From ecae068befc88fe6aa6f8ca09c8e5c9407c11d89 Mon Sep 17 00:00:00 2001 From: Caolán McNamara Date: Mon, 17 Jul 2017 13:56:38 +0100 Subject: ofz#2668 fix oom MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change-Id: Ie30b24a0ad6395d59afa2f2c96b48f98a33f18a8 Reviewed-on: https://gerrit.libreoffice.org/40064 Tested-by: Jenkins Reviewed-by: Caolán McNamara Tested-by: Caolán McNamara --- hwpfilter/source/hbox.cxx | 1 - hwpfilter/source/hbox.h | 2 +- hwpfilter/source/hwpfile.cxx | 2 +- hwpfilter/source/hwpfile.h | 2 +- hwpfilter/source/hwpread.cxx | 24 ++++++++++++++++++++---- hwpfilter/source/hwpreader.cxx | 8 ++++---- 6 files changed, 27 insertions(+), 12 deletions(-) (limited to 'hwpfilter/source') diff --git a/hwpfilter/source/hbox.cxx b/hwpfilter/source/hbox.cxx index 124ebabd28b8..7520c68c934a 100644 --- a/hwpfilter/source/hbox.cxx +++ b/hwpfilter/source/hbox.cxx @@ -377,7 +377,6 @@ Picture::Picture() , cap_pos(0) , num(0) , pictype(0) - , follow(nullptr) , ishyper(false) { } diff --git a/hwpfilter/source/hbox.h b/hwpfilter/source/hbox.h index 5959e7def4d5..6d3d3f62d051 100644 --- a/hwpfilter/source/hbox.h +++ b/hwpfilter/source/hbox.h @@ -630,7 +630,7 @@ struct Picture: public FBox /** * It's for the Drawing object */ - std::unique_ptr follow; /* When the type of image is drawing, gives additional information. */ + std::vector follow; /* When the type of image is drawing, gives additional information. */ bool ishyper; diff --git a/hwpfilter/source/hwpfile.cxx b/hwpfilter/source/hwpfile.cxx index 00c45475fdf1..8507b5056e20 100644 --- a/hwpfilter/source/hwpfile.cxx +++ b/hwpfilter/source/hwpfile.cxx @@ -169,7 +169,7 @@ bool HWPFile::Read4b(int &out) return true; } -int HWPFile::Read1b(void *ptr, size_t nmemb) +size_t HWPFile::Read1b(void *ptr, size_t nmemb) { return hiodev ? hiodev->read1b(ptr, nmemb) : 0; } diff --git a/hwpfilter/source/hwpfile.h b/hwpfilter/source/hwpfile.h index d58faa569a7b..e86d5bd60663 100644 --- a/hwpfilter/source/hwpfile.h +++ b/hwpfilter/source/hwpfile.h @@ -138,7 +138,7 @@ class DLLEXPORT HWPFile /** * Reads nmemb byte array from HIODev */ - int Read1b( void *ptr, size_t nmemb ); + size_t Read1b(void *ptr, size_t nmemb); /** * Reads nmemb short type array from HIODev */ diff --git a/hwpfilter/source/hwpread.cxx b/hwpfilter/source/hwpread.cxx index 69b09ebc42d8..7e01d896581f 100644 --- a/hwpfilter/source/hwpread.cxx +++ b/hwpfilter/source/hwpread.cxx @@ -431,19 +431,35 @@ bool Picture::Read(HWPFile & hwpf) if (follow_block_size != 0) { - follow.reset( new unsigned char[follow_block_size] ); + follow.clear(); + + //read potentially compressed data in blocks as its more + //likely large values are simply broken and we'll run out + //of data before we need to realloc + for (size_t i = 0; i < follow_block_size; i+= SAL_MAX_UINT16) + { + size_t nOldSize = follow.size(); + size_t nBlock = std::min(SAL_MAX_UINT16, follow_block_size - nOldSize); + follow.resize(nOldSize + nBlock); + size_t nReadBlock = hwpf.Read1b(follow.data() + nOldSize, nBlock); + if (nBlock != nReadBlock) + { + follow.resize(nOldSize + nReadBlock); + break; + } + } + follow_block_size = follow.size(); - hwpf.Read1b(follow.get(), follow_block_size); if (pictype == PICTYPE_DRAW) { - hmem = new HMemIODev(reinterpret_cast(follow.get()), follow_block_size); + hmem = new HMemIODev(reinterpret_cast(follow.data()), follow_block_size); LoadDrawingObjectBlock(this); style.cell = picinfo.picdraw.hdo; delete hmem; hmem = nullptr; } - else + else if (follow_block_size >= 4) { if ((follow[3] << 24 | follow[2] << 16 | follow[1] << 8 | follow[0]) == 0x269) { diff --git a/hwpfilter/source/hwpreader.cxx b/hwpfilter/source/hwpreader.cxx index 3f32c3b47c9b..29a884521265 100644 --- a/hwpfilter/source/hwpreader.cxx +++ b/hwpfilter/source/hwpreader.cxx @@ -3827,16 +3827,16 @@ void HwpReader::makePicture(Picture * hbox) padd("xlink:type", sXML_CDATA, "simple"); #ifdef _WIN32 if( hbox->follow[4] != 0 ) - padd("xlink:href", sXML_CDATA, reinterpret_cast(hconv(kstr2hstr(hbox->follow.get() + 4).c_str()))); + padd("xlink:href", sXML_CDATA, reinterpret_cast(hconv(kstr2hstr(hbox->follow.data() + 4).c_str()))); else - padd("xlink:href", sXML_CDATA, reinterpret_cast(hconv(kstr2hstr(hbox->follow.get() + 5).c_str()))); + padd("xlink:href", sXML_CDATA, reinterpret_cast(hconv(kstr2hstr(hbox->follow.data() + 5).c_str()))); #else if( hbox->follow[4] != 0 ) padd("xlink:href", sXML_CDATA, - reinterpret_cast(hconv(kstr2hstr(reinterpret_cast(urltounix(reinterpret_cast(hbox->follow.get() + 4)).c_str())).c_str()))); + reinterpret_cast(hconv(kstr2hstr(reinterpret_cast(urltounix(reinterpret_cast(hbox->follow.data() + 4)).c_str())).c_str()))); else padd("xlink:href", sXML_CDATA, - reinterpret_cast(hconv(kstr2hstr(reinterpret_cast(urltounix(reinterpret_cast(hbox->follow.get() + 5)).c_str())).c_str()))); + reinterpret_cast(hconv(kstr2hstr(reinterpret_cast(urltounix(reinterpret_cast(hbox->follow.data() + 5)).c_str())).c_str()))); #endif rstartEl("draw:a", mxList.get()); mxList->clear(); -- cgit