[Libreoffice-commits] .: Branch 'libreoffice-3-6-1' - 2 commits - sc/source svtools/source

Petr Mladek pmladek at kemper.freedesktop.org
Wed Aug 15 08:24:54 PDT 2012


 sc/source/filter/excel/xiescher.cxx  |    9 +++-
 svtools/source/filter/wmf/winwmf.cxx |   67 +++++++++++++++++++++++++++++++----
 2 files changed, 68 insertions(+), 8 deletions(-)

New commits:
commit 37fbcf33bd9d4fc538a1a3bb606845455f7c2d04
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Thu Aug 9 09:59:38 2012 +0100

    ensure placeholder substitution on XclImpDrawObjBase::ReadObj8 failure
    
    Change-Id: I7a72153d971aaccea937955acc77cdba128985d7
    Signed-off-by: Michael Stahl <mstahl at redhat.com>
    Signed-off-by: Stephan Bergmann <sbergman at redhat.com>
    Signed-off-by: Petr Mladek <pmladek at suse.cz>

diff --git a/sc/source/filter/excel/xiescher.cxx b/sc/source/filter/excel/xiescher.cxx
index 74ed03b..900d2e6 100644
--- a/sc/source/filter/excel/xiescher.cxx
+++ b/sc/source/filter/excel/xiescher.cxx
@@ -336,7 +336,7 @@ XclImpDrawObjRef XclImpDrawObjBase::ReadObj8( const XclImpRoot& rRoot, XclImpStr
 
     if( rStrm.GetRecLeft() >= 10 )
     {
-        sal_uInt16 nSubRecId, nSubRecSize, nObjType;
+        sal_uInt16 nSubRecId(0), nSubRecSize(0), nObjType(0);
         rStrm >> nSubRecId >> nSubRecSize >> nObjType;
         OSL_ENSURE( nSubRecId == EXC_ID_OBJCMO, "XclImpDrawObjBase::ReadObj8 - OBJCMO subrecord expected" );
         if( (nSubRecId == EXC_ID_OBJCMO) && (nSubRecSize >= 6) )
@@ -379,11 +379,16 @@ XclImpDrawObjRef XclImpDrawObjBase::ReadObj8( const XclImpRoot& rRoot, XclImpStr
                 default:
                     OSL_TRACE( "XclImpDrawObjBase::ReadObj8 - unknown object type 0x%04hX", nObjType );
                     rRoot.GetTracer().TraceUnsupportedObjects();
-                    xDrawObj.reset( new XclImpPhObj( rRoot ) );
             }
         }
     }
 
+    if (!xDrawObj) //ensure placeholder for unknown or broken records
+    {
+        SAL_WARN( "sc", "XclImpDrawObjBase::ReadObj8 import failed, substituting placeholder");
+        xDrawObj.reset( new XclImpPhObj( rRoot ) );
+    }
+
     xDrawObj->mnTab = rRoot.GetCurrScTab();
     xDrawObj->ImplReadObj8( rStrm );
     return xDrawObj;
commit 4d6c1c5b8900dd3b2be9cdfc401f222f0de38bda
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Wed Aug 8 21:39:50 2012 +0100

    validate polypolygon point counts
    
    Change-Id: Ibf6bdf48e5855583f14cd2be36f1e4896a396d32
    Signed-off-by: Michael Stahl <mstahl at redhat.com>
    Signed-off-by: Stephan Bergmann <sbergman at redhat.com>
    Signed-off-by: Petr Mladek <pmladek at suse.cz>

diff --git a/svtools/source/filter/wmf/winwmf.cxx b/svtools/source/filter/wmf/winwmf.cxx
index d9daf2a..a568e3f 100644
--- a/svtools/source/filter/wmf/winwmf.cxx
+++ b/svtools/source/filter/wmf/winwmf.cxx
@@ -28,6 +28,7 @@
 
