filter/CppunitTest_filter_met_test.mk | 43 +++++++++ filter/Module_filter.mk | 1 filter/qa/cppunit/data/met/indeterminate/.gitignore | 1 filter/qa/cppunit/data/met/pass/sample.met |binary filter/qa/cppunit/filters-met-test.cxx | 71 ++++++++++++++ filter/source/graphicfilter/ios2met/ios2met.cxx | 16 ++- vcl/source/filter/wmf/winwmf.cxx | 95 +++++++++++++++----- vcl/source/fontsubset/sft.cxx | 8 + vcl/unx/generic/dtrans/bmp.cxx | 3 9 files changed, 213 insertions(+), 25 deletions(-)
New commits: commit 6118c11a0c5122169979547e8c27136cf58a54a7 Author: Caolán McNamara <caol...@redhat.com> Date: Fri Oct 17 20:35:12 2014 +0100 coverity#1242582 Untrusted loop bound Change-Id: I72d2c4979b62a025d212ce5ee3b7141c40376fa7 diff --git a/filter/source/graphicfilter/ios2met/ios2met.cxx b/filter/source/graphicfilter/ios2met/ios2met.cxx index a23d0cc..abe2eeb 100644 --- a/filter/source/graphicfilter/ios2met/ios2met.cxx +++ b/filter/source/graphicfilter/ios2met/ios2met.cxx @@ -1012,6 +1012,8 @@ void OS2METReader::ReadChrStr(bool bGivenPos, bool bMove, bool bExtra, sal_uInt1 else nLen = nOrderLen-4; } + if (nLen > pOS2MET->remainingSize()) + throw css::uno::Exception("attempt to read past end of input", 0); boost::scoped_array<char> pChr(new char[nLen+1]); for (i=0; i<nLen; i++) pOS2MET->ReadChar( pChr[i] ); @@ -2752,12 +2754,18 @@ GraphicImport( SvStream & rStream, Graphic & rGraphic, FilterConfigItem* ) GDIMetaFile aMTF; bool bRet = false; - aOS2METReader.ReadOS2MET( rStream, aMTF ); + try + { + aOS2METReader.ReadOS2MET( rStream, aMTF ); - if ( !rStream.GetError() ) + if ( !rStream.GetError() ) + { + rGraphic=Graphic( aMTF ); + bRet = true; + } + } + catch (const css::uno::Exception&) { - rGraphic=Graphic( aMTF ); - bRet = true; } return bRet; commit 0445a0ea1b11c78f03272d42e5a8829b1bd107e2 Author: Caolán McNamara <caol...@redhat.com> Date: Fri Oct 17 16:52:50 2014 +0100 add a regression test for .met files OS/2 Metafile Format aka Presentation Manager Metafile File Format this format appears to not to have a mime-type Change-Id: I8b2356fb42272a6e0550abf09f46b051d22b64a5 diff --git a/filter/CppunitTest_filter_met_test.mk b/filter/CppunitTest_filter_met_test.mk new file mode 100644 index 0000000..a79528c --- /dev/null +++ b/filter/CppunitTest_filter_met_test.mk 
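Review bot: The new guard in ReadChrStr bounds `nLen` by `pOS2MET->remainingSize()`, but the context line just above it, `nLen = nOrderLen-4;`, can still wrap when a record declares an order length below 4. A wrapped value passes the size check whenever the stream is long enough, and the data that follows would then be consumed as string content. Rejecting the short order before the subtraction closes that, e.g. `if (nOrderLen < 4) throw css::uno::Exception("order too short for string", 0);`. The declaration of `nLen` and the start of the function are outside the hunk (the signature is cut at `sal_uInt1`), so confirm the types first.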
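Review bot: The `catch (const css::uno::Exception&)` block in GraphicImport is empty and handles only UNO exceptions, so the reason a file was rejected is lost. Any other exception would still leave the function, for example `std::bad_alloc` from the `new char[nLen+1]` in ReadChrStr. The test added in this series declares GraphicImport as `extern "C"`, which makes an escaping exception a problem for callers; whether they guard against it is not visible here. I would name the exception and log it, e.g. `SAL_WARN("<log-area>", "OS/2 metafile import failed: " << e.Message);` with the filter's real log area substituted for the placeholder, and consider a trailing `catch (...)` that also leaves `bRet` false. The opening lines of the function are outside the hunk.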
@@ -0,0 +1,43 @@ +# -*- Mode: makefile-gmake; tab-width: 4; indent-tabs-mode: t -*- +# +# This file is part of the LibreOffice project. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# + +$(eval $(call gb_CppunitTest_CppunitTest,filter_met_test)) + +$(eval $(call gb_CppunitTest_use_external,filter_met_test,boost_headers)) + +$(eval $(call gb_CppunitTest_add_exception_objects,filter_met_test, \ + filter/qa/cppunit/filters-met-test \ +)) + +$(eval $(call gb_CppunitTest_use_libraries,filter_met_test, \ + ime \ + sal \ + test \ + tl \ + unotest \ + vcl \ + $(gb_UWINAPI) \ +)) + +$(eval $(call gb_CppunitTest_use_api,filter_met_test,\ + udkapi \ + offapi \ +)) + +$(eval $(call gb_CppunitTest_use_ure,filter_met_test)) +$(eval $(call gb_CppunitTest_use_vcl,filter_met_test)) + +$(eval $(call gb_CppunitTest_use_components,filter_met_test,\ + configmgr/source/configmgr \ + i18npool/util/i18npool \ +)) + +$(eval $(call gb_CppunitTest_use_configuration,filter_met_test)) + +# vim: set noet sw=4 ts=4: diff --git a/filter/Module_filter.mk b/filter/Module_filter.mk index 25698b9..a3bddf4 100644 --- a/filter/Module_filter.mk +++ b/filter/Module_filter.mk @@ -86,6 +86,7 @@ $(eval $(call gb_Module_add_check_targets,filter,\ ifneq ($(DISABLE_CVE_TESTS),TRUE) $(eval $(call gb_Module_add_check_targets,filter,\ CppunitTest_filter_dxf_test \ + CppunitTest_filter_met_test \ CppunitTest_filter_pcx_test \ CppunitTest_filter_pict_test \ CppunitTest_filter_ppm_test \ diff --git a/filter/qa/cppunit/data/met/fail/.gitignore b/filter/qa/cppunit/data/met/fail/.gitignore new file mode 100644 index 0000000..e69de29 diff --git a/filter/qa/cppunit/data/met/indeterminate/.gitignore b/filter/qa/cppunit/data/met/indeterminate/.gitignore new file mode 100644 index 0000000..583b009c --- /dev/null 
+++ b/filter/qa/cppunit/data/met/indeterminate/.gitignore
@@ -0,0 +1 @@
+*.wmf-*
diff --git a/filter/qa/cppunit/data/met/pass/.gitignore b/filter/qa/cppunit/data/met/pass/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/filter/qa/cppunit/data/met/pass/sample.met b/filter/qa/cppunit/data/met/pass/sample.met
new file mode 100644
index 0000000..7635e84
Binary files /dev/null and b/filter/qa/cppunit/data/met/pass/sample.met differ
diff --git a/filter/qa/cppunit/filters-met-test.cxx b/filter/qa/cppunit/filters-met-test.cxx
new file mode 100644
index 0000000..b8fc340
--- /dev/null
+++ b/filter/qa/cppunit/filters-met-test.cxx
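Review bot: The pattern added to `data/met/indeterminate/.gitignore` is `*.wmf-*`, which looks copied from the WMF test data rather than written for this directory. If the intent is to ignore per-sample artefacts next to the MET inputs, the pattern would presumably be `*.met-*`; as written, such files would not be ignored. What the test harness actually writes into this directory is not visible on this page, so confirm before changing it.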
@@ -0,0 +1,71 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#include <unotest/filters-test.hxx>
+#include <test/bootstrapfixture.hxx>
+#include <vcl/FilterConfigItem.hxx>
+#include <tools/stream.hxx>
+#include <vcl/graph.hxx>
+
+#include <osl/file.hxx>
+#include <osl/process.h>
+
+extern "C"
+{
+ SAL_DLLPUBLIC_EXPORT bool SAL_CALL
+ GraphicImport(SvStream & rStream, Graphic & rGraphic,
+ FilterConfigItem*);
+}
+
+using namespace ::com::sun::star;
+
+/* Implementation of Filters test */
+
+class MetFilterTest
+ : public test::FiltersTest
+ , public test::BootstrapFixture
+{
+public:
+ MetFilterTest() : BootstrapFixture(true, false) {}
+
+ virtual bool load(const OUString &,
+ const OUString &rURL, const OUString &,
+ unsigned int, unsigned int, unsigned int) SAL_OVERRIDE;
+
+ /**
+ * Ensure CVEs remain unbroken
+ */
+ void testCVEs();
+
+ CPPUNIT_TEST_SUITE(MetFilterTest);
+ CPPUNIT_TEST(testCVEs);
+ CPPUNIT_TEST_SUITE_END();
+};
+
+bool MetFilterTest::load(const OUString &,
+ const OUString &rURL, const OUString &,
+ unsigned int, unsigned int, unsigned int)
+{
+ SvFileStream aFileStream(rURL, STREAM_READ);
+ Graphic aGraphic;
+ return GraphicImport(aFileStream, aGraphic, NULL);
+}
+
+void MetFilterTest::testCVEs()
+{
+ testDir(OUString(),
+ getURLFromSrc("/filter/qa/cppunit/data/met/"),
+ OUString());
+}
+
+CPPUNIT_TEST_SUITE_REGISTRATION(MetFilterTest);
+
+CPPUNIT_PLUGIN_IMPLEMENT();
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
commit 11a514e06bf38c70f2364c8535782aa3f33d6206 Author: Caolán McNamara <caol...@redhat.com> Date: Fri Oct 17 16:13:32 2014 +0100 coverity#1242573 Untrusted loop bound Change-Id: Ic84e57fbfa2b532409865c4364b91be594d252cf
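Review bot: The only sample this series adds is `pass/sample.met`, and `fail/` holds just an empty `.gitignore`, so nothing here exercises the `remainingSize()` rejection that the coverity#1242582 change adds to ReadChrStr. A truncated or length-inflated `.met` file under `data/met/fail/` would pin that path, assuming `testDir` treats the directories the way their names suggest. Separately, the doc comment `Ensure CVEs remain unbroken` reads backwards; something like `/** Ensure files that once triggered security bugs are still handled safely */` says what the test is for.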
diff --git a/vcl/source/filter/wmf/winwmf.cxx b/vcl/source/filter/wmf/winwmf.cxx index 96d69cf..1b95dd4 100644 --- a/vcl/source/filter/wmf/winwmf.cxx +++ b/vcl/source/filter/wmf/winwmf.cxx @@ -1462,12 +1462,31 @@ bool WMFReader::GetPlaceableBound( Rectangle& rPlaceableBound, SvStream* pStm ) case W_META_POLYGON: { - sal_uInt16 nPoints; + bool bRecordOk = true; + + sal_uInt16 nPoints(0); pStm->ReadUInt16( nPoints ); - for(sal_uInt16 i = 0; i < nPoints; i++ ) + + if (nPoints > pStm->remainingSize() / (2 * sizeof(sal_uInt16))) { - GetWinExtMax( ReadPoint(), aBound, nMapMode ); - bBoundsDetermined = true; + bRecordOk = false; + } + else + { + for(sal_uInt16 i = 0; i < nPoints; i++ ) + { + GetWinExtMax( ReadPoint(), aBound, nMapMode ); + bBoundsDetermined = true; + } + } + + SAL_WARN_IF(!bRecordOk, "vcl.wmf", "polyline record claimed more points than the stream can provide"); + + if (!bRecordOk) + { + pStm->SetError( SVSTREAM_FILEFORMAT_ERROR ); + bRet = false; + break; } } break; @@ -1507,12 +1526,21 @@ bool WMFReader::GetPlaceableBound( Rectangle& rPlaceableBound, SvStream* pStm ) break; } - for (sal_uInt16 i = 0; i < nPoints; i++ ) + if (nPoints > pStm->remainingSize() / (2 * sizeof(sal_uInt16))) { - GetWinExtMax( ReadPoint(), aBound, nMapMode ); - bBoundsDetermined = true; + bRecordOk = false; + } + else + { + for (sal_uInt16 i = 0; i < nPoints; i++ ) + { + GetWinExtMax( ReadPoint(), aBound, nMapMode ); + bBoundsDetermined = true; + } } + SAL_WARN_IF(!bRecordOk, "vcl.wmf", "polypolygon record claimed more points than the stream can provide"); + bRecordOk &= pStm->good(); if (!bRecordOk) 
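Review bot: In the W_META_POLYGON case the result of `pStm->ReadUInt16( nPoints )` is never checked, so a failed read leaves `nPoints` at its new initial value of zero and the record is accepted as valid. The W_META_POLYPOLYGON case in this same diff does `bRecordOk &= pStm->good();` before deciding, and the polygon case and the polyline case (the hunk at -1526) should do the same. The warning in the polygon case also says `polyline record claimed more points…`, which will mislead anyone reading the log; it should say `polygon record`. The divisor `2 * sizeof(sal_uInt16)` assumes ReadPoint() consumes two 16-bit values, which is outside the hunk; a one-line comment saying so, or a small helper shared by the three cases that repeat the expression, would keep them in step.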
@@ -1526,12 +1554,30 @@ bool WMFReader::GetPlaceableBound( Rectangle& rPlaceableBound, SvStream* pStm ) case W_META_POLYLINE: { - sal_uInt16 nPoints; - pStm->ReadUInt16( nPoints ); - for(sal_uInt16 i = 0; i < nPoints; i++ ) + bool bRecordOk = true; + + sal_uInt16 nPoints(0); + pStm->ReadUInt16(nPoints); + if (nPoints > pStm->remainingSize() / (2 * sizeof(sal_uInt16))) { - GetWinExtMax( ReadPoint(), aBound, nMapMode ); - bBoundsDetermined = true; + bRecordOk = false; + } + else + { + for (sal_uInt16 i = 0; i < nPoints; ++i) + { + GetWinExtMax( ReadPoint(), aBound, nMapMode ); + bBoundsDetermined = true; + } + } + + SAL_WARN_IF(!bRecordOk, "vcl.wmf", "polyline record claimed more points than the stream can provide"); + + if (!bRecordOk) + { + pStm->SetError( SVSTREAM_FILEFORMAT_ERROR ); + bRet = false; + break; } } break; commit 5e2d089f763963e6ce7d3d183bd1bf7932aeaaaf Author: Caolán McNamara <caol...@redhat.com> Date: Fri Oct 17 16:04:33 2014 +0100 coverity#1242573 Untrusted loop bound Change-Id: Id2847c55ccab7272919e76542bc0e0570bc9af12 diff --git a/vcl/source/filter/wmf/winwmf.cxx b/vcl/source/filter/wmf/winwmf.cxx index edd5c6f..96d69cf 100644 --- a/vcl/source/filter/wmf/winwmf.cxx +++ b/vcl/source/filter/wmf/winwmf.cxx 
@@ -1475,18 +1475,25 @@ bool WMFReader::GetPlaceableBound( Rectangle& rPlaceableBound, SvStream* pStm ) case W_META_POLYPOLYGON: { bool bRecordOk = true; - sal_uInt16 nPoly, nPoints = 0; - pStm->ReadUInt16( nPoly ); - for(sal_uInt16 i = 0; i < nPoly; i++ ) + sal_uInt16 nPoly(0), nPoints(0); + pStm->ReadUInt16(nPoly); + if (nPoly > pStm->remainingSize() / sizeof(sal_uInt16)) { - sal_uInt16 nP = 0; - pStm->ReadUInt16( nP ); - if (nP > SAL_MAX_UINT16 - nPoints) + bRecordOk = false; + } + else + { + for(sal_uInt16 i = 0; i < nPoly; i++ ) { - bRecordOk = false; - break; + sal_uInt16 nP = 0; + pStm->ReadUInt16( nP ); + if (nP > SAL_MAX_UINT16 - nPoints) + { + bRecordOk = false; + break; + } + nPoints += nP; } - nPoints += nP; } SAL_WARN_IF(!bRecordOk, "vcl.wmf", "polypolygon record has more polygons than we can handle"); commit 5a89092d5fe43638832ea8f86df34f81869337d9 Author: Caolán McNamara <caol...@redhat.com> Date: Fri Oct 17 15:59:56 2014 +0100 coverity#1222238 Untrusted loop bound Change-Id: I1a4dec8727d0a27f7fd0396fd22d955f61daaee4 diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx index f0d1007..cc13d17 100644 --- a/vcl/source/fontsubset/sft.cxx +++ b/vcl/source/fontsubset/sft.cxx 
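Review bot: The existing warning `polypolygon record has more polygons than we can handle` is now also emitted when `nPoly` exceeds `pStm->remainingSize() / sizeof(sal_uInt16)`, so the log no longer distinguishes a record that overstates its size from a point-count overflow. Setting a separate flag for the new branch, or warning there directly with `SAL_WARN("vcl.wmf", "polypolygon record claimed more polygons than the stream can provide");`, keeps the two causes apart. The rest of the case, including where `bRecordOk` is acted on, is outside this hunk.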
@@ -2045,6 +2045,14 @@ static GlyphOffsets *GlyphOffsetsNew(sal_uInt8 *sfntP, sal_uInt32 sfntLen) sal_uInt32 locaLen = 0; sal_Int16 indexToLocFormat = 0; + sal_uInt32 nMaxPossibleTables = sfntLen / (3*sizeof(sal_uInt32)); /*the three GetUInt32 calls*/ + if (numTables > nMaxPossibleTables) + { + SAL_WARN( "vcl.fonts", "GlyphOffsetsNew claimed to have " + << numTables << " tables, but that's impossibly large"); + numTables = nMaxPossibleTables; + } + for (i = 0; i < numTables; i++) { sal_uInt32 nLargestFixedOffsetPos = 12 + 16 * i + 12; sal_uInt32 nMinSize = nLargestFixedOffsetPos + sizeof(sal_uInt32); commit 38a1f24c4c2cb0863ba170d12048e68e56197b38 Author: Caolán McNamara <caol...@redhat.com> Date: Fri Oct 17 15:51:40 2014 +0100 coverity#1209860 try and silence Untrusted loop bound warning we kind of have to trust this data Change-Id: I1b74f8ad95008f5e759fd2267c879091edc5d58e diff --git a/vcl/unx/generic/dtrans/bmp.cxx b/vcl/unx/generic/dtrans/bmp.cxx index 3f47e88..7420b7f 100644 --- a/vcl/unx/generic/dtrans/bmp.cxx +++ b/vcl/unx/generic/dtrans/bmp.cxx @@ -570,6 +570,9 @@ void PixmapHolder::setBitmapDataTC( const sal_uInt8* pData, XImage* pImage ) sal_uInt32 nWidth = readLE32( pData+4 ); sal_uInt32 nHeight = readLE32( pData+8 ); + if (!nWidth || !nHeight) + return; + const sal_uInt8* pBMData = pData + readLE32( pData ); sal_uInt32 nScanlineSize = nWidth*3; // adjust scan lines to begin on %4 boundaries
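Review bot: The cap `sfntLen / (3*sizeof(sal_uInt32))` is looser than the layout the loop itself uses. The context lines read entry `i` at offset `12 + 16 * i + 12`, i.e. 16-byte directory entries after a 12-byte header, so the largest count that can fit is `(sfntLen - 12) / 16`. With the current bound a malformed font can still claim roughly a third more tables than the buffer can hold, and staying in range depends on the per-iteration `nMinSize` test, whose use is outside the hunk. I would compute `sfntLen >= 12 ? (sfntLen - 12) / 16 : 0` and say in the comment where 12 and 16 come from. Clamping and continuing also means a font with an impossible table count is still parsed; an early return may be safer if callers tolerate a null result, which is not visible here.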
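Review bot: Rejecting a zero `nWidth` or `nHeight` does not bound anything: `nScanlineSize = nWidth*3` on the next context line can still wrap for a large `nWidth`, and `pData + readLE32( pData )` takes the pixel offset from the data unchecked. setBitmapDataTC receives no length for `pData`, so the buffer itself cannot be validated here. If the loop below (outside the hunk) writes into `pImage` using these dimensions, they could at least be compared with the target, e.g. `if (nWidth > sal_uInt32(pImage->width) || nHeight > sal_uInt32(pImage->height)) return;`. The commit message says the data has to be trusted; a comment at the early return recording who produces `pData` and why it is trusted would let the next reader judge that.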