hwpfilter/source/hwpreader.cxx | 12 +-
lotuswordpro/source/filter/lwpdrawobj.cxx | 123 ++++++++++++++++--------------
2 files changed, 73 insertions(+), 62 deletions(-)
New commits:
commit 19e2c6c742b9a66dcc86f6344cedda667f847733
Author: Caolán McNamara <caol...@redhat.com>
AuthorDate: Sun Mar 13 10:48:47 2022 +0000
Commit: Aron Budea <aron.bu...@collabora.com>
CommitDate: Wed Aug 10 22:48:21 2022 +0200
ofz#45524 string is presumed to be at least length 1
Change-Id: If8a86e399109b414cf53f6e2bffdd3c7c6faa490
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131468
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
(cherry picked from commit eca150aeb9254a3c04d15be5a6278c2c65bf3fb0)
diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index 24d7c6530615..5b367326caec 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1253,7 +1253,11 @@ void LwpDrawTextArt::Read()
-
(m_aTextArtRec.aPath[1].n*3 + 1)*4;
- if (!m_pStream->good() || m_aTextArtRec.nTextLen >
m_pStream->remainingSize())
+ if (!m_pStream->good())
+ throw BadRead();
+ if (m_aTextArtRec.nTextLen > m_pStream->remainingSize())
+ throw BadRead();
+ if (m_aTextArtRec.nTextLen < 1)
throw BadRead();
m_aTextArtRec.pTextString = new sal_uInt8 [m_aTextArtRec.nTextLen];
commit 735be88f5f4e30d19de4b7d9b2ada4115bb2ebc5
Author: zhutyra <zhutyra>
AuthorDate: Tue Feb 1 13:54:55 2022 +0000
Commit: Aron Budea <aron.bu...@collabora.com>
CommitDate: Wed Aug 10 22:48:06 2022 +0200
read of width/height uses wrong record size
this initially went wrong at:
commit b4fb7a437bb0ce987702b12008737756623618ac
Date: Mon May 23 21:38:40 2011 +0100
fix up some more endian
LIBREOFFICE-SBQ5TJRS
Change-Id: Ie418f530f55288351f73f3c0cbab9ac48e6b6964
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129259
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
(cherry picked from commit 6694e3ea9c2f05a20245d94c5c1eda955cb3aacc)
diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index d4d4b7ff19f9..24d7c6530615 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1392,8 +1392,12 @@ void LwpDrawBitmap::Read()
if (aInfoHeader2.nHeaderLen == sizeof(BmpInfoHeader))
{
- m_pStream->ReadUInt32( aInfoHeader2.nWidth );
- m_pStream->ReadUInt32( aInfoHeader2.nHeight );
+ sal_uInt16 nTmp;
+
+ m_pStream->ReadUInt16( nTmp );
+ aInfoHeader2.nWidth = nTmp;
+ m_pStream->ReadUInt16( nTmp );
+ aInfoHeader2.nHeight = nTmp;
m_pStream->ReadUInt16( aInfoHeader2.nPlanes );
m_pStream->ReadUInt16( aInfoHeader2.nBitCount );
commit e607dcc3074a908e19b315f176f1c8eb80de1e42
Author: zhutyra <zhutyra>
AuthorDate: Tue Feb 1 14:07:26 2022 +0000
Commit: Aron Budea <aron.bu...@collabora.com>
CommitDate: Wed Aug 10 22:46:36 2022 +0200
ensure bounds checking
LIBREOFFICE-SBQ5TJRS
Change-Id: I71f35bc120fdd70298685131f29a6bb822d50f11
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129261
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
(cherry picked from commit 17dd787a4ca9c17883e0bdfc75c89c2fa7ec169e)
diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index ec617fb24346..d4d4b7ff19f9 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1373,21 +1373,20 @@ void LwpDrawBitmap::Read()
m_pStream->ReadUInt16( m_aBmpRec.nTranslation );
m_pStream->ReadUInt16( m_aBmpRec.nRotation );
+ // 20 == length of draw-specific fields.
if (m_aObjHeader.nRecLen < 20)
throw BadRead();
- // 20 == length of draw-specific fields.
