From 8165325a4365801c7a0db9f146c14defd202eae9 Mon Sep 17 00:00:00 2001 From: Caolán McNamara Date: Sun, 9 Jan 2022 16:07:32 +0000 Subject: ofz#43446 Undefined-shift MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change-Id: Ibe3485983ecf764ca8b8e667b470c6b210b6d2d4 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128192 Tested-by: Jenkins Reviewed-by: Caolán McNamara (cherry picked from commit 27e9de358b4afc6a89b09c173316cee0abfb471d) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128233 Reviewed-by: Michael Stahl --- lotuswordpro/source/filter/lwpdrawobj.cxx | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) (limited to 'lotuswordpro') diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx b/lotuswordpro/source/filter/lwpdrawobj.cxx index 9789d97a9c57..ac0c9879e18b 100644 --- a/lotuswordpro/source/filter/lwpdrawobj.cxx +++ b/lotuswordpro/source/filter/lwpdrawobj.cxx @@ -1337,6 +1337,22 @@ LwpDrawBitmap::~LwpDrawBitmap() { } +static bool IsValid(const BmpInfoHeader2& rHeader) +{ + if (rHeader.nPlanes != 1) + return false; + + if (rHeader.nBitCount != 0 && rHeader.nBitCount != 1 && + rHeader.nBitCount != 4 && rHeader.nBitCount != 8 && + rHeader.nBitCount != 16 && rHeader.nBitCount != 24 && + rHeader.nBitCount != 32) + { + return false; + } + + return true; +} + /** * @descr reading function of class LwpDrawBitmap */ @@ -1363,6 +1379,9 @@ void LwpDrawBitmap::Read() m_pStream->ReadUInt16( aInfoHeader2.nPlanes ); m_pStream->ReadUInt16( aInfoHeader2.nBitCount ); + if (!IsValid(aInfoHeader2)) + throw BadRead(); + N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount; if (N == 24) { @@ -1379,6 +1398,10 @@ void LwpDrawBitmap::Read() m_pStream->ReadUInt32( aInfoHeader2.nHeight ); m_pStream->ReadUInt16( aInfoHeader2.nPlanes ); m_pStream->ReadUInt16( aInfoHeader2.nBitCount ); + + if (!IsValid(aInfoHeader2)) + throw BadRead(); + N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount; if (N == 24) { -- cgit