[Libreoffice-commits] core.git: Branch 'libreoffice-5-0-0' - filter/source

Caolán McNamara caolanm at redhat.com
Mon Jul 20 04:37:34 PDT 2015


 filter/source/msfilter/msdffimp.cxx |   10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

New commits:
commit 5a6e55601f0eaae1bf9f006da3f19d1c8282e7db
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Thu Jul 16 14:53:37 2015 +0100

    Resolves: tdf#92772 missing shape bg color
    
    regression from dcad3ac445980740b6a39761cdd1f1bd0b3e6e34
    
        coverity#1242624 Untrusted loop bound
    
        Change-Id: Idf52c09828c2bab767e9ff0d07b61befd6bfc64b
    
    The original code read 8 bytes on the nElemSizeVert == 8
    branch and always 4 otherwise. I assumed that nElemSizeVert had
    to be read as 4 on that branch, but apparently not. So if it's
    not 4, set it to 4 and we get the same behaviour as originally
    and continue to ensure we bounds check the loop
    
    Change-Id: Ica8ab7cc3bbebee93216766a2e1279a579494840
    (cherry picked from commit b3cd47bd562f98ec5fcff1a9d7609353506b5083)
    Reviewed-on: https://gerrit.libreoffice.org/17135
    Reviewed-by: David Tardon <dtardon at redhat.com>
    Tested-by: David Tardon <dtardon at redhat.com>
    Reviewed-by: Tomaž Vajngerl <quikee at gmail.com>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/filter/source/msfilter/msdffimp.cxx b/filter/source/msfilter/msdffimp.cxx
index 9e88ceb..ba0aae0 100644
--- a/filter/source/msfilter/msdffimp.cxx
+++ b/filter/source/msfilter/msdffimp.cxx
@@ -2154,12 +2154,10 @@ void DffPropertyReader::ApplyCustomShapeGeometryAttributes( SvStream& rIn, SfxIt
                 sal_uInt16 nNumElemMemVert = 0;
                 rIn.ReadUInt16( nNumElemVert ).ReadUInt16( nNumElemMemVert ).ReadUInt16( nElemSizeVert );
             }
-            bool bImport = false;
-            if (nElemSizeVert == 8 || nElemSizeVert == 4)
-            {
-                //sanity check that the stream is long enough to fulfill nNumElem * nElemSize;
-                bImport = rIn.remainingSize() / nElemSizeVert >= nNumElemVert;
-            }
+            if (nElemSizeVert != 8)
+                nElemSizeVert = 4;
+            //sanity check that the stream is long enough to fulfill nNumElem * nElemSize;
+            bool bImport = rIn.remainingSize() / nElemSizeVert >= nNumElemVert;
             if (bImport)
             {
                 aCoordinates.realloc( nNumElemVert );
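
Review bot: The coercion at `if (nElemSizeVert != 8) nElemSizeVert = 4;` carries no comment explaining why an element size read from the file is overridden, and the commit message words the condition as "not 4" while the code tests for not 8. Since the stricter `nElemSizeVert == 8 || nElemSizeVert == 4` check removed here is what caused the regression, a one-line comment stating that every size other than 8 is deliberately read as 4-byte elements would stop a later cleanup from reinstating it. The forced value is also what keeps the divisor in `rIn.remainingSize() / nElemSizeVert` from ever being zero now that the guarding `if` is gone, so the two lines should stay together and the comment should say so.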

