[Libreoffice-commits] core.git: filter/source

Sun Apr 2 15:51:28 UTC 2017

filter/source/graphicfilter/icgm/class1.cxx |    4 ++++
 1 file changed, 4 insertions(+)

New commits:
commit fb41ebff32371ee7a7e07f671f7c769a8bb18718
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Sun Apr 2 16:50:38 2017 +0100

    ofz: more check bounds on read
    
    Change-Id: I70018ee2ab282c11547f5bf9d81b2ee74c74aa04

diff --git a/filter/source/graphicfilter/icgm/class1.cxx b/filter/source/graphicfilter/icgm/class1.cxx
index 0d297bbe0a10..895dd8247d0b 100644
--- a/filter/source/graphicfilter/icgm/class1.cxx
+++ b/filter/source/graphicfilter/icgm/class1.cxx
@@ -192,6 +192,10 @@ void CGM::ImplDoClass1()
             {
                 sal_uInt32 nCharSetType = ImplGetUI16();
                 sal_uInt32 nSize = ImplGetUI(1);
+
+                if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) < nSize)
+                    throw css::uno::Exception("attempt to read past end of input", nullptr);
+
                 pElement->aFontList.InsertCharSet( (CharSetType)nCharSetType, mpSource + mnParaSize, nSize );
                 mnParaSize += nSize;
             }
