filter/source/graphicfilter/icgm/actimpr.cxx | 2 +- filter/source/graphicfilter/icgm/class4.cxx | 25 ++++++++++++++++--------- 2 files changed, 17 insertions(+), 10 deletions(-)
New commits: commit fb05611064e12c8eda09bc32c42544cde8c2ab49 Author: Caolán McNamara <caol...@redhat.com> Date: Sun Apr 2 11:31:10 2017 +0100 ofz: check bounds on read Change-Id: I07779bec876b90e36f20a81d6dbf06ae727edf85 diff --git a/filter/source/graphicfilter/icgm/class4.cxx b/filter/source/graphicfilter/icgm/class4.cxx index c74333123c6b..d8397a26395c 100644 --- a/filter/source/graphicfilter/icgm/class4.cxx +++ b/filter/source/graphicfilter/icgm/class4.cxx @@ -178,15 +178,18 @@ void CGM::ImplDoClass4() case 0x04 : /*Text*/ { FloatPoint aFloatPoint; - sal_uInt32 nType, nSize; if ( mbFigure ) mpOutAct->CloseRegion(); ImplGetPoint ( aFloatPoint, true ); - nType = ImplGetUI16( 4 ); - nSize = ImplGetUI( 1 ); - mpSource[ mnParaSize + nSize ] = 0; + sal_uInt32 nType = ImplGetUI16( 4 ); + sal_uInt32 nSize = ImplGetUI( 1 ); + + if (mpSource + mnParaSize + nSize > mpEndValidSource) + throw css::uno::Exception("attempt to read past end of input", nullptr); + + mpSource[mnParaSize + nSize] = 0; awt::Size aSize; awt::Point aPoint( (long)aFloatPoint.X, (long)aFloatPoint.Y ); @@ -200,7 +203,6 @@ void CGM::ImplDoClass4() { double dx, dy; FloatPoint aFloatPoint; - sal_uInt32 nType, nSize; if ( mbFigure ) mpOutAct->CloseRegion(); @@ -219,8 +221,11 @@ void CGM::ImplDoClass4() ImplMapDouble( dy ); ImplGetPoint ( aFloatPoint, true ); - nType = ImplGetUI16( 4 ); - nSize = ImplGetUI( 1 ); + sal_uInt32 nType = ImplGetUI16(4); + sal_uInt32 nSize = ImplGetUI(1); + + if (mpSource + mnParaSize + nSize > mpEndValidSource) + throw css::uno::Exception("attempt to read past end of input", nullptr); mpSource[ mnParaSize + nSize ] = 0; 
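Review bot: The guard added in the Text case compares with `>`, so an `nSize` that places `mpSource + mnParaSize + nSize` exactly at `mpEndValidSource` passes, and the next statement `mpSource[mnParaSize + nSize] = 0;` stores the terminator at that address. If `mpEndValidSource` is one past the last valid byte (its definition is not in this diff), that is still a one-byte write outside the validated range and the comparison should be `>=`. The same check is repeated in the hunk at -219,8 and in the Append Text hunk at -234,10, so a small private helper would keep the three sites identical. The exception text says "read", but what the check protects here is the write of the terminator; a comment such as `// nSize comes from the file; the NUL store below must stay inside the element` would make that explicit. ImplDoClass4 starts and ends outside these hunks.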
@@ -234,10 +239,12 @@ void CGM::ImplDoClass4() case 0x06 : /*Append Text*/ { - sal_uInt32 nSize; sal_uInt32 nType = ImplGetUI16( 4 ); + sal_uInt32 nSize = ImplGetUI( 1 ); + + if (mpSource + mnParaSize + nSize > mpEndValidSource) + throw css::uno::Exception("attempt to read past end of input", nullptr); - nSize = ImplGetUI( 1 ); mpSource[ mnParaSize + nSize ] = 0; mpOutAct->AppendText( reinterpret_cast<char*>(mpSource) + mnParaSize, nSize, (FinalFlag)nType ); commit 647ff1add92a4d6473515462d4e5939b99b76d27 Author: Caolán McNamara <caol...@redhat.com> Date: Sun Apr 2 01:58:25 2017 +0100 ofz: use safer ctor Change-Id: I23d23a73442a22ecced0c0287b42a7c667ebfa7e diff --git a/filter/source/graphicfilter/icgm/actimpr.cxx b/filter/source/graphicfilter/icgm/actimpr.cxx index 0a63a8ea15dc..6d7b1364b22b 100644 --- a/filter/source/graphicfilter/icgm/actimpr.cxx +++ b/filter/source/graphicfilter/icgm/actimpr.cxx @@ -805,7 +805,7 @@ void CGMImpressOutAct::DrawText( awt::Point& rTextPos, awt::Size& rTextSize, cha uno::Any aFirstQuery( maXShape->queryInterface( cppu::UnoType<text::XText>::get())); if( aFirstQuery >>= xText ) { - OUString aStr( OUString::createFromAscii( pString ) ); + OUString aStr(pString, rtl_str_getLength(pString), RTL_TEXTENCODING_ASCII_US); uno::Reference< text::XTextCursor > aXTextCursor( xText->createTextCursor() ); {
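Review bot: `rtl_str_getLength(pString)` in the new `aStr` constructor call still scans for a NUL, so DrawText keeps depending on the terminator that the class4.cxx callers store into the input buffer with `mpSource[mnParaSize + nSize] = 0;`. If DrawText already receives the text length from its caller (the parameter list is cut off in the hunk header), passing that length instead would remove the dependency. Presumably the constructor was swapped because the text comes from the file and may hold bytes outside 0..127, which `createFromAscii` does not accept; a one-line comment saying so, e.g. `// file-supplied text, may contain non-ASCII bytes`, would record the reason. DrawText's body starts and ends outside the hunk.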