emfio/source/reader/emfreader.cxx | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
New commits:
commit 5cfbc855141a7f5c5583aadc8ef8541ed582d139
Author: Caolán McNamara <caol...@redhat.com>
Date: Sat Nov 18 15:21:58 2017 +0000
ofz#4318 Integer-overflow
Change-Id: I7ad1f39d82e44e4fa8dd78700b25deea0c19c81a
Reviewed-on: https://gerrit.libreoffice.org/44913
Tested-by: Jenkins <c...@libreoffice.org>
Reviewed-by: Caolán McNamara <caol...@redhat.com>
Tested-by: Caolán McNamara <caol...@redhat.com>
diff --git a/emfio/source/reader/emfreader.cxx
b/emfio/source/reader/emfreader.cxx
index 6ee222d427cb..e4f89420b930 100644
--- a/emfio/source/reader/emfreader.cxx
+++ b/emfio/source/reader/emfreader.cxx
@@ -1259,12 +1259,15 @@ namespace emfio
mpInputStream->ReadUInt32( BkColorSrc ).ReadUInt32(
iUsageSrc ).ReadUInt32( offBmiSrc ).ReadUInt32( cbBmiSrc )
.ReadUInt32( offBitsSrc ).ReadUInt32(
cbBitsSrc ).ReadInt32( cxSrc ).ReadInt32( cySrc ) ;
- tools::Rectangle aRect( Point( xDest, yDest ), Size(
cxDest+1, cyDest+1 ) );
-
- if ( (cbBitsSrc > (SAL_MAX_UINT32 - 14)) ||
((SAL_MAX_UINT32 - 14) - cbBitsSrc < cbBmiSrc) )
+ if ( (cbBitsSrc > (SAL_MAX_UINT32 - 14)) ||
((SAL_MAX_UINT32 - 14) - cbBitsSrc < cbBmiSrc) ||
+ cxDest == SAL_MAX_INT32 || cyDest ==
SAL_MAX_INT32 )
+ {
bStatus = false;
+ }
else
{
+ tools::Rectangle aRect(Point(xDest, yDest),
Size(cxDest + 1, cyDest + 1));
+
const sal_uInt32 nSourceSize = cbBmiSrc +
cbBitsSrc + 14;
bool bSafeRead = nSourceSize <= (mnEndPos -
mnStartPos);
sal_uInt32 nDeltaToDIB5HeaderSize(0);
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
