDest;
+            --nRemainingBytes;
+        }
+        nLen = ImplGetLen(pDest, std::min<sal_uInt32>(nRemainingBytes, 32));
+        if (static_cast<sal_uInt32>(nLen) < nRemainingBytes)
+        {
+            sal_uInt8 aOldValue(pDest[ nLen ]); pDest[ nLen ] = 0;
+            if ( strcmp( reinterpret_cast<char*>(pDest), "none" ) != 0 )
+            {
+                aString += " CreationDate:" + OUString::createFromAscii( reinterpret_cast<char*>(pDest) ) + "\n";
+                const char* pStr = reinterpret_cast<char*>(pDest);
+                aString += " CreationDate:" + OUString(pStr, strlen(pStr), RTL_TEXTENCODING_ASCII_US) + "\n";
+            }
+            pDest[ nLen ] = aOldValue;
         }
-        pDest[ nLen ] = aOldValue;
     }
     pDest = ImplSearchEntry( pBuf, reinterpret_cast<sal_uInt8 const *>("%%LanguageLevel:"), nBytesRead - 4, 16 );
-    if ( pDest )
+    nRemainingBytes = pDest ? (nBytesRead - (pDest - pBuf)) : 0;
+    if (nRemainingBytes >= 16)
     {
         pDest += 16;
-        sal_uInt32 nCount = 4;
-        long nNumber = ImplGetNumber(pDest, nCount);
-        if ( nCount && ( (sal_uInt32)nNumber < 10 ) )
+        nRemainingBytes -= 16;
+        sal_uInt32 nCount = std::min<sal_uInt32>(nRemainingBytes, 4U);
+        sal_uInt32 nNumber = ImplGetNumber(pDest, nCount);
+        if (nCount && nNumber < 10)
         {
             aString += " LanguageLevel:" + OUString::number( nNumber );
         }
-- 
cgit