[Libreoffice-commits] core.git: Branch 'libreoffice-4-4' - vcl/qa vcl/source
Caolán McNamara
caolanm at redhat.com
Wed Aug 12 23:18:37 PDT 2015
vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-2.wmf |binary
vcl/source/filter/wmf/enhwmf.cxx | 7 ++++---
2 files changed, 4 insertions(+), 3 deletions(-)
New commits:
commit dfba79d2c2e332fca82ac5a236ee74b90892c62f
Author: Caolán McNamara <caolanm at redhat.com>
Date: Wed Aug 12 16:30:21 2015 +0100
another avoid endless loop with busted wmf
Change-Id: Ie4068fdc1e54e0ad3e55354938a4c5e1459e7fe0
(cherry picked from commit 7ffe6aebb44ed3f7b5fd1ffe3ccfccf0f61984b3)
Reviewed-on: https://gerrit.libreoffice.org/17683
Reviewed-by: David Tardon <dtardon at redhat.com>
Tested-by: David Tardon <dtardon at redhat.com>
diff --git a/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-2.wmf b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-2.wmf
new file mode 100644
index 0000000..f8f1538
Binary files /dev/null and b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-2.wmf differ
diff --git a/vcl/source/filter/wmf/enhwmf.cxx b/vcl/source/filter/wmf/enhwmf.cxx
index 63e4104..8e19bc2 100644
--- a/vcl/source/filter/wmf/enhwmf.cxx
+++ b/vcl/source/filter/wmf/enhwmf.cxx
@@ -637,14 +637,15 @@ bool EnhWMFReader::ReadEnhWMF()
break;
}
- nNextPos = pWMF->Tell() + ( nRecSize - 8 );
-
- if ( !pWMF->good() || nNextPos > nEndPos )
+ const sal_uInt32 nMaxPossibleRecSize = nEndPos - pWMF->Tell() + 8;
+ if (nRecSize > nMaxPossibleRecSize)
{
bStatus = false;
break;
}
+ nNextPos = pWMF->Tell() + ( nRecSize - 8 );
+
if( !aBmpSaveList.empty()
&& ( nRecType != EMR_STRETCHBLT )
&& ( nRecType != EMR_STRETCHDIBITS )
More information about the Libreoffice-commits
mailing list