filter/source/msfilter/msdffimp.cxx | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
New commits:
commit b3cd47bd562f98ec5fcff1a9d7609353506b5083
Author: Caolán McNamara <caol...@redhat.com>
Date: Thu Jul 16 14:53:37 2015 +0100
Resolves: tdf#92772 missing shape bg color
regression from dcad3ac445980740b6a39761cdd1f1bd0b3e6e34
coverity#1242624 Untrusted loop bound
Change-Id: Idf52c09828c2bab767e9ff0d07b61befd6bfc64b
The original code read 8 bytes on the nElemSizeVert == 8
branch and always 4 otherwise. I assumed that nElemSizeVert had
to be read as 4 on that branch, but apparently not. So if its
not 4, set it to 4 and we get the same behaviour as originally
and continue to ensure we bounds check the loop
Change-Id: Ica8ab7cc3bbebee93216766a2e1279a579494840
diff --git a/filter/source/msfilter/msdffimp.cxx
b/filter/source/msfilter/msdffimp.cxx
index cd7f928..7f57508 100644
--- a/filter/source/msfilter/msdffimp.cxx
+++ b/filter/source/msfilter/msdffimp.cxx
@@ -2153,12 +2153,10 @@ void
DffPropertyReader::ApplyCustomShapeGeometryAttributes( SvStream& rIn, SfxIt
sal_uInt16 nNumElemMemVert = 0;
rIn.ReadUInt16( nNumElemVert ).ReadUInt16( nNumElemMemVert
).ReadUInt16( nElemSizeVert );
}
- bool bImport = false;
- if (nElemSizeVert == 8 || nElemSizeVert == 4)
- {
- //sanity check that the stream is long enough to fulfill
nNumElem * nElemSize;
- bImport = rIn.remainingSize() / nElemSizeVert >= nNumElemVert;
- }
+ if (nElemSizeVert != 8)
+ nElemSizeVert = 4;
+ //sanity check that the stream is long enough to fulfill nNumElem
* nElemSize;
+ bool bImport = rIn.remainingSize() / nElemSizeVert >= nNumElemVert;
if (bImport)
{
aCoordinates.realloc( nNumElemVert );
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
