[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source

Thu, 16 Jul 2015 02:16:31 -0700 

 filter/qa/cppunit/data/met/pass/hang-2.met      |binary
 filter/source/graphicfilter/ios2met/ios2met.cxx |   33 ++++++++++++++++++------
 2 files changed, 26 insertions(+), 7 deletions(-)

New commits:
commit fdc0b506538560e13127a44a7de817412c13035b
Author: Caolán McNamara <caol...@redhat.com>
Date:   Wed Jul 15 12:59:55 2015 +0100

    tools polygons limited to 16bit indexes
    
    Change-Id: Ib0f727a3681492c15b807ca159d8bf7675ee8f29
    (cherry picked from commit 89857aacac98f0f8e5dca4718affec493951f904)
    
    WaE: C2220
    
    Change-Id: Ibf9fa7ffc3beb237a470952c265fb1bce313a08a
    (cherry picked from commit 8547c336b3253d90daae1c79a2b1a57996a39102)
    Reviewed-on: https://gerrit.libreoffice.org/17091
    Tested-by: Jenkins <c...@libreoffice.org>
    Reviewed-by: Michael Meeks <michael.me...@collabora.com>

diff --git a/filter/qa/cppunit/data/met/pass/hang-2.met 
b/filter/qa/cppunit/data/met/pass/hang-2.met
new file mode 100644
index 0000000..84b432e
Binary files /dev/null and b/filter/qa/cppunit/data/met/pass/hang-2.met differ
diff --git a/filter/source/graphicfilter/ios2met/ios2met.cxx 
b/filter/source/graphicfilter/ios2met/ios2met.cxx
index 0553d1f..2ff00f6 100644
--- a/filter/source/graphicfilter/ios2met/ios2met.cxx
+++ b/filter/source/graphicfilter/ios2met/ios2met.cxx
@@ -1173,18 +1173,37 @@ void OS2METReader::ReadPartialArc(bool bGivenPos, 
sal_uInt16 nOrderSize)
 
 void OS2METReader::ReadPolygons()
 {
-    sal_uInt32 i,j,nNumPolys, nNumPoints;
     tools::PolyPolygon aPolyPoly;
     Polygon aPoly;
     Point aPoint;
-    sal_uInt8 nFlags;
 
-    pOS2MET->ReadUChar( nFlags ).ReadUInt32( nNumPolys );
-    for (i=0; i<nNumPolys; i++) {
-        pOS2MET->ReadUInt32( nNumPoints );
-        if (i==0) nNumPoints++;
+    sal_uInt8 nFlags(0);
+    sal_uInt32 nNumPolys(0);
+    pOS2MET->ReadUChar(nFlags).ReadUInt32(nNumPolys);
+
+    if (nNumPolys > SAL_MAX_UINT16)
+    {
+        pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR);
+        ErrorCode=11;
+        return;
+    }
+
+    for (sal_uInt32 i=0; i<nNumPolys; ++i)
+    {
+        sal_uInt32 nNumPoints(0);
+        pOS2MET->ReadUInt32(nNumPoints);
+        sal_uInt32 nLimit = SAL_MAX_UINT16;
+        if (i==0) --nLimit;
+        if (nNumPoints > nLimit)
+        {
+            pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR);
+            ErrorCode=11;
+            return;
+        }
+        if (i==0) ++nNumPoints;
         aPoly.SetSize((short)nNumPoints);
-        for (j=0; j<nNumPoints; j++) {
+        for (sal_uInt32 j=0; j<nNumPoints; ++j)
+        {
             if (i==0 && j==0) aPoint=aAttr.aCurPos;
             else aPoint=ReadPoint();
             aPoly.SetPoint(aPoint,(short)j);

_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits

Reply via email to