From 173fd90387e8bb7f33c2608628f12c7f772f0277 Mon Sep 17 00:00:00 2001
From: Caolán McNamara
Date: Mon, 13 Jul 2015 20:44:16 +0100
Subject: fix a third emf crash
Change-Id: I3b5d0daf05e3272d2afa0da84ff0b1f8d5c965a4
---
 vcl/qa/cppunit/graphicfilter/data/emf/fail/crash-3.emf | Bin 0 -> 456 bytes
 vcl/source/filter/wmf/enhwmf.cxx | 4 +++-
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 vcl/qa/cppunit/graphicfilter/data/emf/fail/crash-3.emf
(limited to 'vcl')
diff --git a/vcl/qa/cppunit/graphicfilter/data/emf/fail/crash-3.emf b/vcl/qa/cppunit/graphicfilter/data/emf/fail/crash-3.emf
new file mode 100644
index 000000000000..92da5f05ac7b
Binary files /dev/null and b/vcl/qa/cppunit/graphicfilter/data/emf/fail/crash-3.emf differ
diff --git a/vcl/source/filter/wmf/enhwmf.cxx b/vcl/source/filter/wmf/enhwmf.cxx
index d8292ac15b30..81b8b7b6c7b2 100644
--- a/vcl/source/filter/wmf/enhwmf.cxx
+++ b/vcl/source/filter/wmf/enhwmf.cxx
@@ -1441,7 +1441,9 @@ bool EnhWMFReader::ReadEnhWMF()
 DBG_ASSERT( ( nOptions & ( ETO_PDY | ETO_GLYPH_INDEX ) ) == 0, "SJ: ETO_PDY || ETO_GLYPH_INDEX in EMF" );
 Point aPos( ptlReferenceX, ptlReferenceY );
- if ( nLen > 0 && nLen < static_cast( SAL_MAX_UINT32 / sizeof(sal_Int32) ) )
+ bool bLenSane = nLen > 0 && nLen < static_cast( SAL_MAX_UINT32 / sizeof(sal_Int32) );
+ bool bOffStringSane = nOffString <= nEndPos - nCurPos;
+ if (bLenSane && bOffStringSane)
 {
 if ( offDx && (( nCurPos + offDx + nLen * 4 ) <= nNextPos ) )
 {
-- cgit
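Review bot: `bOffStringSane` bounds only where the string starts, and it does so against `nEndPos`, while the `offDx` test in the context just below bounds offset plus length against `nNextPos`; a record whose `nOffString` is in range but whose string extends past the end of the record still passes. If the record end is the intended limit, the check would read `bool bOffStringSane = nCurPos <= nNextPos && nOffString <= nNextPos - nCurPos;`, with the string's byte length (its character width is not visible in this hunk) also taken off the right-hand side. The explicit `nCurPos <=` guard matters if these positions are unsigned, because `nEndPos - nCurPos` would otherwise wrap to a large value and accept any offset. A one-line comment such as `// nOffString and offDx are untrusted file offsets; both must stay inside the current record` would record the intent. ReadEnhWMF starts and ends outside the hunk, so the declarations of these variables are not shown.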