[Libreoffice-commits] core.git: Branch 'libreoffice-4-4' - filter/qa filter/source
Caolán McNamara
caolanm at redhat.com
Wed Sep 2 08:58:07 PDT 2015
filter/qa/cppunit/data/met/fail/hang-2.met |binary
filter/source/graphicfilter/ios2met/ios2met.cxx | 25 ++++++++++++++++++------
2 files changed, 19 insertions(+), 6 deletions(-)
New commits:
commit 8c9e9895648fd9315067c17d1aeee182c99d3f21
Author: Caolán McNamara <caolanm at redhat.com>
Date: Mon Aug 31 11:11:27 2015 +0100
check for legal field sizes before reading
Change-Id: I3cdb647e1a057be5bb4b32d119ee5bcbbedf7473
(cherry picked from commit ad6d83defb33c414885ce6d4bfa85571d463f3c3)
Reviewed-on: https://gerrit.libreoffice.org/18170
Reviewed-by: Miklos Vajna <vmiklos at collabora.co.uk>
Tested-by: Miklos Vajna <vmiklos at collabora.co.uk>
diff --git a/filter/qa/cppunit/data/met/fail/hang-2.met b/filter/qa/cppunit/data/met/fail/hang-2.met
new file mode 100644
index 0000000..e807d58
Binary files /dev/null and b/filter/qa/cppunit/data/met/fail/hang-2.met differ
diff --git a/filter/source/graphicfilter/ios2met/ios2met.cxx b/filter/source/graphicfilter/ios2met/ios2met.cxx
index ce19c4d..4a4b0d5 100644
--- a/filter/source/graphicfilter/ios2met/ios2met.cxx
+++ b/filter/source/graphicfilter/ios2met/ios2met.cxx
@@ -2679,21 +2679,34 @@ void OS2METReader::ReadOS2MET( SvStream & rStreamOS2MET, GDIMetaFile & rGDIMetaF
pOS2MET->ReadUInt16(nFieldType);
pOS2MET->SeekRel(3);
- nPos+=8; nFieldSize-=8;
- if (pOS2MET->GetError()) break;
- if (pOS2MET->IsEof()) {
+ if (pOS2MET->GetError())
+ break;
+
+ if (nFieldType==EndDocumnMagic)
+ break;
+
+ if (pOS2MET->IsEof() || nFieldSize < 8)
+ {
pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR);
ErrorCode=8;
break;
}
- if (nFieldType==EndDocumnMagic) break;
+ nPos+=8; nFieldSize-=8;
+
+ if (nFieldSize > pOS2MET->remainingSize())
+ {
+ pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR);
+ ErrorCode=8;
+ break;
+ }
ReadField(nFieldType, nFieldSize);
+ nPos += nFieldSize;
- nPos+=(sal_uLong)nFieldSize;
- if (pOS2MET->Tell()>nPos) {
+ if (pOS2MET->Tell() > nPos)
+ {
pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR);
ErrorCode=9;
break;
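Review bot: The two new bounds checks (`nFieldSize < 8` and `nFieldSize > pOS2MET->remainingSize()`) have no comment saying what they protect against, and the bare `8` now appears three times in this block. I would add `// nFieldSize includes the 8-byte field header; reject smaller values before subtracting so the size cannot wrap` above the first check and `// never pass ReadField a length that runs past the end of the stream` above the second, and give the header length a name. Both rejections also set `ErrorCode=8`, so a truncated header and an oversized field cannot be told apart afterwards; a distinct code for the second case would help when triaging malformed files, assuming ErrorCode is only used for diagnostics. The declaration of nFieldSize and the enclosing loop are outside the hunk, so the wrap concern assumes nFieldSize is an unsigned type.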