- // 14 == length of bmp file header.
- m_aBmpRec.nFileSize = m_aObjHeader.nRecLen - 20 + 14;
+ sal_uInt64 nBmpPos = m_pStream->Tell();
+ sal_uInt64 nBmpLen =
+ std::min<sal_uInt64>(m_aObjHeader.nRecLen - 20,
m_pStream->remainingSize());
BmpInfoHeader2 aInfoHeader2;
m_pStream->ReadUInt32( aInfoHeader2.nHeaderLen );
- if (!m_pStream->good())
+ if (!m_pStream->good() || nBmpLen < aInfoHeader2.nHeaderLen)
throw BadRead();
- m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
-
sal_uInt32 N;
sal_uInt32 rgbTableSize;
@@ -1411,7 +1410,7 @@ void LwpDrawBitmap::Read()
rgbTableSize = 3 * (1 << N);
}
}
- else
+ else if (aInfoHeader2.nHeaderLen >= sizeof(BmpInfoHeader2))
{
m_pStream->ReadUInt32( aInfoHeader2.nWidth );
m_pStream->ReadUInt32( aInfoHeader2.nHeight );
@@ -1430,9 +1429,15 @@ void LwpDrawBitmap::Read()
{
rgbTableSize = 4 * (1 << N);
}
-
+ }
+ else
+ {
+ throw BadRead();
}
+ m_aBmpRec.nFileSize = static_cast<sal_uInt32>(nBmpLen + 14);
+ m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
+
sal_uInt32 nOffBits = 14 + aInfoHeader2.nHeaderLen + rgbTableSize;
m_pImageData[0] = 'B';
m_pImageData[1] = 'M';
@@ -1449,50 +1454,10 @@ void LwpDrawBitmap::Read()
m_pImageData[12] = static_cast<sal_uInt8>(nOffBits >> 16);
m_pImageData[13] = static_cast<sal_uInt8>(nOffBits >> 24);
- sal_uInt32 nDIBRemaining;
sal_uInt8* pPicData = m_pImageData.get();
- if (aInfoHeader2.nHeaderLen== sizeof(BmpInfoHeader))
- {
- m_pImageData[14] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen);
- m_pImageData[15] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >>
8);
- m_pImageData[16] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >>
16);
- m_pImageData[17] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >>
24);
- m_pImageData[18] = static_cast<sal_uInt8>(aInfoHeader2.nWidth);
- m_pImageData[19] = static_cast<sal_uInt8>(aInfoHeader2.nWidth >> 8);
- m_pImageData[20] = static_cast<sal_uInt8>(aInfoHeader2.nHeight);
- m_pImageData[21] = static_cast<sal_uInt8>(aInfoHeader2.nHeight >> 8);
- m_pImageData[22] = static_cast<sal_uInt8>(aInfoHeader2.nPlanes);
- m_pImageData[23] = static_cast<sal_uInt8>(aInfoHeader2.nPlanes >> 8);
- m_pImageData[24] = static_cast<sal_uInt8>(aInfoHeader2.nBitCount);
- m_pImageData[25] = static_cast<sal_uInt8>(aInfoHeader2.nBitCount >> 8);
-
- nDIBRemaining = m_aBmpRec.nFileSize - 26;
- pPicData += 26*sizeof(sal_uInt8);
- }
- else
- {
- m_pImageData[14] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen);
- m_pImageData[15] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >>
8);
- m_pImageData[16] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >>
16);
- m_pImageData[17] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >>
24);
- m_pImageData[18] = static_cast<sal_uInt8>(aInfoHeader2.nWidth);
