[Libreoffice-commits] libcdr.git: src/lib
David Tardon
dtardon at redhat.com
Tue Apr 4 17:27:49 UTC 2017
src/lib/CMXParser.cpp | 9 +++++++++
1 file changed, 9 insertions(+)
New commits:
commit 263b1707ba5506fe9b162404b84b8e6c7b8d6ef5
Author: David Tardon <dtardon at redhat.com>
Date: Tue Apr 4 19:27:23 2017 +0200
ofz: avoid inf. loop if inst. size is 0
Change-Id: I688a580878227adcf267bca02b22a0b2e2434f36
diff --git a/src/lib/CMXParser.cpp b/src/lib/CMXParser.cpp
index f74c10e..23175e9 100644
--- a/src/lib/CMXParser.cpp
+++ b/src/lib/CMXParser.cpp
@@ -402,8 +402,17 @@ void libcdr::CMXParser::readCommands(librevenge::RVNGInputStream *input, unsigne
{
long startPosition = input->tell();
int instructionSize = readS16(input, m_bigEndian);
+ int minInstructionSize = 4;
if (instructionSize < 0)
+ {
instructionSize = readS32(input, m_bigEndian);
+ minInstructionSize += 4;
+ }
+ if (instructionSize < minInstructionSize)
+ {
+ CDR_DEBUG_MSG(("CMXParser::readCommands - invalid instructionSize %i\n", instructionSize));
+ instructionSize = minInstructionSize;
+ }
m_nextInstructionOffset = startPosition+instructionSize;
short instructionCode = abs(readS16(input, m_bigEndian));
CDR_DEBUG_MSG(("CMXParser::readCommands - instructionSize %i, instructionCode %i\n", instructionSize, instructionCode));
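Review bot: The new clamp bounds `instructionSize` only from below, so an oversized value from the file (up to INT_MAX via the `readS32` path) still feeds `m_nextInstructionOffset = startPosition+instructionSize;` unchecked. That offset can point far past the end of the command data, and where `long` is 32 bits the addition can overflow. The loop condition and the later seek are outside this hunk, so they may already cope with this. If they do not, the size should also be capped to the bytes remaining in the section (or the stream) before the offset is computed, with the same debug message used for the rejected value. Clamping a bad size to the minimum also keeps parsing a record whose length field is known to be wrong, so a comment such as `// malformed size: skip just the header so the loop always advances` above the clamp would make that intent explicit.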