[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - vcl/qa vcl/source
Caolán McNamara
caolanm at redhat.com
Fri Jul 10 01:55:14 PDT 2015
vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-1.wmf |binary
vcl/source/filter/wmf/winwmf.cxx | 10 +++++++---
2 files changed, 7 insertions(+), 3 deletions(-)
New commits:
commit 55486cf648813bc0c46eaf0df2f0544a5d57ccb2
Author: Caolán McNamara <caolanm at redhat.com>
Date: Fri Jul 10 08:40:42 2015 +0100
avoid endless loop with busted wmf
Change-Id: I104de360f2e861e959ad2dad434a768440877f6f
(cherry picked from commit fd2749455fe25e24b448a44f9ada6113e5ac0d13)
Reviewed-on: https://gerrit.libreoffice.org/16914
Reviewed-by: Michael Meeks <michael.meeks at collabora.com>
Tested-by: Michael Meeks <michael.meeks at collabora.com>
diff --git a/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-1.wmf b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-1.wmf
new file mode 100644
index 0000000..7ba05cb
Binary files /dev/null and b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-1.wmf differ
diff --git a/vcl/source/filter/wmf/winwmf.cxx b/vcl/source/filter/wmf/winwmf.cxx
index c7d1315..5e25949 100644
--- a/vcl/source/filter/wmf/winwmf.cxx
+++ b/vcl/source/filter/wmf/winwmf.cxx
@@ -1394,9 +1394,13 @@ void WMFReader::ReadWMF()
}
}
}
- nPos += nRecSize * 2;
- if ( nPos <= nEndPos )
- pWMF->Seek( nPos );
+ const sal_uInt32 nAvailableBytes = nEndPos - nPos;
+ const sal_uInt32 nMaxPossibleRecordSize = nAvailableBytes/2;
+ if (nRecSize <= nMaxPossibleRecordSize)
+ {
+ nPos += nRecSize * 2;
+ pWMF->Seek(nPos);
+ }
else
pWMF->SetError( SVSTREAM_FILEFORMAT_ERROR );
}
More information about the Libreoffice-commits
mailing list