filter/source/msfilter/svdfppt.cxx | 8 +++++++- tools/source/generic/poly2.cxx | 9 +++++++-- 2 files changed, 14 insertions(+), 3 deletions(-)
New commits: commit 52154481792ef739e7653fd6a2919349eac0f23f Author: Caolán McNamara <[email protected]> AuthorDate: Fri Oct 10 21:37:09 2025 +0100 Commit: Caolán McNamara <[email protected]> CommitDate: Sat Oct 11 15:16:28 2025 +0200 ofz Use-of-uninitialized-value Change-Id: I6a80b3e16f904d50e72c03bab25164e03f192a21 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/192185 Tested-by: Jenkins Reviewed-by: Caolán McNamara <[email protected]>
diff --git a/filter/source/msfilter/svdfppt.cxx b/filter/source/msfilter/svdfppt.cxx
index b6b8365f50cc..3f21eea2d14f 100644
--- a/filter/source/msfilter/svdfppt.cxx
+++ b/filter/source/msfilter/svdfppt.cxx
@@ -1778,7 +1778,13 @@ static bool SdrPowerPointOLEDecompress( SvStream& rOutput, SvStream& rInput, sal
 {
 sal_uInt64 nOldPos = rInput.Tell();
 std::unique_ptr<char[]> pBuf(new char[ nInputSize ]);
- rInput.ReadBytes(pBuf.get(), nInputSize);
+ auto nRead = rInput.ReadBytes(pBuf.get(), nInputSize);
+ if (nRead < nInputSize)
+ {
+ SAL_WARN("filter.ms", "Parsing error: " << nInputSize <<
+ " bytes wanted, but " << nRead << " available");
+ nInputSize = nRead;
+ }
 ZCodec aZCodec( 0x8000, 0x8000 );
 aZCodec.BeginCompression();
 SvMemoryStream aSource( pBuf.get(), nInputSize, StreamMode::READ );
commit 293a41d2c042498b91b2001d1814a165f03857de Author: Caolán McNamara <[email protected]> AuthorDate: Fri Oct 10 21:22:54 2025 +0100 Commit: Caolán McNamara <[email protected]> CommitDate: Sat Oct 11 15:16:20 2025 +0200 ofz#446998346 Direct-leak Direct leak of 392 byte(s) in 1 object(s) allocated from: #0 0x5cc5b75ab144 in ___interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:67:3 #1 0x5cc5ba1b928a in _cairo_image_surface_create_for_pixman_image /work/workdir/UnpackedTarball/cairo/src/cairo-image-surface.c:191:15 #2 0x5cc5ba1b928a in _cairo_image_surface_create_with_pixman_format /work/workdir/UnpackedTarball/cairo/src/cairo-image-surface.c:370:15 #3 0x5cc5ba200f40 in cairo_surface_create_similar_image /work/workdir/UnpackedTarball/cairo/src/cairo-surface.c:598:10 #4 0x5cc5b8b16a5c in createTmpCompatibleCairoContext /src/libreoffice/vcl/headless/CairoCommon.cxx:621:31 #5 0x5cc5b8b16a5c in CairoCommon::getCairoContext(bool, bool) const /src/libreoffice/vcl/headless/CairoCommon.cxx:432:14 #6 0x5cc5b8b1a473 in CairoCommon::drawPolyPolygon(basegfx::B2DHomMatrix const&, basegfx::B2DPolyPolygon const&, double, bool) /src/libreoffice/vcl/headless/CairoCommon.cxx:959:19 #7 0x5cc5b8558575 in SalGraphics::DrawPolyPolygon(basegfx::B2DHomMatrix const&, basegfx::B2DPolyPolygon const&, double, OutputDevice const&) 
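Review bot: The buffer is still allocated as `new char[ nInputSize ]` from the caller-supplied size before the new short-read check runs, so a truncated or hostile stream that declares a large size still costs a large allocation even though only `nRead` bytes end up being used. Clamping ahead of the allocation, for example `nInputSize = std::min<sal_uInt64>(nInputSize, rInput.remainingSize());`, would bound the buffer by what the stream can actually deliver and leave the `SAL_WARN` branch for genuine read failures. The parameter's type is cut off in the hunk header (`sal`…), so the exact cast is a guess, and the body of SdrPowerPointOLEDecompress continues past the hunk.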
/src/libreoffice/vcl/source/gdi/salgdilayout.cxx:499:5 #8 0x5cc5b81c0ece in OutputDevice::DrawTransparentNatively(tools::PolyPolygon const&, unsigned short) /src/libreoffice/vcl/source/outdev/transparent.cxx:230:25 #9 0x5cc5b81c0794 in OutputDevice::DrawTransparent(tools::PolyPolygon const&, unsigned short) /src/libreoffice/vcl/source/outdev/transparent.cxx:460:14 #10 0x5cc5b83629c0 in GDIMetaFile::Play(OutputDevice&, unsigned long) /src/libreoffice/vcl/source/gdi/gdimtf.cxx:374:26 this happens because once a cairo context enters an error state no functions have an effort on the cairo context. The error is CAIRO_STATUS_INVALID_MATRIX and the matrix derived from the polypolygon is degenerate. The polypolygon contains a polygon with 0 points, which looks invalid, detect that at import boundary rather than mess around with duplicating with some with cairo_matrix_invert the invalid matrix at use location. Change-Id: I3f6a53de3d2638146f969a6f0997c1a58f1669c3 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/192184 Tested-by: Jenkins Reviewed-by: Caolán McNamara <[email protected]>
diff --git a/tools/source/generic/poly2.cxx b/tools/source/generic/poly2.cxx
index 9ce0a042e4cd..586f1ce2d4d7 100644
--- a/tools/source/generic/poly2.cxx
+++ b/tools/source/generic/poly2.cxx
@@ -401,13 +401,18 @@ SvStream& ReadPolyPolygon( SvStream& rIStream, tools::PolyPolygon& rPolyPoly )
 if( nPolyCount )
 {
- rPolyPoly.mpImplPolyPolygon->mvPolyAry.resize(nPolyCount);
+ rPolyPoly.mpImplPolyPolygon->mvPolyAry.reserve(nPolyCount);
 tools::Polygon aTempPoly;
 for ( sal_uInt16 i = 0; i < nPolyCount; i++ )
 {
 ReadPolygon( rIStream, aTempPoly );
- rPolyPoly.mpImplPolyPolygon->mvPolyAry[i] = aTempPoly;
+ if (aTempPoly.GetSize() == 0)
+ {
+ SAL_WARN("tools", "Parsing error: polygon with 0 points, ignoring");
+ continue;
+ }
+ rPolyPoly.mpImplPolyPolygon->mvPolyAry.push_back(aTempPoly);
 }
 }
 else
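Review bot: Replacing `resize(nPolyCount)` plus indexed assignment with `reserve(nPolyCount)` plus `push_back` means the loop now appends to whatever `rPolyPoly` already holds instead of overwriting it, unless the array is emptied above the hunk, which is not visible here. If a caller can pass in a non-empty `rPolyPoly`, add `rPolyPoly.mpImplPolyPolygon->mvPolyAry.clear();` before the `reserve` call. The result can also now hold fewer than `nPolyCount` entries, or none at all, without going through the `else` branch whose body lies outside the hunk. A short comment at the skip, such as `// 0-point polygons give a degenerate matrix in the renderer, drop them at import`, would keep the rationale from the commit message next to the code.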
