[Libreoffice-commits] core.git: vcl/source

Caolán McNamara caolanm at redhat.com
Fri Feb 17 21:05:59 UTC 2017


 vcl/source/gdi/metaact.cxx |    7 +++++++
 1 file changed, 7 insertions(+)

New commits:
commit 6f53409ef3a45e0c26cc87247dd2ea9aa4539d55
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Fri Feb 17 20:49:58 2017 +0000

    ofz: libFuzzer: out-of-memory
    
    from "unstable" log file https://oss-fuzz-build-logs.storage.googleapis.com/build_logs/libreoffice/latest.txt
    
     #5 0x617248 in operator new[](unsigned long) /src/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:84
     #6 0x710843 in MetaCommentAction::Read(SvStream&, ImplMetaReadData*) /src/libreoffice/vcl/source/gdi/metaact.cxx:3363:18
     #7 0x6e1921 in MetaAction::ReadMetaAction(SvStream&, ImplMetaReadData*) /src/libreoffice/vcl/source/gdi/metaact.cxx:266:18
    
    Change-Id: I518adea27565d1fbe91c8817f41850deb0ba9877

diff --git a/vcl/source/gdi/metaact.cxx b/vcl/source/gdi/metaact.cxx
index 05b24da..3ef9002 100644
--- a/vcl/source/gdi/metaact.cxx
+++ b/vcl/source/gdi/metaact.cxx
@@ -3354,6 +3354,13 @@ void MetaCommentAction::Read( SvStream& rIStm, ImplMetaReadData* )
     maComment = read_uInt16_lenPrefixed_uInt8s_ToOString(rIStm);
     rIStm.ReadInt32( mnValue ).ReadUInt32( mnDataSize );
 
+    if (mnDataSize > rIStm.remainingSize())
+    {
+        SAL_WARN("vcl.gdi", "Parsing error: " << rIStm.remainingSize() <<
+                 " available data, but " << mnDataSize << " claimed, truncating");
+        mnDataSize = rIStm.remainingSize();
+    }
+
     SAL_INFO("vcl.gdi", "MetaCommentAction::Read " << maComment);
 
     delete[] mpData;
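Review bot: The added guard calls `rIStm.remainingSize()` three times (comparison, warning text, assignment). Taking it once with `const auto nRemaining = rIStm.remainingSize();` and using `nRemaining` in all three places guarantees the logged and the clamped value are the same and avoids repeated stream queries. The result of the preceding `ReadInt32( mnValue ).ReadUInt32( mnDataSize )` chain is not checked in the visible lines, so on an already-failed stream the clamp presumably works on whatever those reads left in `mnDataSize`; it would be worth confirming that case. A one-line comment above the `if` would also help, for example `// mnDataSize comes from the file; bound it by the bytes actually left so the allocation below cannot be driven by a forged length`. The body of `MetaCommentAction::Read` continues past the hunk, so the allocation and read that consume `mnDataSize` are not visible here.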

