source

Caolán McNamara (via logerrit) Mon, 27 Oct 2025 12:23:46 -0700

 svx/source/svdraw/svdpdf.cxx |   19 +++++++++++++++++++
 vcl/source/gdi/metaact.cxx   |    3 +++
 2 files changed, 22 insertions(+)


New commits:
commit 2f46ae472fef359a778db9d786e866400b6e3327
Author:     Caolán McNamara <[email protected]>
AuthorDate: Mon Oct 27 16:33:33 2025 +0000
Commit:     Caolán McNamara <[email protected]>
CommitDate: Mon Oct 27 20:23:25 2025 +0100

    ofz#455510770 Integer-overflow
    
    Change-Id: Ie5f0ed9f0a0a5112071b9a3c147b6f070ba4e7f7
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/193046
    Reviewed-by: Caolán McNamara <[email protected]>
    Tested-by: Jenkins

diff --git a/svx/source/svdraw/svdpdf.cxx b/svx/source/svdraw/svdpdf.cxx
index 2e1909bfb1bb..3b60fcb9c926 100644
--- a/svx/source/svdraw/svdpdf.cxx
+++ b/svx/source/svdraw/svdpdf.cxx
@@ -1881,6 +1881,23 @@ Color 
ImpSdrPdfImport::getFillColor(std::unique_ptr<vcl::pdf::PDFiumPageObject>
     return pPageObject->getFillColor();
 }
 
+static bool AllowDim(tools::Long nDim)
+{
+    if (nDim > 0x20000000 || nDim < -0x20000000)
+    {
+        SAL_WARN("sd.filter", "skipping huge dimension: " << nDim);
+        return false;
+    }
+    return true;
+}
+
+static bool AllowPoint(const Point& rPoint) { return AllowDim(rPoint.X()) && 
AllowDim(rPoint.Y()); }
+
+static bool AllowRect(const tools::Rectangle& rRect)
+{
+    return AllowPoint(rRect.TopLeft()) && AllowPoint(rRect.BottomRight());
+}
+
 void ImpSdrPdfImport::ImportText(std::unique_ptr<vcl::pdf::PDFiumPageObject> 
const& pPageObject,
                                  std::unique_ptr<vcl::pdf::PDFiumPage> const& 
pPage,
                                  std::unique_ptr<vcl::pdf::PDFiumTextPage> 
const& pTextPage,
@@ -1902,6 +1919,8 @@ void 
ImpSdrPdfImport::ImportText(std::unique_ptr<vcl::pdf::PDFiumPageObject> con
 
     const tools::Rectangle aRect = PointsToLogic(aTextRect.getMinX(), 
aTextRect.getMaxX(),
                                                  aTextRect.getMinY(), 
aTextRect.getMaxY());
+    if (!AllowRect(aRect))
+        return;
 
     OUString sText = pPageObject->getText(pTextPage);
 
commit 3db9617d584f790d4d94adc26cdcef9dea9bcdde
Author:     Caolán McNamara <[email protected]>
AuthorDate: Mon Oct 27 16:21:05 2025 +0000
Commit:     Caolán McNamara <[email protected]>
CommitDate: Mon Oct 27 20:23:17 2025 +0100

    ofz#455497781 Integer-overflow
    
    Change-Id: I956e4c6b531b19a709b7e81cf40d41a2619f918b
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/193045
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <[email protected]>

diff --git a/vcl/source/gdi/metaact.cxx b/vcl/source/gdi/metaact.cxx
index 93717287fb40..f6c48b02ab09 100644
--- a/vcl/source/gdi/metaact.cxx
+++ b/vcl/source/gdi/metaact.cxx
@@ -521,6 +521,9 @@ MetaPolyPolygonAction::MetaPolyPolygonAction( 
tools::PolyPolygon aPolyPoly ) :
 
 void MetaPolyPolygonAction::Execute( OutputDevice* pOut )
 {
+    if (!AllowRect(pOut->LogicToPixel(maPolyPoly.GetBoundRect())))
+        return;
+
     pOut->DrawPolyPolygon( maPolyPoly );
 }

core.git: 2 commits - svx/source vcl/source

Reply via email to