[Libreoffice-commits] core.git: Branch 'libreoffice-5-2' - filter/source

Caolán McNamara caolanm at redhat.com
Tue Apr 4 13:50:54 UTC 2017


 filter/source/graphicfilter/icgm/cgm.cxx    |    8 ++++----
 filter/source/graphicfilter/icgm/class1.cxx |   17 +++++++++++------
 filter/source/graphicfilter/icgm/class4.cxx |   25 ++++++++++++++++---------
 3 files changed, 31 insertions(+), 19 deletions(-)

New commits:
commit bfb4717cb03eda40b9550ea2f8ab8ca7949f1e37
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Sun Apr 2 11:31:10 2017 +0100

    ofz: check bounds on read
    
    Change-Id: I07779bec876b90e36f20a81d6dbf06ae727edf85
    (cherry picked from commit fb05611064e12c8eda09bc32c42544cde8c2ab49)
    Reviewed-on: https://gerrit.libreoffice.org/36019
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Michael Stahl <mstahl at redhat.com>

diff --git a/filter/source/graphicfilter/icgm/cgm.cxx b/filter/source/graphicfilter/icgm/cgm.cxx
index 30804b06845f..d15923084ccc 100644
--- a/filter/source/graphicfilter/icgm/cgm.cxx
+++ b/filter/source/graphicfilter/icgm/cgm.cxx
@@ -101,7 +101,7 @@ sal_uInt32 CGM::GetBackGroundColor()
 sal_uInt32 CGM::ImplGetUI16( sal_uInt32 /*nAlign*/ )
 {
     sal_uInt8* pSource = mpSource + mnParaSize;
-    if (pSource + 2 > mpEndValidSource)
+    if (mpEndValidSource - pSource < 2)
         throw css::uno::Exception("attempt to read past end of input", nullptr);
     mnParaSize += 2;
     return ( pSource[ 0 ] << 8 ) +  pSource[ 1 ];
@@ -115,7 +115,7 @@ sal_uInt8 CGM::ImplGetByte( sal_uInt32 nSource, sal_uInt32 nPrecision )
 sal_Int32 CGM::ImplGetI( sal_uInt32 nPrecision )
 {
     sal_uInt8* pSource = mpSource + mnParaSize;
-    if (pSource + nPrecision > mpEndValidSource)
+    if (static_cast<sal_uIntPtr>(mpEndValidSource - pSource) < nPrecision)
         throw css::uno::Exception("attempt to read past end of input", nullptr);
     mnParaSize += nPrecision;
     switch( nPrecision )
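Review bot: The cast to `sal_uIntPtr` in the new `ImplGetI` guard turns a negative remaining length into a very large unsigned value, so if `mnParaSize` has already carried `pSource` past `mpEndValidSource` the check passes and the read proceeds. `ImplGetUI16` in the previous hunk compares the signed difference and still throws in that case, so the guards are inconsistent. Something like `if (pSource > mpEndValidSource || static_cast<sal_uIntPtr>(mpEndValidSource - pSource) < nPrecision)` covers both conditions. The same cast appears in `ImplGetUI`, `ImplGetFloat` and the new checks in class1.cxx and class4.cxx. Whether `mnParaSize` can actually exceed the valid range depends on code outside this diff, and the function body continues past the hunk.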
@@ -147,7 +147,7 @@ sal_Int32 CGM::ImplGetI( sal_uInt32 nPrecision )
 sal_uInt32 CGM::ImplGetUI( sal_uInt32 nPrecision )
 {
     sal_uInt8* pSource = mpSource + mnParaSize;
-    if (pSource + nPrecision > mpEndValidSource)
+    if (static_cast<sal_uIntPtr>(mpEndValidSource - pSource) < nPrecision)
         throw css::uno::Exception("attempt to read past end of input", nullptr);
     mnParaSize += nPrecision;
     switch( nPrecision )
@@ -202,7 +202,7 @@ double CGM::ImplGetFloat( RealPrecision eRealPrecision, sal_uInt32 nRealSize )
     const bool bCompatible = false;
 #endif
 
-    if (mpSource + mnParaSize + nRealSize > mpEndValidSource)
+    if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) < nRealSize)
         throw css::uno::Exception("attempt to read past end of input", nullptr);
 
     if ( bCompatible )
diff --git a/filter/source/graphicfilter/icgm/class1.cxx b/filter/source/graphicfilter/icgm/class1.cxx
index 641355924f74..895dd8247d0b 100644
--- a/filter/source/graphicfilter/icgm/class1.cxx
+++ b/filter/source/graphicfilter/icgm/class1.cxx
@@ -176,8 +176,11 @@ void CGM::ImplDoClass1()
         {
             while ( mnParaSize < mnElementSize )
             {
-                sal_uInt32 nSize;
-                nSize = ImplGetUI( 1 );
+                sal_uInt32 nSize = ImplGetUI(1);
+
+                if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) < nSize)
+                    throw css::uno::Exception("attempt to read past end of input", nullptr);
+
                 pElement->aFontList.InsertName( mpSource + mnParaSize, nSize );
                 mnParaSize += nSize;
             }
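Review bot: The two-line remaining-bytes guard added before `InsertName` is repeated verbatim in the character-set loop of the next hunk and three more times in class4.cxx. A small private `CGM` helper that takes the requested byte count and throws on shortfall would keep these copies from drifting apart and would give one place to fix the comparison. A short comment such as `// nSize comes from the file and is not trusted` above the check would also explain why it is needed here although `ImplGetUI` already validates its own read. `ImplDoClass1` starts and ends outside the hunk.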
@@ -187,10 +190,12 @@ void CGM::ImplDoClass1()
         {
             while ( mnParaSize < mnElementSize )
             {
-                sal_uInt32 nCharSetType;
-                sal_uInt32 nSize;
-                nCharSetType = ImplGetUI16();
-                nSize = ImplGetUI( 1 );
+                sal_uInt32 nCharSetType = ImplGetUI16();
+                sal_uInt32 nSize = ImplGetUI(1);
+
+                if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) < nSize)
+                    throw css::uno::Exception("attempt to read past end of input", nullptr);
+
                 pElement->aFontList.InsertCharSet( (CharSetType)nCharSetType, mpSource + mnParaSize, nSize );
                 mnParaSize += nSize;
             }
diff --git a/filter/source/graphicfilter/icgm/class4.cxx b/filter/source/graphicfilter/icgm/class4.cxx
index 442f10dc087d..ff574c4eece4 100644
--- a/filter/source/graphicfilter/icgm/class4.cxx
+++ b/filter/source/graphicfilter/icgm/class4.cxx
@@ -178,15 +178,18 @@ void CGM::ImplDoClass4()
             case 0x04 : /*Text*/
             {
                 FloatPoint  aFloatPoint;
-                sal_uInt32      nType, nSize;
 
                 if ( mbFigure )
                     mpOutAct->CloseRegion();
 
                 ImplGetPoint ( aFloatPoint, true );
-                nType = ImplGetUI16( 4 );
-                nSize = ImplGetUI( 1 );
-                mpSource[ mnParaSize + nSize ] = 0;
+                sal_uInt32 nType = ImplGetUI16( 4 );
+                sal_uInt32 nSize = ImplGetUI( 1 );
+
+                if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) < nSize)
+                    throw css::uno::Exception("attempt to read past end of input", nullptr);
+
+                mpSource[mnParaSize + nSize] = 0;
 
                 awt::Size aSize;
                 awt::Point aPoint( (long)aFloatPoint.X, (long)aFloatPoint.Y );
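Review bot: The new guard in the Text case accepts `nSize` equal to the number of bytes remaining, and the following `mpSource[mnParaSize + nSize] = 0;` then writes the terminator at `mpEndValidSource` itself, one byte past the range the check validated. That is only safe if the underlying buffer is allocated with slack beyond `mpEndValidSource`, which this diff does not show. If it is, a comment here such as `// buffer reserves room past mpEndValidSource for the terminator` would record the assumption. Otherwise the guard should reject the equal case by using `<= nSize`. The same write follows the new checks in the 0x05 case and in Append Text later in this file, and `ImplDoClass4` continues outside the hunk.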
@@ -200,7 +203,6 @@ void CGM::ImplDoClass4()
             {
                 double      dx, dy;
                 FloatPoint  aFloatPoint;
-                sal_uInt32      nType, nSize;
 
                 if ( mbFigure )
                     mpOutAct->CloseRegion();
@@ -219,8 +221,11 @@ void CGM::ImplDoClass4()
                 ImplMapDouble( dy );
 
                 ImplGetPoint ( aFloatPoint, true );
-                nType = ImplGetUI16( 4 );
-                nSize = ImplGetUI( 1 );
+                sal_uInt32 nType = ImplGetUI16(4);
+                sal_uInt32 nSize = ImplGetUI(1);
+
+                if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) < nSize)
+                    throw css::uno::Exception("attempt to read past end of input", nullptr);
 
                 mpSource[ mnParaSize + nSize ] = 0;
 
@@ -234,10 +239,12 @@ void CGM::ImplDoClass4()
 
             case 0x06 : /*Append Text*/
             {
-                sal_uInt32 nSize;
                 sal_uInt32 nType = ImplGetUI16( 4 );
+                sal_uInt32 nSize = ImplGetUI( 1 );
+
+                if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) < nSize)
+                    throw css::uno::Exception("attempt to read past end of input", nullptr);
 
-                nSize = ImplGetUI( 1 );
                 mpSource[ mnParaSize + nSize ] = 0;
 
                 mpOutAct->AppendText( reinterpret_cast<char*>(mpSource) + mnParaSize, nSize, (FinalFlag)nType );

