vcl/source/gdi/svmconverter.cxx | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
New commits:
commit 473efc7a879aa5762dc87a0f3b80aa0f1fe31313
Author: Caolán McNamara <caol...@redhat.com>
Date: Sat Mar 11 20:42:58 2017 +0000
ofz: test if comment data is available before alloc
Change-Id: I0d2cdae6a825fc74d08c55353f48f64021542be4
diff --git a/vcl/source/gdi/svmconverter.cxx b/vcl/source/gdi/svmconverter.cxx
index 2e08f1a..2cadb22 100644
--- a/vcl/source/gdi/svmconverter.cxx
+++ b/vcl/source/gdi/svmconverter.cxx
@@ -1404,21 +1404,27 @@ void SVMConverter::ImplConvertFromSVM1( SvStream&
rIStm, GDIMetaFile& rMtf )
case GDI_COMMENT_COMMENT:
{
- sal_Int32 nValue;
- sal_uInt32 nDataSize;
std::vector<sal_uInt8> aData;
- sal_Int32 nFollowingActionCount;
OString aComment =
read_uInt16_lenPrefixed_uInt8s_ToOString(rIStm);
- rIStm.ReadInt32( nValue ).ReadUInt32( nDataSize );
+ sal_Int32 nValue(0);
+ sal_uInt32 nDataSize(0);
+ rIStm.ReadInt32(nValue).ReadUInt32(nDataSize);
if (nDataSize)
{
+ const size_t nMaxPossibleData = rIStm.remainingSize();
+ if (nDataSize > nMaxPossibleActions)
+ {
+ SAL_WARN("vcl.gdi", "svm record claims to have: " <<
nDataSize << " data, but only " << nMaxPossibleData << " possible");
+ nDataSize = nMaxPossibleActions;
+ }
aData.resize(nDataSize);
nDataSize = rIStm.ReadBytes(aData.data(), nDataSize);
}
- rIStm.ReadInt32( nFollowingActionCount );
+ sal_Int32 nFollowingActionCount(0);
+ rIStm.ReadInt32(nFollowingActionCount);
ImplSkipActions( rIStm, nFollowingActionCount );
rMtf.AddAction(new MetaCommentAction(aComment, nValue,
aData.data(), nDataSize));
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