- m_pImageData[19] = static_cast<sal_uInt8>(aInfoHeader2.nWidth >> 8);
- m_pImageData[20] = static_cast<sal_uInt8>(aInfoHeader2.nWidth >> 16);
- m_pImageData[21] = static_cast<sal_uInt8>(aInfoHeader2.nWidth >> 24);
- m_pImageData[22] = static_cast<sal_uInt8>(aInfoHeader2.nHeight);
- m_pImageData[23] = static_cast<sal_uInt8>(aInfoHeader2.nHeight >> 8);
- m_pImageData[24] = static_cast<sal_uInt8>(aInfoHeader2.nHeight >> 16);
- m_pImageData[25] = static_cast<sal_uInt8>(aInfoHeader2.nHeight >> 24);
- m_pImageData[26] = static_cast<sal_uInt8>(aInfoHeader2.nPlanes);
- m_pImageData[27] = static_cast<sal_uInt8>(aInfoHeader2.nPlanes >> 8);
- m_pImageData[28] = static_cast<sal_uInt8>(aInfoHeader2.nBitCount);
- m_pImageData[29] = static_cast<sal_uInt8>(aInfoHeader2.nBitCount >> 8);
-
- nDIBRemaining = m_aBmpRec.nFileSize - 30;
- pPicData += 30*sizeof(sal_uInt8);
- }
- if (nDIBRemaining != m_pStream->ReadBytes(pPicData, nDIBRemaining))
+ m_pStream->Seek(nBmpPos);
+ if (nBmpLen != m_pStream->ReadBytes(pPicData + 14, nBmpLen))
throw BadRead();
}
commit 87b129459bff648dd30fc238deb2d0b64468a83e
Author: Caolán McNamara <caol...@redhat.com>
AuthorDate: Thu Jan 13 16:57:48 2022 +0000
Commit: Aron Budea <aron.bu...@collabora.com>
CommitDate: Wed Aug 10 22:45:56 2022 +0200
ofz#43577 valid reclen must be >= 20
Change-Id: I454bff4acfcd85701a7f094a8bd76898825e9ce2
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128388
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caol...@redhat.com>
(cherry picked from commit 444477a07bcaf59181dbbc719b913566091deadc)
ofz: Use-of-uninitialized-value
Change-Id: I6b768b80d972c5379005efecfb803463ca648b4b
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128644
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caol...@redhat.com>
(cherry picked from commit 7b37a1a5144a3a4c8b0803b7e2da81e9e108bf66)
ofz: Undefined-Shift
Change-Id: Ib935359071ef9e390aa3d6c9713ed48241ad18e6
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129066
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caol...@redhat.com>
(cherry picked from commit e863b90a0e5fc90c3b824e4b0012f9389b87a3ac)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129183
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
(cherry picked from commit 7c8b41bc322720dc9434fbef1f10a6740913165e)
(cherry picked from commit afeb3af6b990e59e4e81f74d0a68d479fdfcc862)
diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index ae0fc5bb9c05..ec617fb24346 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1373,14 +1373,21 @@ void LwpDrawBitmap::Read()
m_pStream->ReadUInt16( m_aBmpRec.nTranslation );
m_pStream->ReadUInt16( m_aBmpRec.nRotation );
+ if (m_aObjHeader.nRecLen < 20)
+ throw BadRead();
+
// 20 == length of draw-specific fields.
// 14 == length of bmp file header.
