[Libreoffice-commits] core.git: vcl/qa vcl/source

Thu, 05 Jun 2014 08:38:05 -0700 

 dev/null                                                       |binary
 vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2007-1238-1.wmf |binary
 vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2007-1245-1.wmf |binary
 vcl/source/filter/wmf/winwmf.cxx                               |   18 
++++++----
 4 files changed, 12 insertions(+), 6 deletions(-)

New commits:
commit 90f0af7a9cabcfe9006608b3444a54ef6ff340f5
Author: Stephan Bergmann <sberg...@redhat.com>
Date:   Thu Jun 5 17:36:52 2014 +0200

    WMF record size < 3 is clearly broken
    
    ...so we should not attempt to (mis-)interpret such broken input.
    
    Change-Id: I97f4f46fdfc0dfe6f9aff42917d23634b844c7f0

diff --git a/vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2007-1238-1.wmf 
b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2007-1238-1.wmf
similarity index 100%
rename from vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2007-1238-1.wmf
rename to vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2007-1238-1.wmf
diff --git a/vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2007-1245-1.wmf 
b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2007-1245-1.wmf
similarity index 100%
rename from vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2007-1245-1.wmf
rename to vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2007-1245-1.wmf
diff --git a/vcl/source/filter/wmf/winwmf.cxx b/vcl/source/filter/wmf/winwmf.cxx
index 4c2c95c..8079263 100644
--- a/vcl/source/filter/wmf/winwmf.cxx
+++ b/vcl/source/filter/wmf/winwmf.cxx
@@ -1377,13 +1377,19 @@ bool WMFReader::GetPlaceableBound( Rectangle& 
rPlaceableBound, SvStream* pStm )
         {
             pStm->ReadUInt32( nRSize ).ReadUInt16( nFunction );
 
-            if( pStm->GetError() || ( nRSize < 3 ) || ( nRSize==3 && 
nFunction==0 ) || pStm->IsEof() )
+            if( pStm->GetError() )
             {
-                if( pStm->IsEof() )
-                {
-                    pStm->SetError( SVSTREAM_FILEFORMAT_ERROR );
-                    bRet = false;
-                }
+                bRet = false;
+                break;
+            }
+            else if ( nRSize==3 && nFunction==0 )
+            {
+                break;
+            }
+            else if ( nRSize < 3 || pStm->IsEof() )
+            {
+                pStm->SetError( SVSTREAM_FILEFORMAT_ERROR );
+                bRet = false;
                 break;
             }
             switch( nFunction )
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits

Reply via email to