[Libreoffice-commits] core.git: filter/qa filter/source

[Caolán McNamara]

 filter/qa/cppunit/data/met/fail/hang-2.met      |binary
 filter/source/graphicfilter/ios2met/ios2met.cxx |   29 +++++++++++++++++++-----
 2 files changed, 23 insertions(+), 6 deletions(-)

New commits:
commit 89857aacac98f0f8e5dca4718affec493951f904
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Wed Jul 15 12:59:55 2015 +0100

    tools polygons limited to 16bit indexes
    
    Change-Id: Ib0f727a3681492c15b807ca159d8bf7675ee8f29

diff --git a/filter/qa/cppunit/data/met/fail/hang-2.met b/filter/qa/cppunit/data/met/fail/hang-2.met
new file mode 100644
index 0000000..84b432e
Binary files /dev/null and b/filter/qa/cppunit/data/met/fail/hang-2.met differ
diff --git a/filter/source/graphicfilter/ios2met/ios2met.cxx b/filter/source/graphicfilter/ios2met/ios2met.cxx
index f152963..f59567b 100644
--- a/filter/source/graphicfilter/ios2met/ios2met.cxx
+++ b/filter/source/graphicfilter/ios2met/ios2met.cxx
@@ -1172,18 +1172,35 @@ void OS2METReader::ReadPartialArc(bool bGivenPos, sal_uInt16 nOrderSize)
 
 void OS2METReader::ReadPolygons()
 {
-    sal_uInt32 i,j,nNumPolys, nNumPoints;
     tools::PolyPolygon aPolyPoly;
     Polygon aPoly;
     Point aPoint;
-    sal_uInt8 nFlags;
 
-    pOS2MET->ReadUChar( nFlags ).ReadUInt32( nNumPolys );
-    for (i=0; i<nNumPolys; i++) {
-        pOS2MET->ReadUInt32( nNumPoints );
+    sal_uInt8 nFlags(0);
+    sal_uInt32 nNumPolys(0);
+    pOS2MET->ReadUChar(nFlags).ReadUInt32(nNumPolys);
+
+    if (nNumPolys > SAL_MAX_UINT16)
+    {
+        pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR);
+        ErrorCode=11;
+        return;
+    }
+
+    for (sal_uInt32 i=0; i<nNumPolys; ++i)
+    {
+        sal_uInt32 nNumPoints(0);
+        pOS2MET->ReadUInt32(nNumPoints);
+        if (nNumPoints > (i == 0) ? SAL_MAX_UINT16-1 : SAL_MAX_UINT16)
+        {
+            pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR);
+            ErrorCode=11;
+            return;
+        }
         if (i==0) nNumPoints++;
         aPoly.SetSize((short)nNumPoints);
-        for (j=0; j<nNumPoints; j++) {
+        for (sal_uInt32 j=0; j<nNumPoints; ++j)
+        {
             if (i==0 && j==0) aPoint=aAttr.aCurPos;
             else aPoint=ReadPoint();
             aPoly.SetPoint(aPoint,(short)j);