m_aBmpRec.nFileSize = m_aObjHeader.nRecLen - 20 + 14;
- m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
BmpInfoHeader2 aInfoHeader2;
m_pStream->ReadUInt32( aInfoHeader2.nHeaderLen );
+ if (!m_pStream->good())
+ throw BadRead();
+
+ m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
+
sal_uInt32 N;
sal_uInt32 rgbTableSize;
@@ -1395,7 +1402,7 @@ void LwpDrawBitmap::Read()
throw BadRead();
N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount;
- if (N == 24)
+ if (N >= 16)
{
rgbTableSize = 0;
}
@@ -1415,7 +1422,7 @@ void LwpDrawBitmap::Read()
throw BadRead();
N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount;
- if (N == 24)
+ if (N >= 16)
{
rgbTableSize = 0;
}
commit d2a3c3aa561b20cb1ed7a0c63be8426a26abba12
Author: Caolán McNamara <caol...@redhat.com>
AuthorDate: Mon Jan 17 10:48:12 2022 +0000
Commit: Aron Budea <aron.bu...@collabora.com>
CommitDate: Wed Aug 10 22:43:21 2022 +0200
ofz: Use-of-uninitialized-value
Change-Id: Ic5f41e4f1f6b20a8cd8887807296f33adb48b728
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128439
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
(cherry picked from commit bb03203848ef1c30786ad084440b5d317a466127)
diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index a3fd862766d0..ae0fc5bb9c05 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1485,7 +1485,8 @@ void LwpDrawBitmap::Read()
pPicData += 30*sizeof(sal_uInt8);
}
- m_pStream->ReadBytes(pPicData, nDIBRemaining);
+ if (nDIBRemaining != m_pStream->ReadBytes(pPicData, nDIBRemaining))
+ throw BadRead();
}
OUString LwpDrawBitmap::RegisterStyle()
commit 3d8222a5adc873e3ae40a1693896b75ebb3c88b8
Author: Caolán McNamara <caol...@redhat.com>
AuthorDate: Wed Jan 26 11:57:13 2022 +0000
Commit: Aron Budea <aron.bu...@collabora.com>
CommitDate: Wed Aug 10 22:42:56 2022 +0200
ofz#44080 throw exception on a negative length
Change-Id: I3e2286cea69908fae3a2dd177d10fca2b7f0c877
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128956
Tested-by: Jenkins
Reviewed-by: Xisco Fauli <xiscofa...@libreoffice.org>
(cherry picked from commit af8709defeb90464c8724d3fe5fb8cbbf6efc2b8)
diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index 4ffffb2fa536..a3fd862766d0 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1090,6 +1090,9 @@ XFFrame* LwpDrawTextBox::CreateDrawObj(const OUString&
rStyleName )
aEncoding = LwpCharSetMgr::GetTextCharEncoding();
}
+ if (TextLength < 2)
+ throw BadRead();
+
XFParagraph* pXFPara = new XFParagraph();
pXFPara->Add(OUString(reinterpret_cast<char*>(m_aTextRec.pTextString),
(TextLength-2), aEncoding));
pXFPara->SetStyleName(rStyleName);
commit 6be520c55f0ef104140c0b99de88918602ee7e5e
Author: Caolán McNamara <caol...@redhat.com>
AuthorDate: Sun Jan 16 14:30:15 2022 +0000
Commit: Aron Budea <aron.bu...@collabora.com>
CommitDate: Wed Aug 10 22:41:39 2022 +0200
ofz: Use-of-uninitialized-value
Change-Id: Ib1c3b306573dda073f6ff3d7d0cc17aef39c0a0e
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128436
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
(cherry picked from commit 7607a7e45a1da570dda0a4b96c08405086a647b6)
diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index 0c2c97cde9b8..4ffffb2fa536 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -497,7 +497,7 @@ void LwpDrawPolyLine::Read()
m_pStream->ReadUChar( m_aPolyLineRec.aPenColor.unused );
m_pStream->ReadUInt16( m_aPolyLineRec.nNumPoints );
- if (m_aPolyLineRec.nNumPoints > m_pStream->remainingSize() / 4)
+ if (!m_pStream->good() || m_aPolyLineRec.nNumPoints >
m_pStream->remainingSize() / 4)
throw BadRead();
m_pVector.reset( new SdwPoint[m_aPolyLineRec.nNumPoints] );
@@ -577,7 +577,7 @@ void LwpDrawPolygon::Read()
ReadClosedObjStyle();
m_pStream->ReadUInt16( m_nNumPoints );
- if (m_nNumPoints > m_pStream->remainingSize() / 4)
+ if (!m_pStream->good() || m_nNumPoints > m_pStream->remainingSize() / 4)
throw BadRead();
m_pVector.reset( new SdwPoint[m_nNumPoints] );
@@ -1041,6 +1041,9 @@ void LwpDrawTextBox::Read()
m_pStream->ReadInt16( m_aTextRec.nTextRotation );
m_pStream->ReadInt16( m_aTextRec.nTextExtraSpacing );
+ if (!m_pStream->good())
+ throw BadRead();
+
// some draw files in version 1.2 have an extra byte following '\0'.
