vcl/source/filter/svm/SvmReader.cxx | 38 ++++++++++++++++++++---------------- 1 file changed, 22 insertions(+), 16 deletions(-)
New commits: commit fb41deb8b86a48d9dbfbd2e65ee342e39a94f4d9 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Fri Aug 6 09:24:06 2021 +0100 Commit: Caolán McNamara <caol...@redhat.com> CommitDate: Fri Aug 6 11:54:43 2021 +0200 cid#1487034 Untrusted value as argument Change-Id: I7f50e8b1676d36a3675657d160c10196c08c26d4 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/120102 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caol...@redhat.com>
diff --git a/vcl/source/filter/svm/SvmReader.cxx b/vcl/source/filter/svm/SvmReader.cxx
index bee25f2f1e43..311a43fc8f50 100644
--- a/vcl/source/filter/svm/SvmReader.cxx
+++ b/vcl/source/filter/svm/SvmReader.cxx
@@ -655,19 +655,25 @@ rtl::Reference<MetaAction> SvmReader::TextHandler(ImplMetaReadData* pData)
 mrStream.ReadUInt16(nTmpLen);
 pAction->SetPoint(aPoint);
- pAction->SetIndex(nTmpIndex);
- pAction->SetLen(nTmpLen);
 if (aCompat.GetVersion() >= 2) // Version 2
 aStr = read_uInt16_lenPrefixed_uInt16s_ToOUString(mrStream);
- if (nTmpIndex + nTmpLen > aStr.getLength())
+ if (nTmpIndex > aStr.getLength())
 {
- SAL_WARN("vcl.gdi", "inconsistent offset and len");
- pAction->SetIndex(0);
- pAction->SetLen(aStr.getLength());
+ SAL_WARN("vcl.gdi", "inconsistent offset");
+ nTmpIndex = aStr.getLength();
 }
+ if (nTmpLen > aStr.getLength() - nTmpIndex)
+ {
+ SAL_WARN("vcl.gdi", "inconsistent len");
+ nTmpLen = aStr.getLength() - nTmpIndex;
+ }
+
+ pAction->SetIndex(nTmpIndex);
+ pAction->SetLen(nTmpLen);
+
 pAction->SetText(aStr);
 return pAction;
@@ -692,16 +698,14 @@ rtl::Reference<MetaAction> SvmReader::TextArrayHandler(ImplMetaReadData* pData)
 sal_uInt16 nTmpIndex(0);
 mrStream.ReadUInt16(nTmpIndex);
- pAction->SetIndex(nTmpIndex);
 sal_uInt16 nTmpLen(0);
 mrStream.ReadUInt16(nTmpLen);
- pAction->SetLen(nTmpLen);
 sal_Int32 nAryLen(0);
 mrStream.ReadInt32(nAryLen);
- if (nTmpIndex + nTmpLen > aStr.getLength())
+ if (nTmpLen > aStr.getLength() - nTmpIndex)
 {
 SAL_WARN("vcl.gdi", "inconsistent offset and len");
 pAction->SetIndex(0);
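Review bot: In TextHandler the clamp `nTmpIndex = aStr.getLength();` assigns a sal_Int32 to a variable that is filled by ReadUInt16 and is presumably a sal_uInt16 (its declaration is above the hunk), so the narrowing is implicit and safe only because this branch is taken when the length is below nTmpIndex. I would make that visible with `nTmpIndex = static_cast<sal_uInt16>(aStr.getLength()); // length < nTmpIndex <= 0xFFFF here, cannot truncate`, and do the same for the `nTmpLen = aStr.getLength() - nTmpIndex;` clamp below it. Moving SetIndex/SetLen after both checks is the right order for file-supplied values; a one-line comment such as `// index and length come from the file: clamp to the string before storing them` would keep a later edit from hoisting the setters again. The function body starts and ends outside the hunk.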
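Review bot: The rewritten guard `if (nTmpLen > aStr.getLength() - nTmpIndex)` in TextArrayHandler has no separate index check, so an nTmpIndex past the end of the string is rejected only because the subtraction is done in signed sal_Int32 and goes negative. That deserves a comment on the condition, e.g. `// getLength() - nTmpIndex is negative when the index is past the end, so this also rejects a bad index`, so nobody later "fixes" it with an unsigned cast. The recovery also differs from TextHandler: there both values are clamped with separate warnings, here the branch resets the index to 0 (the rest of the branch is outside the hunk); if that difference is deliberate, say why. The same guard is repeated in the version-2 path (hunk at -740) and the comment applies there too.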
@@ -709,6 +713,9 @@ rtl::Reference<MetaAction> SvmReader::TextArrayHandler(ImplMetaReadData* pData)
 return pAction;
 }
+ pAction->SetIndex(nTmpIndex);
+ pAction->SetLen(nTmpLen);
+
 if (nAryLen)
 {
 // #i9762#, #106172# Ensure that DX array is at least mnLen entries long
@@ -740,7 +747,7 @@ rtl::Reference<MetaAction> SvmReader::TextArrayHandler(ImplMetaReadData* pData)
 aStr = read_uInt16_lenPrefixed_uInt16s_ToOUString(mrStream);
 pAction->SetText(aStr);
- if (nTmpIndex + nTmpLen > aStr.getLength())
+ if (nTmpLen > aStr.getLength() - nTmpIndex)
 {
 SAL_WARN("vcl.gdi", "inconsistent offset and len");
 pAction->SetIndex(0);
@@ -795,7 +802,7 @@ rtl::Reference<MetaAction> SvmReader::TextRectHandler(ImplMetaReadData* pData)
 aSerializer.readRectangle(aRect);
 OUString aStr;
 aStr = mrStream.ReadUniOrByteString(pData->meActualCharSet);
- sal_uInt16 nTmp;
+ sal_uInt16 nTmp(0);
 mrStream.ReadUInt16(nTmp);
 pAction->SetRect(aRect);
@@ -1219,9 +1226,8 @@ rtl::Reference<MetaAction> SvmReader::TextAlignHandler()
 {
 rtl::Reference<MetaTextAlignAction> pAction(new MetaTextAlignAction);
- sal_uInt16 nTmp16(0);
-
 VersionCompatRead aCompat(mrStream);
+ sal_uInt16 nTmp16(0);
 mrStream.ReadUInt16(nTmp16);
 pAction->SetTextAlign(static_cast<TextAlign>(nTmp16));
@@ -1264,10 +1270,10 @@ rtl::Reference<MetaAction> SvmReader::PushHandler()
 rtl::Reference<MetaPushAction> pAction(new MetaPushAction);
 VersionCompatRead aCompat(mrStream);
- sal_uInt16 tmp;
- mrStream.ReadUInt16(tmp);
+ sal_uInt16 nTmp(0);
+ mrStream.ReadUInt16(nTmp);
- pAction->SetPushFlags(static_cast<PushFlags>(tmp));
+ pAction->SetPushFlags(static_cast<PushFlags>(nTmp));
 return pAction;
 }
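Review bot: `pAction->SetPushFlags(static_cast<PushFlags>(nTmp));` in PushHandler, and the unchanged `static_cast<TextAlign>(nTmp16)` in TextAlignHandler, still turn a 16-bit value taken straight from the stream into an enum with no range or mask check; the zero initialisers only define what happens on a failed read. Neither enum's definition is visible here, so whether unknown values can cause harm downstream is something to confirm, but a file-controlled value outside the declared enumerators is the same class of finding this commit addresses for the text offsets. I would validate before the setter and fall back to a default with a SAL_WARN, as the text handlers do, and at minimum add `// nTmp is file-controlled; bits outside PushFlags are not filtered here`. Both function bodies start outside their hunks.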