src/lib/CDRParser.cpp | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-)
New commits: commit b6da4cf3b1146170e72c536849d7288376fbd410 Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 19:46:50 2015 +0100 coverity#1219668 untrusted loop bound Change-Id: If827834918cd2bd54ead2947b0e0cc68a8299983
diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp
index 4f32b3d..aa0baa8 100644
--- a/src/lib/CDRParser.cpp
+++ b/src/lib/CDRParser.cpp
@@ -2734,7 +2734,7 @@ void libcdr::CDRParser::readStlt(librevenge::RVNGInputStream *input, unsigned le
 input->seek(12 * static_cast<long>(numSet11s), librevenge::RVNG_SEEK_CUR);
 }
 std::map<unsigned, CDRStltRecord> styles;
- for (i=0; i<numRecords; ++i)
+ for (i=0; i<numRecords && getRemainingLength(input) >= 32; ++i)
 {
 CDR_DEBUG_MSG(("CDRParser::readStlt parsing styles\n"));
 unsigned num = readU32(input);
commit d3c79d44d07776eac7c2ae93448806e7533d4029 Author: David Tardon <dtar...@redhat.com> Date: Fri Dec 25 19:44:59 2015 +0100 coverity#1219668 untrusted loop bound Change-Id: I75eb0259dfe86998d9447987540cabc53ca79cd1
diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp
index 2351925..4f32b3d 100644
--- a/src/lib/CDRParser.cpp
+++ b/src/lib/CDRParser.cpp
@@ -2608,6 +2608,9 @@ void libcdr::CDRParser::readStlt(librevenge::RVNGInputStream *input, unsigned le
 if (!numRecords)
 return;
 unsigned numFills = readU32(input);
+ const unsigned fillSize = 3 * 4 + (m_version >= 1300 ? 48 : 0);
+ if (numFills > getRemainingLength(input) / fillSize)
+ numFills = getRemainingLength(input) / fillSize;
 CDR_DEBUG_MSG(("CDRParser::readStlt numFills 0x%x\n", numFills));
 unsigned i = 0;
 std::map<unsigned, unsigned> fillIds;
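Review bot: The literal `32` in the new condition `getRemainingLength(input) >= 32` of the style-record loop (first commit, `@@ -2734`) is not tied to anything a reader can check, and when the loop stops early for lack of data nothing records that the style table was cut short. A named constant with a comment stating that 32 is the smallest record the body can consume would let the next maintainer verify the bound against the reads; the loop body lies outside the hunk, so I cannot confirm the figure from here. A trace after the loop, e.g. `if (i < numRecords) CDR_DEBUG_MSG(("CDRParser::readStlt: style records truncated at %u of %u\n", i, numRecords));`, would make malformed files visible during triage.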
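Review bot: The clamp on `numFills` (second commit, `@@ -2608`) runs before `CDR_DEBUG_MSG`, so the log shows the adjusted count and the value actually read from the file is lost; for a parser of untrusted documents that is the number worth seeing when a file is misparsed. Logging before the clamp, or adding a message inside the `if`, keeps it. The same three-line pattern, with `getRemainingLength(input)` evaluated twice, is repeated for `numOutls`, `numFonts` and `numAligns` in the following hunks; a small private helper taking the count and the per-record size would keep the four bounds from drifting apart. `readStlt` starts and ends outside these hunks.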
@@ -2620,6 +2623,8 @@ void libcdr::CDRParser::readStlt(librevenge::RVNGInputStream *input, unsigned le
 input->seek(48, librevenge::RVNG_SEEK_CUR);
 }
 unsigned numOutls = readU32(input);
+ if (numOutls > getRemainingLength(input) / 12)
+ numOutls = getRemainingLength(input) / 12;
 CDR_DEBUG_MSG(("CDRParser::readStlt numOutls 0x%x\n", numOutls));
 std::map<unsigned, unsigned> outlIds;
 for (i=0; i<numOutls; ++i)
@@ -2629,6 +2634,9 @@ void libcdr::CDRParser::readStlt(librevenge::RVNGInputStream *input, unsigned le
 outlIds[outlId] = readU32(input);
 }
 unsigned numFonts = readU32(input);
+ const unsigned fontsSize = 4 + 2 * 2 + 8 + (m_precision == PRECISION_16BIT ? 2 : 4) + 2 * (m_version < 1000 ? 12 : 20);
+ if (numFonts > getRemainingLength(input) / fontsSize)
+ numFonts = getRemainingLength(input) / fontsSize;
 CDR_DEBUG_MSG(("CDRParser::readStlt numFonts 0x%x\n", numFonts));
 std::map<unsigned,unsigned short> fontIds, fontEncodings;
 std::map<unsigned,double> fontSizes;
@@ -2649,6 +2657,8 @@ void libcdr::CDRParser::readStlt(librevenge::RVNGInputStream *input, unsigned le
 input->seek(20, librevenge::RVNG_SEEK_CUR);
 }
 unsigned numAligns = readU32(input);
+ if (numAligns > getRemainingLength(input) / 12)
+ numAligns = getRemainingLength(input) / 12;
 std::map<unsigned,unsigned> aligns;
 CDR_DEBUG_MSG(("CDRParser::readStlt numAligns 0x%x\n", numAligns));
 for (i=0; i<numAligns; ++i)
_______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
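Review bot: `fontsSize` in the `numFonts` hunk (`@@ -2629`) encodes the font record layout as an unlabelled sum, so a later change to the reads in the font loop can leave the bound stale without any compiler or reviewer signal. A comment above it should name the field behind each term and state which terms vary with `m_precision` and `m_version`, for example `// bytes per font record; keep in sync with the reads and seeks in the loop below`. The loop body is outside the hunk, so the term-to-field mapping has to be confirmed against it. The `fillSize` expression in the earlier commit section and the literal `12` used for `numOutls` and `numAligns` would benefit from the same treatment.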