From 4970009499a5dfb634b25dc144ee35bac0cf9d31 Mon Sep 17 00:00:00 2001
From: Caolán McNamara
Date: Thu, 27 Aug 2015 20:20:01 +0100
Subject: don't loop on overly-short nEndPos
Change-Id: I60d3388ece28a69c31a85b9e3b495cbe8a03e7dc
(cherry picked from commit 42732d255423700461f4abadfed77d89efa9cdd0)
Reviewed-on: https://gerrit.libreoffice.org/18084
Reviewed-by: Michael Meeks
Tested-by: Michael Meeks
---
 vcl/source/filter/wmf/enhwmf.cxx | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
(limited to 'vcl/source')
diff --git a/vcl/source/filter/wmf/enhwmf.cxx b/vcl/source/filter/wmf/enhwmf.cxx
index 1b8dc0d45f6f..578fc0afb989 100644
--- a/vcl/source/filter/wmf/enhwmf.cxx
+++ b/vcl/source/filter/wmf/enhwmf.cxx
@@ -617,7 +617,7 @@ void EnhWMFReader::ReadAndDrawPolyPolygon()
 bool EnhWMFReader::ReadEnhWMF()
 {
 sal_uInt32 nStretchBltMode = 0;
- sal_uInt32 nRecType(0), nRecSize(0), nNextPos(0),
+ sal_uInt32 nNextPos(0),
 nW(0), nH(0), nColor(0), nIndex(0), nDat32(0), nNom1(0), nDen1(0), nNom2(0), nDen2(0);
 sal_Int32 nX32(0), nY32(0), nx32(0), ny32(0);
@@ -629,7 +629,8 @@ bool EnhWMFReader::ReadEnhWMF()
 while( bStatus && nRecordCount-- && pWMF->good())
 {
- pWMF->ReadUInt32( nRecType ).ReadUInt32( nRecSize );
+ sal_uInt32 nRecType(0), nRecSize(0);
+ pWMF->ReadUInt32(nRecType).ReadUInt32(nRecSize);
 if ( !pWMF->good() || ( nRecSize < 8 ) || ( nRecSize & 3 ) ) // Parameters are always divisible by 4
 {
@@ -637,14 +638,22 @@ bool EnhWMFReader::ReadEnhWMF()
 break;
 }
- const sal_uInt32 nMaxPossibleRecSize = nEndPos - pWMF->Tell() + 8;
+ auto nCurPos = pWMF->Tell();
+
+ if (nEndPos < nCurPos - 8)
+ {
+ bStatus = false;
+ break;
+ }
+
+ const sal_uInt32 nMaxPossibleRecSize = nEndPos - (nCurPos - 8);
 if (nRecSize > nMaxPossibleRecSize)
 {
 bStatus = false;
 break;
 }
- nNextPos = pWMF->Tell() + ( nRecSize - 8 );
+ nNextPos = nCurPos + (nRecSize - 8);
 if( !aBmpSaveList.empty() && ( nRecType != EMR_STRETCHBLT )
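Review bot: In the third hunk (@@ -637,14 +638,22 @@) `nCurPos` is declared `auto`, so its width is whatever `pWMF->Tell()` returns, yet it feeds two `sal_uInt32` values: `nMaxPossibleRecSize` and `nNextPos = nCurPos + (nRecSize - 8)`. The declarations of Tell() and nEndPos are not visible here; if either is wider than 32 bits, both assignments narrow silently, so spelling the type out (or casting explicitly with a comment at the narrowing) would make the bound auditable in a parser that reads untrusted files. The new guard also deserves a comment such as `// nCurPos is past the 8-byte type+size header; a record starting beyond nEndPos would make the unsigned subtraction below wrap`. The literal 8 is repeated across these checks, so a named constant for the header size would help. ReadEnhWMF's body continues outside the hunk.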
@@ -1407,7 +1416,7 @@ bool EnhWMFReader::ReadEnhWMF()
 case EMR_EXTTEXTOUTW :
 {
 sal_Int32 nLeft, nTop, nRight, nBottom, ptlReferenceX, ptlReferenceY, nGfxMode, nXScale, nYScale;
- sal_uInt32 nCurPos, nOffString, nOptions, offDx;
+ sal_uInt32 nOffString, nOptions, offDx;
 sal_Int32 nLen;
 std::vector aDX;
-- cgit
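Review bot: Dropping the case-local `nCurPos` means any use of that name in the EMR_EXTTEXTOUTW body, which lies outside the hunk, now binds to the loop-level `auto nCurPos` introduced earlier in this patch. That variable holds the stream position just after the record header and has the type Tell() returns rather than `sal_uInt32`, so if the case assigns to it or computes offsets from it, the width of that arithmetic is worth re-checking. I would give the case its own differently named local and declare the loop-level one `const auto nCurPos = pWMF->Tell();`, so an accidental write from a record handler fails to compile.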