[Libreoffice-commits] core.git: Branch 'libreoffice-5-3-0' - filter/source

Caolán McNamara caolanm at redhat.com
Thu Jan 26 16:38:27 UTC 2017


 filter/source/graphicfilter/idxf/dxfentrd.cxx |   15 ++++++++++++---
 filter/source/graphicfilter/idxf/dxfgrprd.cxx |    4 ++++
 filter/source/graphicfilter/idxf/dxfgrprd.hxx |    1 +
 3 files changed, 17 insertions(+), 3 deletions(-)

New commits:
commit 7e83bd01ac0a8ac5f07c3d28db69141b3b7b1d6c
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Tue Jan 17 21:19:13 2017 +0000

    ofz#414 crash in DXFHatchEntity::EvaluateGroup
    
    (cherry picked from commit 5434d51d12611eb2726ce1394eb01921d008fa89)
    
    ofz#415 crash in DXFVector::DXFVector
    
    (cherry picked from commit 2a9b4363ca190f1d783d540e95a031357f852858)
    
    Change-Id: I15c8cb7aeb8c45f32357afd0ea2f550ffe11dbf7
    Reviewed-on: https://gerrit.libreoffice.org/33233
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    Tested-by: Michael Stahl <mstahl at redhat.com>
    (cherry picked from commit a304efedd2ca20f9ad29c18c996d00aadf30cf12)
    Reviewed-on: https://gerrit.libreoffice.org/33539
    Reviewed-by: Markus Mohrhard <markus.mohrhard at googlemail.com>
    Reviewed-by: Eike Rathke <erack at redhat.com>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/filter/source/graphicfilter/idxf/dxfentrd.cxx b/filter/source/graphicfilter/idxf/dxfentrd.cxx
index 85508ac..d4f7e30 100644
--- a/filter/source/graphicfilter/idxf/dxfentrd.cxx
+++ b/filter/source/graphicfilter/idxf/dxfentrd.cxx
@@ -422,8 +422,11 @@ void DXFLWPolyLineEntity::EvaluateGroup( DXFGroupReader & rDGR )
         case 90 :
         {
             nCount = rDGR.GetI();
-            if ( nCount )
+            // limit alloc to max reasonable size based on remaining data in stream
+            if (nCount > 0 && static_cast<sal_uInt32>(nCount) <= rDGR.remainingSize())
                 pP = new DXFVector[ nCount ];
+            else
+                nCount = 0;
         }
         break;
         case 70: nFlags = rDGR.GetI(); break;
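Review bot: The new guard narrows `nCount` to `sal_uInt32` before comparing it with `rDGR.remainingSize()`, which is declared to return `sal_uInt64`, so on a 64-bit build a count with bits above 32 can wrap to a small value, pass the bound and still reach `new DXFVector[ nCount ]` with the full value. Because `nCount > 0` is checked first, widening is lossless and the line can simply read `if (nCount > 0 && static_cast<sal_uInt64>(nCount) <= rDGR.remainingSize())`. The same narrowing cast is repeated in the `DXFBoundaryPathData::EvaluateGroup` and `DXFHatchEntity::EvaluateGroup` hunks below for `nPointCount` and `nBoundaryPathCount`; whether `GetI()` can in practice yield such a value depends on `ReadI`, which is outside this diff, but the cast gains nothing over the wider one. Since the identical three-line guard is now copied into three places, a small `DXFGroupReader` helper that takes a count and returns it clamped to zero when it exceeds the remaining bytes would keep the copies from drifting. `DXFLWPolyLineEntity::EvaluateGroup` starts and ends outside the hunk.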
@@ -600,8 +603,11 @@ bool DXFBoundaryPathData::EvaluateGroup( DXFGroupReader & rDGR )
             case 93 :
             {
                 nPointCount = rDGR.GetI();
-                if ( nPointCount )
+                // limit alloc to max reasonable size based on remaining data in stream
+                if (nPointCount > 0 && static_cast<sal_uInt32>(nPointCount) <= rDGR.remainingSize())
                     pP = new DXFVector[ nPointCount ];
+                else
+                    nPointCount = 0;
             }
             break;
             case 72 : nHasBulgeFlag = rDGR.GetI(); break;
@@ -679,8 +685,11 @@ void DXFHatchEntity::EvaluateGroup( DXFGroupReader & rDGR )
         {
             bIsInBoundaryPathContext = true;
             nBoundaryPathCount = rDGR.GetI();
-            if ( nBoundaryPathCount )
+            // limit alloc to max reasonable size based on remaining data in stream
+            if (nBoundaryPathCount > 0 && static_cast<sal_uInt32>(nBoundaryPathCount) <= rDGR.remainingSize())
                 pBoundaryPathData = new DXFBoundaryPathData[ nBoundaryPathCount ];
+            else
+                nBoundaryPathCount = 0;
         }
         break;
         case 75 :
diff --git a/filter/source/graphicfilter/idxf/dxfgrprd.cxx b/filter/source/graphicfilter/idxf/dxfgrprd.cxx
index caa2c42..a6c02a4 100644
--- a/filter/source/graphicfilter/idxf/dxfgrprd.cxx
+++ b/filter/source/graphicfilter/idxf/dxfgrprd.cxx
@@ -217,5 +217,9 @@ void DXFGroupReader::ReadS()
     S = DXFReadLine(rIS);
 }
 
+sal_uInt64 DXFGroupReader::remainingSize() const
+{
+    return rIS.remainingSize();
+}
 
 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/filter/source/graphicfilter/idxf/dxfgrprd.hxx b/filter/source/graphicfilter/idxf/dxfgrprd.hxx
index c936b33..09bbcd3 100644
--- a/filter/source/graphicfilter/idxf/dxfgrprd.hxx
+++ b/filter/source/graphicfilter/idxf/dxfgrprd.hxx
@@ -59,6 +59,7 @@ public:
         // This read must have returned a group code for datatype String.
         // If not NULL is returend
 
+    sal_uInt64 remainingSize() const;
 private:
 
     long   ReadI();
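Review bot: The new `remainingSize()` declaration carries no comment, although the neighbouring declarations in this header are annotated; a line such as `// Bytes left in the underlying input stream; used as a sanity upper bound when sizing allocations from counts read out of the file.` would tell callers why an element count is compared against a byte count. The comment should make clear it is a loose limit rather than an exact size, since each element consumes several group-code lines of input. The class body continues outside the hunk.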

