From 444477a07bcaf59181dbbc719b913566091deadc Mon Sep 17 00:00:00 2001
From: Caolán McNamara <caolanm@redhat.com>
Date: Thu, 13 Jan 2022 16:57:48 +0000
Subject: ofz#43577 valid reclen must be >= 20
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Change-Id: I454bff4acfcd85701a7f094a8bd76898825e9ce2
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128388
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
---
 lotuswordpro/source/filter/lwpdrawobj.cxx | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'lotuswordpro')

diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx b/lotuswordpro/source/filter/lwpdrawobj.cxx
index 55d23be1ef7b..0e78359fa0c6 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1362,6 +1362,9 @@ void LwpDrawBitmap::Read()
     m_pStream->ReadUInt16( m_aBmpRec.nTranslation );
     m_pStream->ReadUInt16( m_aBmpRec.nRotation );
 
+    if (m_aObjHeader.nRecLen < 20)
+        throw BadRead();
+
     // 20 == length of draw-specific fields.
     // 14 == length of bmp file header.
     m_aBmpRec.nFileSize = m_aObjHeader.nRecLen - 20 + 14;
-- 
cgit