[Libreoffice-commits] core.git: vcl/qa vcl/source

Stephan Bergmann sbergman at redhat.com
Thu Jun 5 08:37:44 PDT 2014 

 dev/null                                                       |binary
 vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2007-1238-1.wmf |binary
 vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2007-1245-1.wmf |binary
 vcl/source/filter/wmf/winwmf.cxx                               |   18 ++++++----
 4 files changed, 12 insertions(+), 6 deletions(-)

New commits:
commit 90f0af7a9cabcfe9006608b3444a54ef6ff340f5
Author: Stephan Bergmann <sbergman at redhat.com>
Date:   Thu Jun 5 17:36:52 2014 +0200

    WMF record size < 3 is clearly broken
    
    ...so we should not attempt to (mis-)interpret such broken input.
    
    Change-Id: I97f4f46fdfc0dfe6f9aff42917d23634b844c7f0

diff --git a/vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2007-1238-1.wmf b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2007-1238-1.wmf
similarity index 100%
rename from vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2007-1238-1.wmf
rename to vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2007-1238-1.wmf
diff --git a/vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2007-1245-1.wmf b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2007-1245-1.wmf
similarity index 100%
rename from vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2007-1245-1.wmf
rename to vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2007-1245-1.wmf
diff --git a/vcl/source/filter/wmf/winwmf.cxx b/vcl/source/filter/wmf/winwmf.cxx
index 4c2c95c..8079263 100644
--- a/vcl/source/filter/wmf/winwmf.cxx
+++ b/vcl/source/filter/wmf/winwmf.cxx
@@ -1377,13 +1377,19 @@ bool WMFReader::GetPlaceableBound( Rectangle& rPlaceableBound, SvStream* pStm )
         {
             pStm->ReadUInt32( nRSize ).ReadUInt16( nFunction );
 
-            if( pStm->GetError() || ( nRSize < 3 ) || ( nRSize==3 && nFunction==0 ) || pStm->IsEof() )
+            if( pStm->GetError() )
             {
-                if( pStm->IsEof() )
-                {
-                    pStm->SetError( SVSTREAM_FILEFORMAT_ERROR );
-                    bRet = false;
-                }
+                bRet = false;
+                break;
+            }
+            else if ( nRSize==3 && nFunction==0 )
+            {
+                break;
+            }
+            else if ( nRSize < 3 || pStm->IsEof() )
+            {
+                pStm->SetError( SVSTREAM_FILEFORMAT_ERROR );
+                bRet = false;
                 break;
             }
             switch( nFunction )

More information about the Libreoffice-commits mailing list