[Libreoffice-commits] core.git: filter/source

Tue, 17 Jan 2017 13:21:29 -0800 

 filter/source/graphicfilter/idxf/dxfentrd.cxx |    5 ++++-
 filter/source/graphicfilter/idxf/dxfgrprd.cxx |    4 ++++
 filter/source/graphicfilter/idxf/dxfgrprd.hxx |    1 +
 3 files changed, 9 insertions(+), 1 deletion(-)

New commits:
commit 5434d51d12611eb2726ce1394eb01921d008fa89
Author: Caolán McNamara <caol...@redhat.com>
Date:   Tue Jan 17 21:19:13 2017 +0000

    ofz#414 crash in DXFHatchEntity::EvaluateGroup
    
    Change-Id: I15c8cb7aeb8c45f32357afd0ea2f550ffe11dbf7

diff --git a/filter/source/graphicfilter/idxf/dxfentrd.cxx 
b/filter/source/graphicfilter/idxf/dxfentrd.cxx
index 2c03206..f9a5d97 100644
--- a/filter/source/graphicfilter/idxf/dxfentrd.cxx
+++ b/filter/source/graphicfilter/idxf/dxfentrd.cxx
@@ -659,8 +659,11 @@ void DXFHatchEntity::EvaluateGroup( DXFGroupReader & rDGR )
         {
             bIsInBoundaryPathContext = true;
             nBoundaryPathCount = rDGR.GetI();
-            if ( nBoundaryPathCount )
+            // limit alloc to max reasonable size based on remaining data in 
stream
+            if (nBoundaryPathCount > 0 && 
static_cast<sal_uInt32>(nBoundaryPathCount) <= rDGR.remainingSize())
                 pBoundaryPathData.reset( new DXFBoundaryPathData[ 
nBoundaryPathCount ] );
+            else
+                nBoundaryPathCount = 0;
         }
         break;
         case 75 :
diff --git a/filter/source/graphicfilter/idxf/dxfgrprd.cxx 
b/filter/source/graphicfilter/idxf/dxfgrprd.cxx
index caa2c42..a6c02a4 100644
--- a/filter/source/graphicfilter/idxf/dxfgrprd.cxx
+++ b/filter/source/graphicfilter/idxf/dxfgrprd.cxx
@@ -217,5 +217,9 @@ void DXFGroupReader::ReadS()
     S = DXFReadLine(rIS);
 }
 
+sal_uInt64 DXFGroupReader::remainingSize() const
+{
+    return rIS.remainingSize();
+}
 
 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/filter/source/graphicfilter/idxf/dxfgrprd.hxx 
b/filter/source/graphicfilter/idxf/dxfgrprd.hxx
index c936b33..09bbcd3 100644
--- a/filter/source/graphicfilter/idxf/dxfgrprd.hxx
+++ b/filter/source/graphicfilter/idxf/dxfgrprd.hxx
@@ -59,6 +59,7 @@ public:
         // This read must have returned a group code for datatype String.
         // If not NULL is returend
 
+    sal_uInt64 remainingSize() const;
 private:
 
     long   ReadI();

_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits

Reply via email to