From 9bee38c95b2c426d3c87a30d34172aca352f0141 Mon Sep 17 00:00:00 2001
From: Caolán McNamara <caolanm@redhat.com>
Date: Thu, 3 Aug 2017 14:37:30 +0100
Subject: ofz#2846 null deref
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Change-Id: I88b61d7a4faaed118db8df6f99cef08310c1f2eb
Reviewed-on: https://gerrit.libreoffice.org/40724
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
---
 hwpfilter/source/hwpread.cxx | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'hwpfilter/source')

diff --git a/hwpfilter/source/hwpread.cxx b/hwpfilter/source/hwpread.cxx
index 7e01d896581f..8b0c877c1f98 100644
--- a/hwpfilter/source/hwpread.cxx
+++ b/hwpfilter/source/hwpread.cxx
@@ -428,6 +428,13 @@ bool Picture::Read(HWPFile & hwpf)
     UpdateBBox(this);
     if( pictype != PICTYPE_DRAW )
         style.cell = reserved3;
+    else
+    {
+        //picinfo.picun read above is unioned with
+        //picinfo.picdraw and so wrote to the hdo pointer
+        //value, which is definitely not useful to us
+        picinfo.picdraw.hdo = nullptr;
+    }
 
     if (follow_block_size != 0)
     {
-- 
cgit