[Libreoffice-commits] core.git: Branch 'libreoffice-5-3-0' - vcl/source
Caolán McNamara
caolanm at redhat.com
Thu Jan 26 16:36:56 UTC 2017
vcl/source/gdi/svmconverter.cxx | 35 +++++++++++++++++++++++++----------
1 file changed, 25 insertions(+), 10 deletions(-)
New commits:
commit 3df06a869bec90db2f675c17145ea6ddaf0d09b8
Author: Caolán McNamara <caolanm at redhat.com>
Date: Wed Jan 18 09:43:17 2017 +0000
ofz: reduce scope, check stream, validate nActions
(cherry picked from commit bd78b28a1233e26c023a52df6b119d60a61d53ad)
Change-Id: Ie420ad40b0d852708828620cd26c2f746398f5a8
Reviewed-on: https://gerrit.libreoffice.org/33259
Tested-by: Jenkins <ci at libreoffice.org>
Reviewed-by: Michael Stahl <mstahl at redhat.com>
(cherry picked from commit e0f262b998074eb493a56ff372c35b817e856b17)
Reviewed-on: https://gerrit.libreoffice.org/33538
Reviewed-by: Markus Mohrhard <markus.mohrhard at googlemail.com>
Reviewed-by: Eike Rathke <erack at redhat.com>
Reviewed-by: Caolán McNamara <caolanm at redhat.com>
Tested-by: Caolán McNamara <caolanm at redhat.com>
diff --git a/vcl/source/gdi/svmconverter.cxx b/vcl/source/gdi/svmconverter.cxx
index fcb64ac..50f6c64 100644
--- a/vcl/source/gdi/svmconverter.cxx
+++ b/vcl/source/gdi/svmconverter.cxx
@@ -473,12 +473,12 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm, GDIMetaFile& rMtf )
char aCode[ 5 ];
Size aPrefSz;
- sal_Int16 nSize;
- sal_Int16 nVersion;
// read header
rIStm.ReadBytes(aCode, sizeof(aCode)); // Identifier
+ sal_Int16 nSize(0);
rIStm.ReadInt16( nSize ); // Size
+ sal_Int16 nVersion(0);
rIStm.ReadInt16( nVersion ); // Version
sal_Int32 nTmp32(0);
rIStm.ReadInt32( nTmp32 );
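Review bot: `aCode` is still declared uninitialised and the return value of `rIStm.ReadBytes(aCode, sizeof(aCode))` is ignored, while this hunk zero-initialises `nSize` and `nVersion` for the same short-read case. On a truncated stream the identifier bytes would be indeterminate when they are later inspected (presumably compared against the format magic, outside this hunk). Either `char aCode[ 5 ] = {};` or a check that `ReadBytes` returned `sizeof(aCode)` would make the header handling consistent. The function body continues past the end of the hunk.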
@@ -510,24 +510,37 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm, GDIMetaFile& rMtf )
Point aPt, aPt1;
Size aSz;
Color aActionColor;
- sal_Int32 nTmp, nTmp1, nActionSize;
- sal_Int32 nActions;
- sal_Int16 nType;
sal_uInt32 nUnicodeCommentStreamPos = 0;
sal_Int32 nUnicodeCommentActionNumber = 0;
ImplReadMapMode( rIStm, aMapMode ); // MapMode
- rIStm.ReadInt32( nActions ); // Action count
+ sal_Int32 nActions(0);
+ rIStm.ReadInt32( nActions ); // Action count
+ if (nActions < 0)
+ {
+ SAL_WARN("vcl.gdi", "svm claims negative action count (" << nActions << ")");
+ nActions = 0;
+ }
+
+ const size_t nMinActionSize = sizeof(sal_uInt16) + sizeof(sal_Int32);
+ const size_t nMaxPossibleActions = rIStm.remainingSize() / nMinActionSize;
+ if (static_cast<sal_uInt32>(nActions) > nMaxPossibleActions)
+ {
+ SAL_WARN("vcl.gdi", "svm claims more actions (" << nActions << ") than stream could provide, truncating");
+ nActions = nMaxPossibleActions;
+ }
rMtf.SetPrefSize( aPrefSz );
rMtf.SetPrefMapMode( aMapMode );
size_t nLastPolygonAction(0);
- for (sal_Int32 i = 0; i < nActions; ++i)
+ for (sal_Int32 i = 0; i < nActions && rIStm.good(); ++i)
{
+ sal_Int16 nType(0);
rIStm.ReadInt16( nType );
sal_Int32 nActBegin = rIStm.Tell();
+ sal_Int32 nActionSize(0);
rIStm.ReadInt32( nActionSize );
SAL_WARN_IF( ( nType > 33 ) && ( nType < 1024 ), "vcl", "Unknown GDIMetaAction while converting!" );
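Review bot: Inside the loop, `nType` and `nActionSize` are read and then used without a stream check, because `rIStm.good()` is tested only in the loop condition; a stream that fails mid-record still runs one iteration on zeroed values. `nActionSize` is also taken from the file with no bound visible in this hunk, although the new `nActions` cap already assumes every record occupies at least `nMinActionSize` bytes. Consider `if (!rIStm.good() || nActionSize < 0) break;` directly after `rIStm.ReadInt32( nActionSize );`, plus a comparison with `rIStm.remainingSize()` if the value later drives a seek. The loop body continues outside the hunk, so how `nActionSize` is consumed should be confirmed there. Separately, `nActions = nMaxPossibleActions;` narrows `size_t` to `sal_Int32` implicitly; it is safe on that branch, but `static_cast<sal_Int32>(nMaxPossibleActions)` would state the intent.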
@@ -664,6 +677,7 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm, GDIMetaFile& rMtf )
case GDI_RECT_ACTION:
{
ImplReadRect( rIStm, aRect );
+ sal_Int32 nTmp(0), nTmp1(0);
rIStm.ReadInt32( nTmp ).ReadInt32( nTmp1 );
if( nTmp || nTmp1 )
@@ -855,7 +869,7 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm, GDIMetaFile& rMtf )
case GDI_TEXT_ACTION:
{
- sal_Int32 nIndex, nLen;
+ sal_Int32 nIndex(0), nLen(0), nTmp(0);
ReadPair( rIStm, aPt ).ReadInt32( nIndex ).ReadInt32( nLen ).ReadInt32( nTmp );
if (nTmp > 0)
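Review bot: In GDI_TEXT_ACTION, `nIndex`, `nLen` and `nTmp` come straight from the stream, and the only check visible here is `if (nTmp > 0)`, which bounds the lower side only. The same pattern appears in the GDI_TEXTARRAY_ACTION hunk (which also reads `nAryLen`) and in the GDI_STRETCHTEXT_ACTION hunk. If `nTmp` is the byte count of a following read, as it appears to be, capping it against `rIStm.remainingSize()` and rejecting negative `nIndex`/`nLen` before they reach the text action would match what this commit does for `nActions`. Each case body continues outside its hunk, so checks that already exist there may cover this.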
@@ -876,7 +890,7 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm, GDIMetaFile& rMtf )
case GDI_TEXTARRAY_ACTION:
{
- sal_Int32 nIndex, nLen, nAryLen;
+ sal_Int32 nIndex(0), nLen(0), nAryLen(0), nTmp(0);
ReadPair( rIStm, aPt ).ReadInt32( nIndex ).ReadInt32( nLen ).ReadInt32( nTmp ).ReadInt32( nAryLen );
if (nTmp > 0)
@@ -944,7 +958,7 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm, GDIMetaFile& rMtf )
case GDI_STRETCHTEXT_ACTION:
{
- sal_Int32 nIndex, nLen, nWidth;
+ sal_Int32 nIndex(0), nLen(0), nWidth(0), nTmp(0);
ReadPair( rIStm, aPt ).ReadInt32( nIndex ).ReadInt32( nLen ).ReadInt32( nTmp ).ReadInt32( nWidth );
if (nTmp > 0)
@@ -1097,6 +1111,7 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm, GDIMetaFile& rMtf )
case GDI_MOVECLIPREGION_ACTION:
{
+ sal_Int32 nTmp(0), nTmp1(0);
rIStm.ReadInt32( nTmp ).ReadInt32( nTmp1 );
rMtf.AddAction( new MetaMoveClipRegionAction( nTmp, nTmp1 ) );
}