// can't rely on that, so read in the whole string into memory.
@@ -1192,17 +1195,17 @@ void LwpDrawTextArt::Read()
m_pStream->ReadInt16( m_aTextArtRec.nRotation );
sal_uInt16 nPointNumber;
- sal_Int16 nX, nY;
m_pStream->ReadUInt16( nPointNumber );
size_t nPoints = nPointNumber*3+1;
- if (nPoints > m_pStream->remainingSize() / 4)
+ if (!m_pStream->good() || nPoints > m_pStream->remainingSize() / 4)
throw BadRead();
m_aTextArtRec.aPath[0].n = nPointNumber;
m_aTextArtRec.aPath[0].pPts = new SdwPoint[nPoints];
for (size_t nPt = 0; nPt < nPoints; ++nPt)
{
+ sal_Int16 nX, nY;
m_pStream->ReadInt16( nX );
m_pStream->ReadInt16( nY );
m_aTextArtRec.aPath[0].pPts[nPt].x = nX;
@@ -1212,13 +1215,14 @@ void LwpDrawTextArt::Read()
m_pStream->ReadUInt16( nPointNumber );
nPoints = nPointNumber*3+1;
- if (nPoints > m_pStream->remainingSize() / 4)
+ if (!m_pStream->good() || nPoints > m_pStream->remainingSize() / 4)
throw BadRead();
m_aTextArtRec.aPath[1].n = nPointNumber;
m_aTextArtRec.aPath[1].pPts = new SdwPoint[nPoints];
for (size_t nPt = 0; nPt < nPoints; ++nPt)
{
+ sal_Int16 nX, nY;
m_pStream->ReadInt16( nX );
m_pStream->ReadInt16( nY );
m_aTextArtRec.aPath[1].pPts[nPt].x = nX;
@@ -1246,7 +1250,7 @@ void LwpDrawTextArt::Read()
-
(m_aTextArtRec.aPath[1].n*3 + 1)*4;
- if (m_aTextArtRec.nTextLen > m_pStream->remainingSize())
+ if (!m_pStream->good() || m_aTextArtRec.nTextLen >
m_pStream->remainingSize())
throw BadRead();
m_aTextArtRec.pTextString = new sal_uInt8 [m_aTextArtRec.nTextLen];
@@ -1384,7 +1388,7 @@ void LwpDrawBitmap::Read()
m_pStream->ReadUInt16( aInfoHeader2.nPlanes );
m_pStream->ReadUInt16( aInfoHeader2.nBitCount );
- if (!IsValid(aInfoHeader2))
+ if (!m_pStream->good() || !IsValid(aInfoHeader2))
throw BadRead();
N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount;
@@ -1404,7 +1408,7 @@ void LwpDrawBitmap::Read()
m_pStream->ReadUInt16( aInfoHeader2.nPlanes );
m_pStream->ReadUInt16( aInfoHeader2.nBitCount );
- if (!IsValid(aInfoHeader2))
+ if (!m_pStream->good() || !IsValid(aInfoHeader2))
throw BadRead();
N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount;
commit b3f8a72f17fd63fbdc40a28d366753000d399f2f
Author: Caolán McNamara <caol...@redhat.com>
AuthorDate: Sun Jan 9 16:07:32 2022 +0000
Commit: Aron Budea <aron.bu...@collabora.com>
CommitDate: Wed Aug 10 22:40:56 2022 +0200
ofz#43446 Undefined-shift
Change-Id: Ibe3485983ecf764ca8b8e667b470c6b210b6d2d4
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128192
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caol...@redhat.com>
(cherry picked from commit 27e9de358b4afc6a89b09c173316cee0abfb471d)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128234
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
(cherry picked from commit fb5fe960e4d50176c754ae2d10ce53c3c3da82a1)
diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index 88f25d9a78e9..0c2c97cde9b8 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1342,6 +1342,22 @@ LwpDrawBitmap::~LwpDrawBitmap()
{
}
+static bool IsValid(const BmpInfoHeader2& rHeader)
