vcl/source/gdi/metaact.cxx | 2 +- vcl/source/gdi/svmconverter.cxx | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-)
New commits: commit f6c465bc8e7583a8321f5c881cb008b980e0e3fa Author: Caolán McNamara <caol...@redhat.com> Date: Wed Jan 25 09:21:25 2017 +0000 ofz#463 unable to mmap Change-Id: I509faeda019f42bbe7cdc5fc249f2ea2076bb702 Reviewed-on: https://gerrit.libreoffice.org/33519 Reviewed-by: Caolán McNamara <caol...@redhat.com> Tested-by: Caolán McNamara <caol...@redhat.com>
diff --git a/vcl/source/gdi/metaact.cxx b/vcl/source/gdi/metaact.cxx
index 15de163..3ef9692 100644
--- a/vcl/source/gdi/metaact.cxx
+++ b/vcl/source/gdi/metaact.cxx
@@ -1110,7 +1110,7 @@ MetaTextArrayAction::MetaTextArrayAction( const Point& rStartPt,
 {
 const sal_Int32 nAryLen = pDXAry ? mnLen : 0;
- if( nAryLen )
+ if (nAryLen > 0)
 {
 mpDXAry.reset( new long[ nAryLen ] );
 memcpy( mpDXAry.get(), pDXAry, nAryLen * sizeof(long) );
diff --git a/vcl/source/gdi/svmconverter.cxx b/vcl/source/gdi/svmconverter.cxx
index 2fba137..9d963f4 100644
--- a/vcl/source/gdi/svmconverter.cxx
+++ b/vcl/source/gdi/svmconverter.cxx
@@ -905,6 +905,15 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm, GDIMetaFile& rMtf )
 std::unique_ptr<long[]> pDXAry;
 if (nAryLen > 0)
 {
+ const size_t nMinRecordSize = sizeof(sal_Int32);
+ const size_t nMaxRecords = rIStm.remainingSize() / nMinRecordSize;
+ if (static_cast<sal_uInt32>(nAryLen) > nMaxRecords)
+ {
+ SAL_WARN("vcl.gdi", "Parsing error: " << nMaxRecords <<
+ " max possible entries, but " << nAryLen << " claimed, truncating");
+ nAryLen = nMaxRecords;
+ }
+
 sal_Int32 nStrLen( aStr.getLength() );
 pDXAry.reset(new long[ std::max( nAryLen, nStrLen ) ]);
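Review bot: The new `if (nAryLen > 0)` guard in the MetaTextArrayAction constructor carries no comment saying why a sign check is needed, so a later cleanup could fold it back into a truthiness test. nAryLen is taken from mnLen, and a negative value would otherwise reach `new long[ nAryLen ]` and the `memcpy` size; I would add `// mnLen may be negative (presumably from a malformed metafile); it must never reach new[]/memcpy` above the condition. The `memcpy` also still trusts that pDXAry holds at least mnLen entries, which the constructor cannot verify, so that precondition belongs in the function's documentation. The constructor body starts and ends outside this hunk.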
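Review bot: In the svmconverter.cxx hunk, `nAryLen = nMaxRecords;` assigns a size_t to nAryLen, which has to be a sal_Int32 for `std::max( nAryLen, nStrLen )` to compile, so the truncation is an implicit narrowing conversion. The value always fits, because the branch is only entered when nMaxRecords is smaller than a positive nAryLen, but that reasoning should be visible in the code: `nAryLen = static_cast<sal_Int32>(nMaxRecords); // below the original nAryLen, so it fits`. The bound also assumes four bytes per entry on the stream while the buffer holds `long`; the loop that fills it lies outside the hunk, so it should be confirmed that it reads exactly one sal_Int32 per element. ImplConvertFromSVM1 continues beyond the visible lines.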