[Libreoffice-commits] libvisio.git: 2 commits - src/lib
David Tardon
dtardon at redhat.com
Tue Aug 25 07:53:33 PDT 2015
src/lib/VSDMetaData.cpp | 5 +++++
src/lib/VSDParser.cpp | 12 ++++++++----
src/lib/libvisio_utils.h | 3 +++
3 files changed, 16 insertions(+), 4 deletions(-)
New commits:
commit 4b03893826bcc5f859b0ac3bea6a98269499d99f
Author: David Tardon <dtardon at redhat.com>
Date: Tue Aug 25 16:27:18 2015 +0200
sanitize page dimensions and scale
Change-Id: Ie170d9911b9f7349e4700efd5e2c089423f4218b
diff --git a/src/lib/VSDParser.cpp b/src/lib/VSDParser.cpp
index 827ed48..3074784 100644
--- a/src/lib/VSDParser.cpp
+++ b/src/lib/VSDParser.cpp
@@ -1102,17 +1102,21 @@ void libvisio::VSDParser::readPageProps(librevenge::RVNGInputStream *input)
{
// Skip bytes representing unit to *display* (value is always inches)
input->seek(1, librevenge::RVNG_SEEK_CUR);
- double pageWidth = readDouble(input);
+ const double pageWidth = std::max<double>(readDouble(input), 0);
input->seek(1, librevenge::RVNG_SEEK_CUR);
- double pageHeight = readDouble(input);
+ const double pageHeight = std::max<double>(readDouble(input), 0);
input->seek(1, librevenge::RVNG_SEEK_CUR);
m_shadowOffsetX = readDouble(input);
input->seek(1, librevenge::RVNG_SEEK_CUR);
m_shadowOffsetY = readDouble(input);
input->seek(1, librevenge::RVNG_SEEK_CUR);
- double scale = readDouble(input);
+ const double numerator = readDouble(input);
input->seek(1, librevenge::RVNG_SEEK_CUR);
- scale /= readDouble(input);
+ double denominator = readDouble(input);
+ if (VSD_ALMOST_ZERO(denominator))
+ denominator = 1;
+
+ const double scale = std::abs(numerator / denominator);
if (m_isStencilStarted && m_currentStencil)
{
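Review bot: NaN and infinity read from the file still pass both new guards in readPageProps. `std::max<double>(readDouble(input), 0)` returns its first argument when that argument is NaN, and `VSD_ALMOST_ZERO(denominator)` is false for NaN, so `scale` can still end up NaN or infinite. Since these doubles come straight from the parsed document, consider rejecting non-finite values as well, e.g. `if (!std::isfinite(denominator) || VSD_ALMOST_ZERO(denominator)) denominator = 1;`, with an equivalent finite check for `numerator`, `pageWidth` and `pageHeight`. A zero numerator also gives a zero scale, which matters if later code divides by it; the rest of the function lies outside this hunk, so that is worth confirming.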
diff --git a/src/lib/libvisio_utils.h b/src/lib/libvisio_utils.h
index 0ff3a16..c6c3a03 100644
--- a/src/lib/libvisio_utils.h
+++ b/src/lib/libvisio_utils.h
@@ -14,6 +14,9 @@
#include "VSDTypes.h"
+#define VSD_EPSILON 1E-6
+#define VSD_ALMOST_ZERO(m) (fabs(m) <= VSD_EPSILON)
+
#ifdef _MSC_VER
typedef unsigned char uint8_t;
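Review bot: `VSD_ALMOST_ZERO` calls unqualified `fabs`, but no `<cmath>` include is visible in this hunk, so the header may depend on whatever the including file pulled in first (the lines above the hunk are not shown). Including `<cmath>` here and using a typed inline function would make the header self-contained and avoid textual macro expansion, e.g. `inline bool vsdAlmostZero(double m) { return std::fabs(m) <= VSD_EPSILON; }`. A one-line comment that the test is false for NaN would also help callers that use it to guard a division.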
commit 4700056698abce223b3da120d58019c4626b5e57
Author: David Tardon <dtardon at redhat.com>
Date: Tue Aug 25 16:12:25 2015 +0200
afl: avoid out of bounds access to vector
Change-Id: I51fdad6cca395bb5aadc916ef452ee020f666607
diff --git a/src/lib/VSDMetaData.cpp b/src/lib/VSDMetaData.cpp
index 00dca07..7241b00 100644
--- a/src/lib/VSDMetaData.cpp
+++ b/src/lib/VSDMetaData.cpp
@@ -8,6 +8,7 @@
*/
#include "VSDMetaData.h"
+#include <cassert>
#include <cmath>
#include <cstdio>
#include <cstring>
@@ -238,6 +239,9 @@ librevenge::RVNGString libvisio::VSDMetaData::readCodePageString(librevenge::RVN
{
uint32_t size = readU32(input);
+ if (size == 0)
+ return librevenge::RVNGString();
+
std::vector<unsigned char> characters;
for (uint32_t i = 0; i < size; ++i)
characters.push_back(readU8(input));
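Review bot: `size` remains an unchecked 32-bit length taken from the file, and the loop under the new zero check appends one byte per iteration up to that value. If `readU8` does not fail at end of stream (its behaviour is not visible here), a small file declaring a huge size would drive a very large allocation. Bounding the loop by the stream, e.g. `for (uint32_t i = 0; i < size && !input->isEnd(); ++i)`, and placing the empty check after the loop as `if (characters.empty()) return librevenge::RVNGString();` would cover both the zero and the truncated case. The function body continues outside the hunk.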
@@ -267,6 +271,7 @@ librevenge::RVNGString libvisio::VSDMetaData::readCodePageString(librevenge::RVN
if (U_SUCCESS(status) && conv)
{
+ assert(!characters.empty());
const char *src = (const char *)&characters[0];
const char *srcLimit = (const char *)src + characters.size();
while (src < srcLimit)
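Review bot: The added `assert(!characters.empty())` is compiled out in NDEBUG builds, so in release the only protection for `&characters[0]` is the `size == 0` return earlier in the function. A comment stating that dependency would keep a later change to the read loop from silently reintroducing the out-of-bounds access, e.g. `// characters is non-empty here: size == 0 returns early above`. The enclosing block starts and ends outside this hunk.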