 
 #include "winmtf.hxx"
+#include <boost/scoped_array.hpp>
 #include <vcl/gdimtf.hxx>
 #include <svtools/wmf.hxx>
 #include <rtl/crc.h>
@@ -354,28 +355,55 @@ void WMFReader::ReadRecordParams( sal_uInt16 nFunc )
 
         case W_META_POLYPOLYGON:
         {
+            bool bRecordOk = true;
             sal_uInt16  nPoly = 0;
             Point*  pPtAry;
             // Number of polygons:
             *pWMF >> nPoly;
             // Number of points of each polygon. Determine total number of points
-            sal_uInt16* pnPoints = new sal_uInt16[ nPoly ];
+            boost::scoped_array<sal_uInt16> xPolygonPointCounts(new sal_uInt16[nPoly]);
+            sal_uInt16* pnPoints = xPolygonPointCounts.get();
             sal_uInt16 nPoints = 0;
             for(sal_uInt16 i = 0; i < nPoly; i++ )
             {
                 *pWMF >> pnPoints[i];
+
+                if (pnPoints[i] > SAL_MAX_UINT16 - nPoints)
+                {
+                    bRecordOk = false;
+                    break;
+                }
+
                 nPoints += pnPoints[i];
             }
+
+            SAL_WARN_IF(!bRecordOk, "svtools", "polypolygon record has more polygons that we can handle");
+
+            bRecordOk &= pWMF->good();
+
+            if (!bRecordOk)
+            {
+                pWMF->SetError( SVSTREAM_FILEFORMAT_ERROR );
+                break;
+            }
+
             // Polygon points are:
-            pPtAry  = new Point[nPoints];
+            boost::scoped_array<Point> xPolygonPoints(new Point[nPoints]);
+            pPtAry = xPolygonPoints.get();
             for (sal_uInt16 i = 0; i < nPoints; i++ )
                 pPtAry[ i ] = ReadPoint();
 
+            bRecordOk &= pWMF->good();
+
+            if (!bRecordOk)
+            {
+                pWMF->SetError( SVSTREAM_FILEFORMAT_ERROR );
+                break;
+            }
+
             // Produce PolyPolygon Actions
             PolyPolygon aPolyPoly( nPoly, pnPoints, pPtAry );
             pOut->DrawPolyPolygon( aPolyPoly );
-            delete[] pPtAry;
-            delete[] pnPoints;
         }
         break;
 
@@ -1333,16 +1361,43 @@ sal_Bool WMFReader::GetPlaceableBound( Rectangle& rPlaceableBound, SvStream* pSt
 
                 case W_META_POLYPOLYGON:
                 {
+                    bool bRecordOk = true;
                     sal_uInt16 nPoly, nPoints = 0;
                     *pStm >> nPoly;
                     for(sal_uInt16 i = 0; i < nPoly; i++ )
                     {
-                        sal_uInt16 nP;
+                        sal_uInt16 nP = 0;
                         *pStm >> nP;
-                        nPoints = nPoints + nP;
+                        if (nP > SAL_MAX_UINT16 - nPoints)
+                        {
+                            bRecordOk = false;
+                            break;
+                        }
+                        nPoints += nP;
                     }
+
+                    SAL_WARN_IF(!bRecordOk, "svtools", "polypolygon record has more polygons that we can handle");
+
+                    bRecordOk &= pStm->good();
+
+                    if (!bRecordOk)
+                    {
+                        pStm->SetError( SVSTREAM_FILEFORMAT_ERROR );
+                        bRet = sal_False;
+                        break;
+                    }
+
                     for (sal_uInt16 i = 0; i < nPoints; i++ )
                         GetWinExtMax( ReadPoint(), rPlaceableBound, nMapMode );
+
+                    bRecordOk &= pStm->good();
+
+                    if (!bRecordOk)
+                    {
+                        pStm->SetError( SVSTREAM_FILEFORMAT_ERROR );
+                        bRet = sal_False;
+                        break;
+                    }
                 }
                 break;
 


More information about the Libreoffice-commits mailing list