[Libreoffice-commits] core.git: Branch 'libreoffice-4-4' - filter/qa filter/source

Caolán McNamara caolanm at redhat.com
Thu Jul 16 02:15:12 PDT 2015 

 filter/qa/cppunit/data/met/pass/hang-2.met      |binary
 filter/source/graphicfilter/ios2met/ios2met.cxx |   33 ++++++++++++++++++------
 2 files changed, 26 insertions(+), 7 deletions(-)

New commits:
commit 62d88405e4c9fc3dfc6ea960f9b5f9c594e8bcf8
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Wed Jul 15 12:59:55 2015 +0100

    tools polygons limited to 16bit indexes
    
    (cherry picked from commit 89857aacac98f0f8e5dca4718affec493951f904)
    
    WaE: C2220
    
    (cherry picked from commit 8547c336b3253d90daae1c79a2b1a57996a39102)
    
    Change-Id: Ib0f727a3681492c15b807ca159d8bf7675ee8f29
    Reviewed-on: https://gerrit.libreoffice.org/17089
    Reviewed-by: Michael Meeks <michael.meeks at collabora.com>
    Tested-by: Michael Meeks <michael.meeks at collabora.com>

diff --git a/filter/qa/cppunit/data/met/pass/hang-2.met b/filter/qa/cppunit/data/met/pass/hang-2.met
new file mode 100644
index 0000000..84b432e
Binary files /dev/null and b/filter/qa/cppunit/data/met/pass/hang-2.met differ
diff --git a/filter/source/graphicfilter/ios2met/ios2met.cxx b/filter/source/graphicfilter/ios2met/ios2met.cxx
index 946d68f..ce19c4d 100644
--- a/filter/source/graphicfilter/ios2met/ios2met.cxx
+++ b/filter/source/graphicfilter/ios2met/ios2met.cxx
@@ -1191,18 +1191,37 @@ void OS2METReader::ReadPartialArc(bool bGivenPos, sal_uInt16 nOrderSize)
 
 void OS2METReader::ReadPolygons()
 {
-    sal_uInt32 i,j,nNumPolys, nNumPoints;
     tools::PolyPolygon aPolyPoly;
     Polygon aPoly;
     Point aPoint;
-    sal_uInt8 nFlags;
 
-    pOS2MET->ReadUChar( nFlags ).ReadUInt32( nNumPolys );
-    for (i=0; i<nNumPolys; i++) {
-        pOS2MET->ReadUInt32( nNumPoints );
-        if (i==0) nNumPoints++;
+    sal_uInt8 nFlags(0);
+    sal_uInt32 nNumPolys(0);
+    pOS2MET->ReadUChar(nFlags).ReadUInt32(nNumPolys);
+
+    if (nNumPolys > SAL_MAX_UINT16)
+    {
+        pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR);
+        ErrorCode=11;
+        return;
+    }
+
+    for (sal_uInt32 i=0; i<nNumPolys; ++i)
+    {
+        sal_uInt32 nNumPoints(0);
+        pOS2MET->ReadUInt32(nNumPoints);
+        sal_uInt32 nLimit = SAL_MAX_UINT16;
+        if (i==0) --nLimit;
+        if (nNumPoints > nLimit)
+        {
+            pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR);
+            ErrorCode=11;
+            return;
+        }
+        if (i==0) ++nNumPoints;
         aPoly.SetSize((short)nNumPoints);
-        for (j=0; j<nNumPoints; j++) {
+        for (sal_uInt32 j=0; j<nNumPoints; ++j)
+        {
             if (i==0 && j==0) aPoint=aAttr.aCurPos;
             else aPoint=ReadPoint();
             aPoly.SetPoint(aPoint,(short)j);

More information about the Libreoffice-commits mailing list