filter/qa/cppunit/data/met/fail/hang-2.met |binary filter/source/graphicfilter/ios2met/ios2met.cxx | 25 ++++++++++++++++++------ 2 files changed, 19 insertions(+), 6 deletions(-)
New commits: commit ad6d83defb33c414885ce6d4bfa85571d463f3c3 Author: Caolán McNamara <caol...@redhat.com> Date: Mon Aug 31 11:11:27 2015 +0100 check for legal field sizes before reading Change-Id: I3cdb647e1a057be5bb4b32d119ee5bcbbedf7473
diff --git a/filter/qa/cppunit/data/met/fail/hang-2.met b/filter/qa/cppunit/data/met/fail/hang-2.met
new file mode 100644
index 0000000..e807d58
Binary files /dev/null and b/filter/qa/cppunit/data/met/fail/hang-2.met differ
diff --git a/filter/source/graphicfilter/ios2met/ios2met.cxx b/filter/source/graphicfilter/ios2met/ios2met.cxx
index 5ab71b9..bbf2728 100644
--- a/filter/source/graphicfilter/ios2met/ios2met.cxx
+++ b/filter/source/graphicfilter/ios2met/ios2met.cxx
@@ -2660,21 +2660,34 @@ void OS2METReader::ReadOS2MET( SvStream & rStreamOS2MET, GDIMetaFile & rGDIMetaF
 pOS2MET->ReadUInt16(nFieldType); pOS2MET->SeekRel(3);
- nPos+=8; nFieldSize-=8;
- if (pOS2MET->GetError()) break;
- if (pOS2MET->IsEof()) {
+ if (pOS2MET->GetError())
+ break;
+
+ if (nFieldType==EndDocumnMagic)
+ break;
+
+ if (pOS2MET->IsEof() || nFieldSize < 8)
+ {
 pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR); ErrorCode=8; break; }
- if (nFieldType==EndDocumnMagic) break;
+ nPos+=8; nFieldSize-=8;
+
+ if (nFieldSize > pOS2MET->remainingSize())
+ {
+ pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR);
+ ErrorCode=8;
+ break;
+ }
 ReadField(nFieldType, nFieldSize);
+ nPos += nFieldSize;
- nPos+=(sal_uLong)nFieldSize;
- if (pOS2MET->Tell()>nPos) {
+ if (pOS2MET->Tell() > nPos)
+ {
 pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR); ErrorCode=9; break;
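Review bot: The new `nFieldSize < 8` test has no comment saying that 8 is presumably the length of the field header already consumed, and it reports the same `ErrorCode=8` as the EOF case and the new `remainingSize()` check, so the three rejections cannot be told apart afterwards. I would add `// field size counts the 8-byte header; a smaller value would take the subtraction below out of range` above the test, and give the `nFieldSize > pOS2MET->remainingSize()` branch its own error code if anything downstream inspects it. The declaration of nFieldSize is outside the hunk: if it is a signed type, the comparison with `remainingSize()` mixes signed and unsigned and deserves an explicit cast, now that `(sal_uLong)` has been dropped from `nPos += nFieldSize`. The loop body in ReadOS2MET starts and ends outside the hunk.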