[Libreoffice-commits] .: 2 commits - svtools/qa svtools/source

Caolán McNamara caolan at kemper.freedesktop.org
Wed Jul 6 05:42:26 PDT 2011


 svtools/qa/cppunit/data/wmf/fail/CVE-2005-2124-1.wmf |binary
 svtools/qa/cppunit/data/wmf/fail/CVE-2006-0143-1.wmf |binary
 svtools/qa/cppunit/data/wmf/fail/CVE-2006-0143-2.wmf |binary
 svtools/qa/cppunit/data/wmf/pass/CVE-2005-2123-1.wmf |binary
 svtools/qa/cppunit/data/wmf/pass/CVE-2006-4071-1.wmf |binary
 svtools/qa/cppunit/data/wmf/pass/CVE-2007-1090-1.wmf |binary
 svtools/qa/cppunit/data/wmf/pass/CVE-2007-1238-1.wmf |binary
 svtools/qa/cppunit/data/wmf/pass/CVE-2007-1245-1.wmf |binary
 svtools/source/filter/wmf/enhwmf.cxx                 |   35 +++++++++++--------
 9 files changed, 21 insertions(+), 14 deletions(-)

New commits:
commit 2b15986b1452f47f93ffc25d2ffcc52d347d5581
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Wed Jul 6 13:41:52 2011 +0100

    handle busted emf lengths

diff --git a/svtools/source/filter/wmf/enhwmf.cxx b/svtools/source/filter/wmf/enhwmf.cxx
index 6ef5053..22cecd2 100644
--- a/svtools/source/filter/wmf/enhwmf.cxx
+++ b/svtools/source/filter/wmf/enhwmf.cxx
@@ -261,22 +261,27 @@ void EnhWMFReader::ReadEMFPlusComment(sal_uInt32 length, sal_Bool& bHaveDC)
     }
     bEMFPlus = true;
 
+    sal_Size pos = pWMF->Tell();
     void *buffer = malloc( length );
-
-    int pos = pWMF->Tell();
     pOut->PassEMFPlus( buffer, pWMF->Read( buffer, length ) );
+    free( buffer );
     pWMF->Seek( pos );
 
     bHaveDC = false;
 
-    length -= 4;
+    OSL_ASSERT(length >= 4);
+    //reduce by 32bit length itself, skip in SeekRel if
+    //impossibly unavailble
+    sal_uInt32 nRemainder = length >= 4 ? length-4 : length;
 
-    while (length > 0) {
-        sal_uInt16 type, flags;
-        sal_uInt32 size, dataSize;
-        sal_uInt32 next;
+    const size_t nRequiredHeaderSize = 12;
+    while (nRemainder > nRequiredHeaderSize)
+    {
+        sal_uInt16 type(0), flags(0);
+        sal_uInt32 size(0), dataSize(0);
 
         *pWMF >> type >> flags >> size >> dataSize;
+        nRemainder -= nRequiredHeaderSize;
 
         EMFP_DEBUG(printf ("\t\tEMF+ record type: %d\n", type));
 
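Review bot: `malloc( length )` is still sized by the `length` taken from the file, and its result goes unchecked into `pWMF->Read( buffer, length )`, so a forged length large enough to make the allocation fail ends in a write through a null pointer. Guard the call, e.g. `if (buffer) pOut->PassEMFPlus( buffer, pWMF->Read( buffer, length ) );` (the following `free( buffer )` is safe on null). Ideally `length` would also be clamped to the bytes actually left in the stream, so that a bogus header cannot force a multi-gigabyte allocation. Separately, `while (nRemainder > nRequiredHeaderSize)` skips a final record that is exactly 12 bytes (header only, no data); if such records are valid here, as the "lock DC" branch suggests, the condition should be `>=`. The function begins above this hunk and the loop body continues into the next one.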
@@ -286,14 +291,16 @@ void EnhWMFReader::ReadEMFPlusComment(sal_uInt32 length, sal_Bool& bHaveDC)
             EMFP_DEBUG(printf ("\t\tEMF+ lock DC (device context)\n", type));
         }
 
-        next = pWMF->Tell() + ( size - 12 );
-
-        length -= size;
-
-        pWMF->Seek( next );
+        //Get the length of the remaining data of this record based
+        //on the alleged size
+        sal_uInt32 nRemainingRecordData = size >= nRequiredHeaderSize ?
+            size-nRequiredHeaderSize : 0;
+        //clip to available size
+        nRemainingRecordData = std::min(nRemainingRecordData, nRemainder);
+        pWMF->SeekRel(nRemainingRecordData);
+        nRemainder -= nRemainingRecordData;
     }
-
-    free( buffer );
+    pWMF->SeekRel(nRemainder);
 }
 
 void EnhWMFReader::ReadGDIComment()
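Review bot: The clip `std::min(nRemainingRecordData, nRemainder)` bounds each skip by the declared comment length, not by what the stream really holds, and the stream state is never checked after the header read at the top of the loop. Once the stream hits EOF, the zero-initialised `size` appears to make every iteration consume only the 12-byte header, so a truncated file with a large declared length keeps the loop running for roughly length/12 iterations. Leave the loop when the read fails, e.g. `if (pWMF->IsEof() || pWMF->GetError()) break;` directly after the `*pWMF >> type >> flags >> size >> dataSize;` line. The loop header and that read sit above this hunk.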
commit 6051ad39b346acc262dc0f89416b114c10cebc6f
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Wed Jul 6 13:17:03 2011 +0100

    add some wmf test-cases

diff --git a/svtools/qa/cppunit/data/wmf/fail/CVE-2005-2124-1.wmf b/svtools/qa/cppunit/data/wmf/fail/CVE-2005-2124-1.wmf
new file mode 100644
index 0000000..5826a98
Binary files /dev/null and b/svtools/qa/cppunit/data/wmf/fail/CVE-2005-2124-1.wmf differ
diff --git a/svtools/qa/cppunit/data/wmf/fail/CVE-2006-0143-1.wmf b/svtools/qa/cppunit/data/wmf/fail/CVE-2006-0143-1.wmf
new file mode 100644
index 0000000..07db62c
Binary files /dev/null and b/svtools/qa/cppunit/data/wmf/fail/CVE-2006-0143-1.wmf differ
diff --git a/svtools/qa/cppunit/data/wmf/fail/CVE-2006-0143-2.wmf b/svtools/qa/cppunit/data/wmf/fail/CVE-2006-0143-2.wmf
new file mode 100644
index 0000000..5b99a48
Binary files /dev/null and b/svtools/qa/cppunit/data/wmf/fail/CVE-2006-0143-2.wmf differ
diff --git a/svtools/qa/cppunit/data/wmf/pass/CVE-2005-2123-1.wmf b/svtools/qa/cppunit/data/wmf/pass/CVE-2005-2123-1.wmf
new file mode 100644
index 0000000..6af243b
Binary files /dev/null and b/svtools/qa/cppunit/data/wmf/pass/CVE-2005-2123-1.wmf differ
diff --git a/svtools/qa/cppunit/data/wmf/pass/CVE-2006-4071-1.wmf b/svtools/qa/cppunit/data/wmf/pass/CVE-2006-4071-1.wmf
new file mode 100644
index 0000000..794a7ef
Binary files /dev/null and b/svtools/qa/cppunit/data/wmf/pass/CVE-2006-4071-1.wmf differ
diff --git a/svtools/qa/cppunit/data/wmf/pass/CVE-2007-1090-1.wmf b/svtools/qa/cppunit/data/wmf/pass/CVE-2007-1090-1.wmf
new file mode 100644
index 0000000..c050fa6
Binary files /dev/null and b/svtools/qa/cppunit/data/wmf/pass/CVE-2007-1090-1.wmf differ
diff --git a/svtools/qa/cppunit/data/wmf/pass/CVE-2007-1238-1.wmf b/svtools/qa/cppunit/data/wmf/pass/CVE-2007-1238-1.wmf
new file mode 100644
index 0000000..a01e310
Binary files /dev/null and b/svtools/qa/cppunit/data/wmf/pass/CVE-2007-1238-1.wmf differ
diff --git a/svtools/qa/cppunit/data/wmf/pass/CVE-2007-1245-1.wmf b/svtools/qa/cppunit/data/wmf/pass/CVE-2007-1245-1.wmf
new file mode 100644
index 0000000..a01e310
Binary files /dev/null and b/svtools/qa/cppunit/data/wmf/pass/CVE-2007-1245-1.wmf differ