+{
+ if (rHeader.nPlanes != 1)
+ return false;
+
+ if (rHeader.nBitCount != 0 && rHeader.nBitCount != 1 &&
+ rHeader.nBitCount != 4 && rHeader.nBitCount != 8 &&
+ rHeader.nBitCount != 16 && rHeader.nBitCount != 24 &&
+ rHeader.nBitCount != 32)
+ {
+ return false;
+ }
+
+ return true;
+}
+
/**
* @descr reading function of class LwpDrawBitmap
*/
@@ -1368,6 +1384,9 @@ void LwpDrawBitmap::Read()
m_pStream->ReadUInt16( aInfoHeader2.nPlanes );
m_pStream->ReadUInt16( aInfoHeader2.nBitCount );
+ if (!IsValid(aInfoHeader2))
+ throw BadRead();
+
N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount;
if (N == 24)
{
@@ -1384,6 +1403,10 @@ void LwpDrawBitmap::Read()
m_pStream->ReadUInt32( aInfoHeader2.nHeight );
m_pStream->ReadUInt16( aInfoHeader2.nPlanes );
m_pStream->ReadUInt16( aInfoHeader2.nBitCount );
+
+ if (!IsValid(aInfoHeader2))
+ throw BadRead();
+
N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount;
if (N == 24)
{
commit e351b233c3b60e3eea7899ca5b607d94bbf86d19
Author: Caolán McNamara <caol...@redhat.com>
AuthorDate: Tue Apr 26 16:51:01 2022 +0100
Commit: Aron Budea <aron.bu...@collabora.com>
CommitDate: Wed Aug 10 22:34:58 2022 +0200
ofz#47042 previous use of static variable affecting later runs
Change-Id: I64fb184e43fb025798781c85c9a0a8e0354b21b0
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/133453
Tested-by: Jenkins
Reviewed-by: Xisco Fauli <xiscofa...@libreoffice.org>
(cherry picked from commit 24c7741adcb373b4de508b16deef56343119df26)
diff --git a/hwpfilter/source/hwpreader.cxx b/hwpfilter/source/hwpreader.cxx
index 4cf69e28603f..4cfa65356c4b 100644
--- a/hwpfilter/source/hwpreader.cxx
+++ b/hwpfilter/source/hwpreader.cxx
@@ -71,7 +71,6 @@
rendEl("text:span"); \
tstart = false
-static hchar *field = nullptr;
static char buf[1024];
namespace
@@ -97,12 +96,13 @@ struct HwpReaderPrivate
bInHeader = false;
nPnPos = 0;
pPn = nullptr;
-
+ pField = nullptr;
}
bool bFirstPara;
bool bInBody;
bool bInHeader;
ShowPageNum *pPn;
+ hchar *pField;
int nPnPos;
};
@@ -2961,7 +2961,7 @@ void HwpReader::make_text_p3(HWPPara * para,bool
bParaStart)
firstspace = 1;
if( hbox->type[0] == 4 && hbox->type[1] == 0 )
{
- field = hbox->str3.get();
+ d->pField = hbox->str3.get();
}
else{
makeFieldCode(str, hbox);
@@ -2974,7 +2974,7 @@ void HwpReader::make_text_p3(HWPPara * para,bool
bParaStart)
if( hbox->type[0] == 4 && hbox->type[1] == 0 )
{
makeFieldCode(str, hbox);
- field = nullptr;
+ d->pField = nullptr;
}
infield = false;
str.clear();
@@ -3142,8 +3142,8 @@ void HwpReader::makeFieldCode(hchar_string const & rStr,
FieldCode const *hbox)
if( hbox->type[0] == 4 && hbox->type[1] == 0 )
{
padd("text:placeholder-type", sXML_CDATA, "text");
- if( field )
- padd("text:description", sXML_CDATA,
fromHcharStringToOUString(hstr2ucsstr(field)));
+ if (d->pField)
+ padd("text:description", sXML_CDATA,
fromHcharStringToOUString(hstr2ucsstr(d->pField)));
rstartEl( "text:placeholder", mxList.get());
mxList->clear();
rchars( fromHcharStringToOUString(rStr) );
