[Libreoffice-commits] core.git: Branch 'libreoffice-5-2' - vcl/source

Caolán McNamara caolanm at redhat.com
Wed Jan 25 13:56:40 UTC 2017


 vcl/source/gdi/metaact.cxx      |    2 +-
 vcl/source/gdi/svmconverter.cxx |    9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

New commits:
commit 6872899cc1716f251988dfb3c86aa04c716cfda4
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Wed Jan 25 09:21:25 2017 +0000

    ofz#463 unable to mmap
    
    Reviewed-on: https://gerrit.libreoffice.org/33519
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    (cherry picked from commit f6c465bc8e7583a8321f5c881cb008b980e0e3fa)
    
    Change-Id: I509faeda019f42bbe7cdc5fc249f2ea2076bb702
    Reviewed-on: https://gerrit.libreoffice.org/33522
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: David Tardon <dtardon at redhat.com>

diff --git a/vcl/source/gdi/metaact.cxx b/vcl/source/gdi/metaact.cxx
index 7bfa151..ac229f0 100644
--- a/vcl/source/gdi/metaact.cxx
+++ b/vcl/source/gdi/metaact.cxx
@@ -1114,7 +1114,7 @@ MetaTextArrayAction::MetaTextArrayAction( const Point& rStartPt,
 {
     const sal_Int32 nAryLen = pDXAry ? mnLen : 0;
 
-    if( nAryLen )
+    if (nAryLen > 0)
     {
         mpDXAry = new long[ nAryLen ];
         memcpy( mpDXAry, pDXAry, nAryLen * sizeof(long) );
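Review bot: The new `if (nAryLen > 0)` test has no comment explaining why a negative length must be rejected, so a later cleanup could turn it back into a truthiness test. A negative `mnLen` (presumably reachable from a malformed metafile) would otherwise flow into `new long[ nAryLen ]` and into `nAryLen * sizeof(long)` for memcpy, where it converts to a very large unsigned size. I would add `// mnLen can be <= 0 for malformed input; only allocate and copy for a positive count` directly above the test. The constructor starts and ends outside this hunk, so it is worth confirming that mpDXAry is left null on the skipped path.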
diff --git a/vcl/source/gdi/svmconverter.cxx b/vcl/source/gdi/svmconverter.cxx
index b1a1c7a..3a6e961 100644
--- a/vcl/source/gdi/svmconverter.cxx
+++ b/vcl/source/gdi/svmconverter.cxx
@@ -908,6 +908,15 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm, GDIMetaFile& rMtf )
                         std::unique_ptr<long[]> pDXAry;
                         if (nAryLen > 0)
                         {
+                            const size_t nMinRecordSize = sizeof(sal_Int32);
+                            const size_t nMaxRecords = rIStm.remainingSize() / nMinRecordSize;
+                            if (static_cast<sal_uInt32>(nAryLen) > nMaxRecords)
+                            {
+                                SAL_WARN("vcl.gdi", "Parsing error: " << nMaxRecords <<
+                                         " max possible entries, but " << nAryLen << " claimed, truncating");
+                                nAryLen = nMaxRecords;
+                            }
+
                             sal_Int32 nStrLen( aStr.getLength() );
 
                             pDXAry.reset(new long[ std::max( nAryLen, nStrLen ) ]);
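Review bot: `nAryLen = nMaxRecords;` narrows a size_t into nAryLen implicitly, and it is safe only because the enclosing branch has just shown that nMaxRecords is smaller than the claimed count. nAryLen is declared outside the hunk but appears to be a signed 32-bit value (it is tested with `> 0` and cast to sal_uInt32), so I would make the conversion explicit: `nAryLen = static_cast<sal_Int32>(nMaxRecords);`. A short comment above nMinRecordSize, stating that each DX entry takes at least sizeof(sal_Int32) bytes in the stream, would document the bound, since the read loop that justifies it is not in the hunk. ImplConvertFromSVM1 continues beyond the hunk on both sides.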

