[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - filter/qa filter/source
Caolán McNamara
caolanm at redhat.com
Thu Jul 16 02:16:09 PDT 2015
filter/qa/cppunit/data/met/pass/hang-2.met |binary
filter/source/graphicfilter/ios2met/ios2met.cxx | 33 ++++++++++++++++++------
2 files changed, 26 insertions(+), 7 deletions(-)
New commits:
commit fdc0b506538560e13127a44a7de817412c13035b
Author: Caolán McNamara <caolanm at redhat.com>
Date: Wed Jul 15 12:59:55 2015 +0100
tools polygons limited to 16bit indexes
Change-Id: Ib0f727a3681492c15b807ca159d8bf7675ee8f29
(cherry picked from commit 89857aacac98f0f8e5dca4718affec493951f904)
WaE: C2220
Change-Id: Ibf9fa7ffc3beb237a470952c265fb1bce313a08a
(cherry picked from commit 8547c336b3253d90daae1c79a2b1a57996a39102)
Reviewed-on: https://gerrit.libreoffice.org/17091
Tested-by: Jenkins <ci at libreoffice.org>
Reviewed-by: Michael Meeks <michael.meeks at collabora.com>
diff --git a/filter/qa/cppunit/data/met/pass/hang-2.met b/filter/qa/cppunit/data/met/pass/hang-2.met
new file mode 100644
index 0000000..84b432e
Binary files /dev/null and b/filter/qa/cppunit/data/met/pass/hang-2.met differ
diff --git a/filter/source/graphicfilter/ios2met/ios2met.cxx b/filter/source/graphicfilter/ios2met/ios2met.cxx
index 0553d1f..2ff00f6 100644
--- a/filter/source/graphicfilter/ios2met/ios2met.cxx
+++ b/filter/source/graphicfilter/ios2met/ios2met.cxx
@@ -1173,18 +1173,37 @@ void OS2METReader::ReadPartialArc(bool bGivenPos, sal_uInt16 nOrderSize)
void OS2METReader::ReadPolygons()
{
- sal_uInt32 i,j,nNumPolys, nNumPoints;
tools::PolyPolygon aPolyPoly;
Polygon aPoly;
Point aPoint;
- sal_uInt8 nFlags;
- pOS2MET->ReadUChar( nFlags ).ReadUInt32( nNumPolys );
- for (i=0; i<nNumPolys; i++) {
- pOS2MET->ReadUInt32( nNumPoints );
- if (i==0) nNumPoints++;
+ sal_uInt8 nFlags(0);
+ sal_uInt32 nNumPolys(0);
+ pOS2MET->ReadUChar(nFlags).ReadUInt32(nNumPolys);
+
+ if (nNumPolys > SAL_MAX_UINT16)
+ {
+ pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR);
+ ErrorCode=11;
+ return;
+ }
+
+ for (sal_uInt32 i=0; i<nNumPolys; ++i)
+ {
+ sal_uInt32 nNumPoints(0);
+ pOS2MET->ReadUInt32(nNumPoints);
+ sal_uInt32 nLimit = SAL_MAX_UINT16;
+ if (i==0) --nLimit;
+ if (nNumPoints > nLimit)
+ {
+ pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR);
+ ErrorCode=11;
+ return;
+ }
+ if (i==0) ++nNumPoints;
aPoly.SetSize((short)nNumPoints);
- for (j=0; j<nNumPoints; j++) {
+ for (sal_uInt32 j=0; j<nNumPoints; ++j)
+ {
if (i==0 && j==0) aPoint=aAttr.aCurPos;
else aPoint=ReadPoint();
aPoly.SetPoint(aPoint,(short)j);
More information about the Libreoffice-commits
mailing list