[Libreoffice-commits] libcdr.git: 2 commits - src/lib

[David Tardon]

 src/lib/CDRParser.cpp |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

New commits:
commit b6da4cf3b1146170e72c536849d7288376fbd410
Author: David Tardon <dtardon at redhat.com>
Date:   Fri Dec 25 19:46:50 2015 +0100

    coverity#1219668 untrusted loop bound
    
    Change-Id: If827834918cd2bd54ead2947b0e0cc68a8299983

diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp
index 4f32b3d..aa0baa8 100644
--- a/src/lib/CDRParser.cpp
+++ b/src/lib/CDRParser.cpp
@@ -2734,7 +2734,7 @@ void libcdr::CDRParser::readStlt(librevenge::RVNGInputStream *input, unsigned le
         input->seek(12 * static_cast<long>(numSet11s), librevenge::RVNG_SEEK_CUR);
       }
       std::map<unsigned, CDRStltRecord> styles;
-      for (i=0; i<numRecords; ++i)
+      for (i=0; i<numRecords && getRemainingLength(input) >= 32; ++i)
       {
         CDR_DEBUG_MSG(("CDRParser::readStlt parsing styles\n"));
         unsigned num = readU32(input);
commit d3c79d44d07776eac7c2ae93448806e7533d4029
Author: David Tardon <dtardon at redhat.com>
Date:   Fri Dec 25 19:44:59 2015 +0100

    coverity#1219668 untrusted loop bound
    
    Change-Id: I75eb0259dfe86998d9447987540cabc53ca79cd1

diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp
index 2351925..4f32b3d 100644
--- a/src/lib/CDRParser.cpp
+++ b/src/lib/CDRParser.cpp
@@ -2608,6 +2608,9 @@ void libcdr::CDRParser::readStlt(librevenge::RVNGInputStream *input, unsigned le
     if (!numRecords)
       return;
     unsigned numFills = readU32(input);
+    const unsigned fillSize = 3 * 4 + (m_version >= 1300 ? 48 : 0);
+    if (numFills > getRemainingLength(input) / fillSize)
+      numFills = getRemainingLength(input) / fillSize;
     CDR_DEBUG_MSG(("CDRParser::readStlt numFills 0x%x\n", numFills));
     unsigned i = 0;
     std::map<unsigned, unsigned> fillIds;
@@ -2620,6 +2623,8 @@ void libcdr::CDRParser::readStlt(librevenge::RVNGInputStream *input, unsigned le
         input->seek(48, librevenge::RVNG_SEEK_CUR);
     }
     unsigned numOutls = readU32(input);
+    if (numOutls > getRemainingLength(input) / 12)
+      numOutls = getRemainingLength(input) / 12;
     CDR_DEBUG_MSG(("CDRParser::readStlt numOutls 0x%x\n", numOutls));
     std::map<unsigned, unsigned> outlIds;
     for (i=0; i<numOutls; ++i)
@@ -2629,6 +2634,9 @@ void libcdr::CDRParser::readStlt(librevenge::RVNGInputStream *input, unsigned le
       outlIds[outlId] = readU32(input);
     }
     unsigned numFonts = readU32(input);
+    const unsigned fontsSize = 4 + 2 * 2 + 8 + (m_precision == PRECISION_16BIT ? 2 : 4) + 2 * (m_version < 1000 ? 12 : 20);
+    if (numFonts > getRemainingLength(input) / fontsSize)
+      numFonts = getRemainingLength(input) / fontsSize;
     CDR_DEBUG_MSG(("CDRParser::readStlt numFonts 0x%x\n", numFonts));
     std::map<unsigned,unsigned short> fontIds, fontEncodings;
     std::map<unsigned,double> fontSizes;
@@ -2649,6 +2657,8 @@ void libcdr::CDRParser::readStlt(librevenge::RVNGInputStream *input, unsigned le
         input->seek(20, librevenge::RVNG_SEEK_CUR);
     }
     unsigned numAligns = readU32(input);
+    if (numAligns > getRemainingLength(input) / 12)
+      numAligns = getRemainingLength(input) / 12;
     std::map<unsigned,unsigned> aligns;
     CDR_DEBUG_MSG(("CDRParser::readStlt numAligns 0x%x\n", numAligns));
     for (i=0; i<numAligns; ++i)