filter/source/graphicfilter/icgm/class7.cxx | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-)
New commits: commit 9aa68d323cac29ac37e9d6fee4795ba2e361e5a8 Author: Caolán McNamara <caol...@redhat.com> Date: Mon Nov 13 16:03:28 2017 +0000 ofz#4204 compare against available data len Change-Id: I407e104e08aa393d66ed5c6baf5e0b0ab2d361bd Reviewed-on: https://gerrit.libreoffice.org/44687 Tested-by: Jenkins <c...@libreoffice.org> Reviewed-by: Caolán McNamara <caol...@redhat.com> Tested-by: Caolán McNamara <caol...@redhat.com>
diff --git a/filter/source/graphicfilter/icgm/class7.cxx b/filter/source/graphicfilter/icgm/class7.cxx
index 67888f819247..1e56cf544f86 100644
--- a/filter/source/graphicfilter/icgm/class7.cxx
+++ b/filter/source/graphicfilter/icgm/class7.cxx
@@ -30,16 +30,23 @@ void CGM::ImplDoClass7()
 case 0x01 : /*Message */break;
 case 0x02 :
 {
- sal_uInt8* pAppData = mpSource + 12;
+ if (mpEndValidSource - mpSource < 12)
+ throw css::uno::Exception("attempt to read past end of input", nullptr);
+
 sal_uInt16* pTemp = reinterpret_cast<sal_uInt16*>(mpSource);
 sal_uInt16 nOpcode = pTemp[ 4 ];
+ sal_uInt8* pAppData = mpSource + 12;
+
 if ( mpChart || ( nOpcode == 0 ) )
 {
 switch ( nOpcode )
 {
 case 0x000 : /*AppData - Beginning of File Opcodes*/
 {
+ if (mpEndValidSource - pAppData < 4)
+ throw css::uno::Exception("attempt to read past end of input", nullptr);
+
 if ( mpChart == nullptr )
 mpChart = new CGMChart;
 mpChart->mnCurrentFileType = pAppData[ 3 ];
@@ -68,6 +75,9 @@ void CGM::ImplDoClass7()
 case 0x262 : /*AppData - ENDGROUP */break;
 case 0x264 : /*AppData - DATANODE*/
 {
+ if (static_cast<size_t>(mpEndValidSource - pAppData) < sizeof(DataNode))
+ throw css::uno::Exception("attempt to read past end of input", nullptr);
+
 mpChart->mDataNode[ 0 ] = *reinterpret_cast<DataNode*>( pAppData );
 sal_Int8 nZoneEnum = mpChart->mDataNode[ 0 ].nZoneEnum;
 if ( nZoneEnum && ( nZoneEnum <= 6 ) )
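Review bot: The length literals in the new guards are not tied to the reads they protect, so a later edit to the parsing can drift out of sync with them without anyone noticing: `12` in the first check and `4` in the `0x000` case here, and `9` in the TEXT case further down. A short comment on each would help, for example `// app data starts at mpSource + 12; nOpcode is read from bytes 8..9` above the first check and `// reads pAppData[ 3 ]` above the second. In the TEXT case the visible reads only reach offset 3, so the `9` presumably covers reads after the end of that hunk and should say which. All three case bodies continue outside their hunks.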
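Review bot: In the DATANODE case the range test `if ( nZoneEnum && ( nZoneEnum <= 6 ) )` still accepts negative values, because `nZoneEnum` is a `sal_Int8` taken straight from the record copied out of the input. The new length check makes the copy itself safe, but if the statement after the hunk uses `nZoneEnum` as an index into `mDataNode` (not visible here), a negative byte in the file would pass this test. Suggest `if ( nZoneEnum > 0 && nZoneEnum <= 6 )`. The body of the `if` lies outside the hunk.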
@@ -76,6 +86,9 @@ void CGM::ImplDoClass7()
 break;
 case 0x2BE : /*AppData - SHWSLIDEREC*/
 {
+ if (mpEndValidSource - pAppData < 16)
+ throw css::uno::Exception("attempt to read past end of input", nullptr);
+
 if ( pAppData[ 16 ] == 0 ) // a blank template ?
 {
 if ( pAppData[ 2 ] == 46 )
@@ -101,6 +114,9 @@ void CGM::ImplDoClass7()
 case 0x2CA : /*AppData - SHWAPP */break;
 case 0x320 : /*AppData - TEXT*/
 {
+ if (mpEndValidSource - pAppData < 9)
+ throw css::uno::Exception("attempt to read past end of input", nullptr);
+
 TextEntry* pTextEntry = new TextEntry;
 pTextEntry->nTypeOfText = *reinterpret_cast<sal_uInt16*>( pAppData );
 pTextEntry->nRowOrLineNum = *reinterpret_cast<sal_uInt16*>( pAppData + 2 );
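Review bot: The SHWSLIDEREC guard is one byte short: it throws only when fewer than 16 bytes remain, yet the very next line reads `pAppData[ 16 ]`, which needs 17. The other guards in this commit treat `mpEndValidSource` as one past the last valid byte (`< 4` before `pAppData[ 3 ]`), so with exactly 16 bytes left this read would land on `mpEndValidSource` itself. Suggest `if (mpEndValidSource - pAppData < 17)`, or a larger bound if reads after the hunk go beyond index 16. The case body continues outside the hunk.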