src/lib/CDRParser.cpp | 54 ++++++++++++++++++++++++++++++++++++++++++++++++-- src/lib/CMXParser.cpp | 6 +++++ 2 files changed, 58 insertions(+), 2 deletions(-)
New commits: commit 16bad14a0bdd8a7370ff73e8d191fa7ac53b5430 Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 09:24:49 2015 +0100 coverity#1219668 untrusted loop bound Change-Id: I820f0795bdf185aafcefdad9c4dbd7e5087fb249 diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp index 8186e59..7f600f6 100644 --- a/src/lib/CDRParser.cpp +++ b/src/lib/CDRParser.cpp @@ -2691,6 +2691,9 @@ void libcdr::CDRParser::readStlt(librevenge::RVNGInputStream *input, unsigned le } } unsigned numIndents = readU32(input); + const unsigned indentSize = 4 + 3 * (m_precision == PRECISION_16BIT ? 2 : 4); + if (numIndents > getRemainingLength(input) / indentSize) + numIndents = getRemainingLength(input) / indentSize; std::map<unsigned, double> rightIndents, firstIndents, leftIndents; CDR_DEBUG_MSG(("CDRParser::readStlt numIndents 0x%x\n", numIndents)); for (i=0; i<numIndents; ++i) commit 8d465b41201c97df55916f577e34b3f51e48eae0 Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 09:21:56 2015 +0100 avoid reallocations Change-Id: I5f5c5c5f07cee25e7ae4217e69d91e21345c80d3 diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp index 11fd527..8186e59 100644 --- a/src/lib/CDRParser.cpp +++ b/src/lib/CDRParser.cpp @@ -1516,6 +1516,8 @@ void libcdr::CDRParser::readBitmap(librevenge::RVNGInputStream *input) pointNum = getRemainingLength(input) / pointSize; std::vector<std::pair<double, double> > points; std::vector<unsigned char> pointTypes; + points.reserve(pointNum); + pointTypes.reserve(pointNum); for (unsigned j=0; j<pointNum; j++) { std::pair<double, double> point; commit ba194ca9b857e2b126bb9d4779dfeb634ff49c63 Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 09:21:42 2015 +0100 coverity#1219667 untrusted loop bound Change-Id: I869570d2591801e244a16cda41583c0b11f4f1ec diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp index dd66cb2..11fd527 100644 --- a/src/lib/CDRParser.cpp +++ b/src/lib/CDRParser.cpp 
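Review bot: In the readStlt hunk (16bad14a) the new clamp on `numIndents` shortens a count that disagrees with the stream length without recording that it did so, and it calls `getRemainingLength(input)` twice for the same value. Computing the bound once, `const unsigned long maxIndents = getRemainingLength(input) / indentSize;`, and emitting a `CDR_DEBUG_MSG` when `numIndents > maxIndents` would leave a trace when a malformed or crafted file is being triaged. The same compare-then-reassign pattern recurs in the readBitmap, readLineAndCurve, readBmp, readPpdt, readOutl, readTxsm6 and readTxsm5 hunks of this series. The body of readStlt starts and ends outside the hunk.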
@@ -1511,6 +1511,9 @@ void libcdr::CDRParser::readBitmap(librevenge::RVNGInputStream *input) unsigned short pointNum = readU16(input); input->seek(2, librevenge::RVNG_SEEK_CUR); + const unsigned short pointSize = 2 * (m_precision == PRECISION_16BIT ? 2 : 4) + 1; + if (pointNum > getRemainingLength(input) / pointSize) + pointNum = getRemainingLength(input) / pointSize; std::vector<std::pair<double, double> > points; std::vector<unsigned char> pointTypes; for (unsigned j=0; j<pointNum; j++) commit 506d632fc882b0df456099bf7bf5f9c3df7cd5fb Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 09:20:08 2015 +0100 avoid reallocations Change-Id: Icd13d0b6d80e93627fc11a6f500a7282961d9aa1 diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp index a55d662..dd66cb2 100644 --- a/src/lib/CDRParser.cpp +++ b/src/lib/CDRParser.cpp @@ -1385,6 +1385,8 @@ void libcdr::CDRParser::readLineAndCurve(librevenge::RVNGInputStream *input) pointNum = getRemainingLength(input) / pointSize; std::vector<std::pair<double, double> > points; std::vector<unsigned char> pointTypes; + points.reserve(pointNum); + pointTypes.reserve(pointNum); for (unsigned j=0; j<pointNum; j++) { std::pair<double, double> point; commit a68dd3b0ded47e84d1d1b5bda45b3a76d565bc62 Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 09:19:55 2015 +0100 coverity#1219666 untrusted loop bound Change-Id: Ic059fe02f4ca3443317e9aa445071bbaf5c6065c diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp index e1d98d1..a55d662 100644 --- a/src/lib/CDRParser.cpp +++ b/src/lib/CDRParser.cpp 
@@ -1379,7 +1379,10 @@ void libcdr::CDRParser::readLineAndCurve(librevenge::RVNGInputStream *input) CDR_DEBUG_MSG(("CDRParser::readLineAndCurve\n")); unsigned short pointNum = readU16(input); + const unsigned short pointSize = 2 * (m_precision == PRECISION_16BIT ? 2 : 4) + 1; input->seek(2, librevenge::RVNG_SEEK_CUR); + if (pointNum > getRemainingLength(input) / pointSize) + pointNum = getRemainingLength(input) / pointSize; std::vector<std::pair<double, double> > points; std::vector<unsigned char> pointTypes; for (unsigned j=0; j<pointNum; j++) commit a6db148517331a0a0792b57dfcb2f2722b303423 Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 09:16:38 2015 +0100 avoid reallocations Change-Id: I4becdb665e7cad78e08f51ad1cd8fd332ab46032 diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp index 6bdd0cb..e1d98d1 100644 --- a/src/lib/CDRParser.cpp +++ b/src/lib/CDRParser.cpp @@ -2316,6 +2316,7 @@ void libcdr::CDRParser::readBmp(librevenge::RVNGInputStream *input, unsigned len unsigned short palettesize = readU16(input); if (palettesize > getRemainingLength(input) / 3) palettesize = getRemainingLength(input) / 3; + palette.reserve(palettesize); for (unsigned short i = 0; i <palettesize; ++i) { unsigned b = readU8(input); commit 5609b383d5555dcff937d96817cd2de5307f54aa Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 09:16:03 2015 +0100 coverity#1219665 untrusted loop bound Change-Id: I3ec8ed97fc2178eaae72b00758a8b08f8703fcb8 diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp index 083b42f..6bdd0cb 100644 --- a/src/lib/CDRParser.cpp +++ b/src/lib/CDRParser.cpp 
@@ -2314,6 +2314,8 @@ void libcdr::CDRParser::readBmp(librevenge::RVNGInputStream *input, unsigned len { input->seek(2, librevenge::RVNG_SEEK_CUR); unsigned short palettesize = readU16(input); + if (palettesize > getRemainingLength(input) / 3) + palettesize = getRemainingLength(input) / 3; for (unsigned short i = 0; i <palettesize; ++i) { unsigned b = readU8(input); commit c3a503fc3b5495cd1886e153cccefd3be54dc5df Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 09:13:42 2015 +0100 avoid reallocations Change-Id: Iab341d0c495a3def2b4a3800315675c4dc822d17 diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp index c4ab30a..083b42f 100644 --- a/src/lib/CDRParser.cpp +++ b/src/lib/CDRParser.cpp @@ -1441,10 +1441,12 @@ void libcdr::CDRParser::readArrw(librevenge::RVNGInputStream *input, unsigned le pointNum = (maxLength - 5) / pointSize; input->seek(4, librevenge::RVNG_SEEK_CUR); std::vector<unsigned char> pointTypes; + pointTypes.reserve(pointSize); for (unsigned k=0; k<pointNum; k++) pointTypes.push_back(readU8(input)); input->seek(1, librevenge::RVNG_SEEK_CUR); std::vector<std::pair<double, double> > points; + points.reserve(pointSize); for (unsigned j=0; j<pointNum; j++) { std::pair<double, double> point; commit cf936b4e64c031ce28fb5916b836f06ce98bfa9e Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 09:12:51 2015 +0100 coverity#1219664 untrusted loop bound Change-Id: Icfa2357a80b2cd5e813c8192741e3b01dd70c313 diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp index e35d122..c4ab30a 100644 --- a/src/lib/CDRParser.cpp +++ b/src/lib/CDRParser.cpp 
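Review bot: In the readArrw "avoid reallocations" hunk (c3a503fc) both `reserve` calls are sized with `pointSize`, the per-point byte width, instead of `pointNum`, the element count that the two loops actually push. With `pointSize` defined as `2 * (m_precision == PRECISION_16BIT ? 2 : 4) + 1` in the neighbouring commit, the reserved capacity is 5 or 9 elements whatever the record says, so the vectors still regrow for larger arrows. Nothing is read or written out of bounds, but the commit does not achieve its stated purpose. The lines should read `pointTypes.reserve(pointNum);` and `points.reserve(pointNum);`.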
@@ -1433,6 +1433,12 @@ void libcdr::CDRParser::readArrw(librevenge::RVNGInputStream *input, unsigned le unsigned arrowId = readU32(input); input->seek(4, librevenge::RVNG_SEEK_CUR); unsigned short pointNum = readU16(input); + const unsigned short pointSize = 2 * (m_precision == PRECISION_16BIT ? 2 : 4) + 1; + const unsigned long maxLength = getRemainingLength(input); + if (maxLength < 5) + pointNum = 0; + else if (pointNum > (maxLength - 5) / pointSize) + pointNum = (maxLength - 5) / pointSize; input->seek(4, librevenge::RVNG_SEEK_CUR); std::vector<unsigned char> pointTypes; for (unsigned k=0; k<pointNum; k++) commit edd055130ffeba0be89ac7a091c5b424b94423e8 Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 09:07:50 2015 +0100 avoid reallocations Change-Id: I130648296cafee9f8329dd15159978fe1dc5a352 diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp index 47531ea..e35d122 100644 --- a/src/lib/CDRParser.cpp +++ b/src/lib/CDRParser.cpp @@ -2204,6 +2204,8 @@ void libcdr::CDRParser::readPolygonCoords(librevenge::RVNGInputStream *input) input->seek(2, librevenge::RVNG_SEEK_CUR); std::vector<std::pair<double, double> > points; std::vector<unsigned char> pointTypes; + points.reserve(pointNum); + pointTypes.reserve(pointNum); for (unsigned j=0; j<pointNum; j++) { std::pair<double, double> point; commit d392829184cc722d96fada1ef13917d80d4eb4d6 Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 09:06:31 2015 +0100 avoid reallocations Change-Id: I910463483ff22b4e0b09f6a6489da4883f30f4fb diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp index 5269b58..47531ea 100644 --- a/src/lib/CDRParser.cpp +++ b/src/lib/CDRParser.cpp 
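Review bot: The literal `5` in the readArrw bound (cf936b4e) is not explained where it is used; from the surrounding lines it appears to be the 4 bytes skipped before the point-type array plus the 1 byte skipped after it. A one-line comment such as `// 4 bytes skipped before the type array + 1 byte skipped after it` above `if (maxLength < 5)` would keep the bound and the two `seek` calls from drifting apart. The `16` in the readPath hunk, which matches its `input->seek(16, ...)`, would benefit from the same treatment.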
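Review bot: The readPolygonCoords hunk (edd05513) passes `pointNum` to `reserve` with no bound on it visible here, and unlike the other readers in this series no accompanying "untrusted loop bound" commit for this function appears on the page. If `pointNum` comes straight from the file, `reserve` turns a file-controlled count into an up-front allocation before a single point has been read successfully. It is worth confirming that the count is already clamped above the hunk, for example with the same `getRemainingLength(input) / pointSize` check used in readLineAndCurve, before reserving. The declaration of `pointNum` lies outside the hunk, so its type and origin are inferred.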
@@ -2395,6 +2395,8 @@ void libcdr::CDRParser::readPpdt(librevenge::RVNGInputStream *input, unsigned le input->seek(4, librevenge::RVNG_SEEK_CUR); std::vector<std::pair<double, double> > points; std::vector<unsigned> knotVector; + points.reserve(pointNum); + knotVector.reserve(pointNum); for (unsigned j=0; j<pointNum; j++) { std::pair<double, double> point; commit 7647a34501633a9b45ab6c05ba9976d5cea49982 Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 09:05:24 2015 +0100 coverity#1219661 untrusted loop bound Change-Id: Id67d1781602534450b2688cce78c49e5b2d05958 diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp index d49ea7f..5269b58 100644 --- a/src/lib/CDRParser.cpp +++ b/src/lib/CDRParser.cpp @@ -2389,6 +2389,9 @@ void libcdr::CDRParser::readPpdt(librevenge::RVNGInputStream *input, unsigned le if (!_redirectX6Chunk(&input, length)) throw GenericException(); unsigned short pointNum = readU16(input); + const unsigned short pointSize = 2 * (m_precision == PRECISION_16BIT ? 2 : 4) + 4; + if (pointNum > getRemainingLength(input) / pointSize) + pointNum = getRemainingLength(input) / pointSize; input->seek(4, librevenge::RVNG_SEEK_CUR); std::vector<std::pair<double, double> > points; std::vector<unsigned> knotVector; commit 108fa56a9c270319e51654a35e66ce6127be99e7 Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 09:02:26 2015 +0100 avoid reallocations Change-Id: If01040b0aedd5ec7af4fb9c1de2b8f0417011dfd diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp index e057148..d49ea7f 100644 --- a/src/lib/CDRParser.cpp +++ b/src/lib/CDRParser.cpp 
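Review bot: In the readPpdt clamp (7647a345) the bound is taken from `getRemainingLength(input)` before `input->seek(4, librevenge::RVNG_SEEK_CUR)`, so the four skipped bytes are counted as point data and the clamped `pointNum` can still exceed what is left by one element. readArrw and readPath in this series subtract their skipped bytes first, and readLineAndCurve performs the check after its `seek`; moving the two added lines `if (pointNum > getRemainingLength(input) / pointSize)` / `pointNum = getRemainingLength(input) / pointSize;` below the `seek` would make this reader consistent with them. How a read past the end of the stream is handled is not visible in the hunk, so the practical effect may be limited to an exception on the last point.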
@@ -2038,6 +2038,7 @@ void libcdr::CDRParser::readOutl(librevenge::RVNGInputStream *input, unsigned le numDash = getRemainingLength(input) / 2; int fixPosition = input->tell(); std::vector<unsigned> dashArray; + dashArray.reserve(numDash); for (unsigned short i = 0; i < numDash; ++i) dashArray.push_back(readU16(input)); if (m_version < 600) commit e73a6e2045e5aa2e900eefadb3632e8011c948e9 Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 09:01:56 2015 +0100 coverity#1219660 untrusted loop bound Change-Id: Icdaf38a7880be84943eb6190cf05ec460e787dd6 diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp index 01d946f..e057148 100644 --- a/src/lib/CDRParser.cpp +++ b/src/lib/CDRParser.cpp @@ -2034,6 +2034,8 @@ void libcdr::CDRParser::readOutl(librevenge::RVNGInputStream *input, unsigned le else input->seek(16, librevenge::RVNG_SEEK_CUR); unsigned short numDash = readU16(input); + if (numDash > getRemainingLength(input) / 2) + numDash = getRemainingLength(input) / 2; int fixPosition = input->tell(); std::vector<unsigned> dashArray; for (unsigned short i = 0; i < numDash; ++i) commit 9e9f038acfc13c0a636cdf1083255b9f78e2f7ae Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 09:00:28 2015 +0100 avoid reallocations Change-Id: I7d944c7378a826a9ae237ff63a54c5f1c16b9c97 diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp index 78e2f89..01d946f 100644 --- a/src/lib/CDRParser.cpp +++ b/src/lib/CDRParser.cpp 
@@ -1409,6 +1409,8 @@ void libcdr::CDRParser::readPath(librevenge::RVNGInputStream *input) input->seek(16, librevenge::RVNG_SEEK_CUR); std::vector<std::pair<double, double> > points; std::vector<unsigned char> pointTypes; + points.reserve(pointNum); + pointTypes.reserve(pointNum); for (unsigned j=0; j<pointNum; j++) { std::pair<double, double> point; commit 04282ed1fca09b7530158fc7c319d6f1a9421a15 Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 08:58:24 2015 +0100 coverity#1219659 untrusted loop bound Change-Id: I560231a5ab6b39c2a0e3cddf1f1eec9cce60207d diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp index c357f79..78e2f89 100644 --- a/src/lib/CDRParser.cpp +++ b/src/lib/CDRParser.cpp @@ -1400,6 +1400,12 @@ void libcdr::CDRParser::readPath(librevenge::RVNGInputStream *input) input->seek(4, librevenge::RVNG_SEEK_CUR); unsigned short pointNum = readU16(input)+readU16(input); + const unsigned short pointSize = 2 * (m_precision == PRECISION_16BIT ? 2 : 4) + 1; + const unsigned long maxLength = getRemainingLength(input); + if (maxLength < 16) + pointNum = 0; + else if (pointNum > (maxLength - 16) / pointSize) + pointNum = (maxLength - 16) / pointSize; input->seek(16, librevenge::RVNG_SEEK_CUR); std::vector<std::pair<double, double> > points; std::vector<unsigned char> pointTypes; commit d0ddef4c3a109f5dec9bf8cb6518ec423a4e393b Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 08:53:07 2015 +0100 coverity#1219658 untrusted loop bound Change-Id: I9f1513dfd19ffe20eb1755d0b33831448654f080 diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp index 302ceb5..c357f79 100644 --- a/src/lib/CDRParser.cpp +++ b/src/lib/CDRParser.cpp 
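Review bot: The readPath clamp (04282ed1) is applied to `pointNum` after `readU16(input)+readU16(input)` has already been stored in an `unsigned short`, so a sum above 65535 wraps before the new check sees it. The wrapped value is still bounded by the clamp, which makes this a parsing-accuracy issue rather than a memory-safety one, but the two counts in the file and the number of points read can silently disagree. Declaring the count as `unsigned pointNum = readU16(input); pointNum += readU16(input);` would keep the full sum (the loop index in this function is already `unsigned`), provided nothing below the hunk depends on the 16-bit type.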
@@ -2881,7 +2881,7 @@ void libcdr::CDRParser::readTxsm(librevenge::RVNGInputStream *input, unsigned le unsigned numRecords = readU32(input); std::map<unsigned, CDRCharacterStyle> charStyles; unsigned i = 0; - for (i=0; i<numRecords; ++i) + for (i=0; i<numRecords && getRemainingLength(input) >= 3; ++i) { unsigned char fl0 = readU8(input); readU8(input); commit 8df03619d14f702299e05a34a8fd580e34e3481f Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 08:49:38 2015 +0100 avoid reallocations Change-Id: Ibf3a9908df5acd1afe0ebc1d9491d59e6dd40e43 diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp index 7c01704..302ceb5 100644 --- a/src/lib/CDRParser.cpp +++ b/src/lib/CDRParser.cpp @@ -3155,6 +3155,8 @@ void libcdr::CDRParser::readTxsm6(librevenge::RVNGInputStream *input) numChars = getRemainingLength(input) / 12; std::vector<unsigned char> textData; std::vector<unsigned char> charDescriptions; + textData.reserve(numChars); + charDescriptions.reserve(numChars); for (i=0; i<numChars; ++i) { input->seek(4, librevenge::RVNG_SEEK_CUR); commit 46b4248bbd9b73404d1df6ccda9e730cccc7bab8 Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 08:49:19 2015 +0100 coverity#1219657 untrusted loop bound Change-Id: Ie645106ddd3da591942de6bbebc6062618107df5 diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp index 298b411..7c01704 100644 --- a/src/lib/CDRParser.cpp +++ b/src/lib/CDRParser.cpp @@ -3151,6 +3151,8 @@ void libcdr::CDRParser::readTxsm6(librevenge::RVNGInputStream *input) charStyles[2*i] = charStyle; } unsigned numChars = readU32(input); + if (numChars > getRemainingLength(input) / 12) + numChars = getRemainingLength(input) / 12; std::vector<unsigned char> textData; std::vector<unsigned char> charDescriptions; for (i=0; i<numChars; ++i) commit 6f6922a41a36afe14b1328262cad61e8bb6b4ceb Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 08:47:14 2015 +0100 avoid reallocations Change-Id: I6162bb9a82840e50875b374abbc9a8be47241974 
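Review bot: The `getRemainingLength(input) >= 3` guard added to the readTxsm record loop (d0ddef4c) uses a bare literal whose relation to the record layout is not stated, and only the first reads of the loop body are visible in the hunk. If a record can be longer than three bytes depending on `fl0`, the guard bounds the iteration count but not the reads inside one iteration; a comment such as `// each record is at least 3 bytes` would state what the number promises. When the loop stops early the function carries on with fewer records than `numRecords` declared and nothing records that, so a `CDR_DEBUG_MSG` after the loop when `i < numRecords` would make truncated input visible. The same applies to the `>= 17` guard in the readTxsm16 hunk.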
diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp index e9d42b8..298b411 100644 --- a/src/lib/CDRParser.cpp +++ b/src/lib/CDRParser.cpp @@ -3226,6 +3226,8 @@ void libcdr::CDRParser::readTxsm5(librevenge::RVNGInputStream *input) numChars = getRemainingLength(input) / 8; std::vector<unsigned char> textData; std::vector<unsigned char> charDescriptions; + textData.reserve(numChars); + charDescriptions.reserve(numChars); for (i=0; i<numChars; ++i) { input->seek(4, librevenge::RVNG_SEEK_CUR); commit fb92384a2378c8296950347a9e4d471524dc0bd7 Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 08:46:51 2015 +0100 coverity#1219656 untrusted loop bound Change-Id: I951f4f238ad8c6c725616f31a6fc07a86e712584 diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp index e835fbf..e9d42b8 100644 --- a/src/lib/CDRParser.cpp +++ b/src/lib/CDRParser.cpp @@ -3222,6 +3222,8 @@ void libcdr::CDRParser::readTxsm5(librevenge::RVNGInputStream *input) charStyles[2*i] = charStyle; } unsigned numChars = readU16(input); + if (numChars > getRemainingLength(input) / 8) + numChars = getRemainingLength(input) / 8; std::vector<unsigned char> textData; std::vector<unsigned char> charDescriptions; for (i=0; i<numChars; ++i) commit c5103abeccf54dd5d6359650344fca312c95ebca Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 08:43:44 2015 +0100 coverity#1219655 untrusted loop bound Change-Id: I67b1596a2fada66cee39fc042e44feea81b7e5c7 diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp index d90a7c5..e835fbf 100644 --- a/src/lib/CDRParser.cpp +++ b/src/lib/CDRParser.cpp 
@@ -3049,7 +3049,7 @@ void libcdr::CDRParser::readTxsm16(librevenge::RVNGInputStream *input) unsigned i = 0; std::map<unsigned, CDRCharacterStyle> charStyles; - for (i=0; i<numRecords; ++i) + for (i=0; i<numRecords && getRemainingLength(input) >= 17; ++i) { charStyles[i*2] = defaultStyle; input->seek(4, librevenge::RVNG_SEEK_CUR); commit f2580487380dd73a90f8d0f95a810e0f8d6ea0ad Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 08:36:07 2015 +0100 coverity#1219653 untrusted value as arg Change-Id: Ifd2ae6290a719a0d3577d0b6ef2014a781a957fb diff --git a/src/lib/CMXParser.cpp b/src/lib/CMXParser.cpp index 1a747df..8c6eb6c 100644 --- a/src/lib/CMXParser.cpp +++ b/src/lib/CMXParser.cpp @@ -75,6 +75,9 @@ bool libcdr::CMXParser::parseRecord(librevenge::RVNGInputStream *input, unsigned return true; unsigned fourCC = readU32(input); unsigned length = readU32(input); + const unsigned long maxLength = getRemainingLength(input); + if (length > maxLength) + length = maxLength; long endPosition = input->tell() + length; CDR_DEBUG_MSG(("Record: level %u %s, length: 0x%.8x (%u)\n", level, toFourCC(fourCC), length, length)); commit 1412a339e0d77bc13eb09ee5b92fefd34f5ba944 Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 07:50:31 2015 +0100 coverity#1219652 untrusted loop bound Change-Id: Ic76fe5b502c9c2ca12e2d0905c3d680a591c2052 diff --git a/src/lib/CMXParser.cpp b/src/lib/CMXParser.cpp index 2165670..1a747df 100644 --- a/src/lib/CMXParser.cpp +++ b/src/lib/CMXParser.cpp 
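Review bot: In CMXParser::parseRecord (f2580487) the clamp runs before the existing `CDR_DEBUG_MSG(("Record: level %u %s, length: ..."))` line, so the debug output now shows the corrected length and the value the file actually declared is lost. Logging the mismatch before overwriting it, e.g. `if (length > maxLength) { CDR_DEBUG_MSG(("CMXParser::parseRecord: declared length %u exceeds stream, clamping\n", length)); length = maxLength; }`, keeps that evidence for anyone analysing a malformed or hostile file. The rest of parseRecord lies outside the hunk, so whether a truncated record should instead be rejected cannot be judged from here.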
@@ -378,6 +378,9 @@ void libcdr::CMXParser::readPolyCurve(librevenge::RVNGInputStream *input) { readRenderingAttributes(input); pointNum = readU16(input); + const unsigned long maxPoints = getRemainingLength(input) / (2 * 2 + 1); + if (pointNum > maxPoints) + pointNum = maxPoints; for (unsigned i = 0; i < pointNum; ++i) { std::pair<double, double> point; _______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
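Review bot: The per-point size in CMXParser::readPolyCurve (1412a339) is written as the literal `(2 * 2 + 1)`, whereas every CDRParser hunk in this series derives the coordinate width from `m_precision`. If this branch is only reached for 16-bit coordinates the value is right, but that condition lies outside the hunk. A comment such as `// presumably two 2-byte coordinates + one type byte per point` or a named constant would make the assumption checkable against the reads in the loop body.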