[Libreoffice-commits] core.git: vcl/source

Caolán McNamara caolanm at redhat.com
Thu Mar 9 15:51:09 UTC 2017


 vcl/source/gdi/svmconverter.cxx |   65 ++++++++++++++++++++++++----------------
 1 file changed, 40 insertions(+), 25 deletions(-)

New commits:
commit ff8f6629287d0d1bdbcf4f8ed16cb8d077d08c7a
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Thu Jan 19 16:56:34 2017 +0000

    Resolves: ofz#424 guard against broken dxary length
    
    Change-Id: Ia2569e963edd75cd6c27399d33e73bafe8b3f073
    Reviewed-on: https://gerrit.libreoffice.org/33319
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/vcl/source/gdi/svmconverter.cxx b/vcl/source/gdi/svmconverter.cxx
index c1161a4..efcc250 100644
--- a/vcl/source/gdi/svmconverter.cxx
+++ b/vcl/source/gdi/svmconverter.cxx
@@ -939,6 +939,7 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm, GDIMetaFile& rMtf )
                     OUString aStr(OStringToOUString(aByteStr, eActualCharSet));
 
                     std::unique_ptr<long[]> pDXAry;
+                    sal_Int32 nDXAryLen = 0;
                     if (nAryLen > 0)
                     {
                         const size_t nMinRecordSize = sizeof(sal_Int32);
@@ -952,36 +953,50 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm, GDIMetaFile& rMtf )
 
                         sal_Int32 nStrLen( aStr.getLength() );
 
-                        pDXAry.reset(new long[ std::max( nAryLen, nStrLen ) ]);
+                        nDXAryLen = std::max(nAryLen, nStrLen);
 
-                        for (sal_Int32 j = 0; j < nAryLen; ++j)
-                            rIStm.ReadInt32( nTmp ), pDXAry[ j ] = nTmp;
-
-                        // #106172# Add last DX array elem, if missing
-                        if( nAryLen != nStrLen )
+                        if (nDXAryLen < nLen)
+                        {
+                            //MetaTextArrayAction ctor expects pDXAry to be >= nLen if set, so if this can't
+                            //be achieved, don't read it, it's utterly broken.
+                            SAL_WARN("vcl.gdi", "dxary too short, discarding completely");
+                            rIStm.SeekRel(sizeof(sal_Int32) * nDXAryLen);
+                            nLen = 0;
+                            nIndex = 0;
+                        }
+                        else
                         {
-                            if( nAryLen+1 == nStrLen )
+                            pDXAry.reset(new long[nDXAryLen]);
+
+                            for (sal_Int32 j = 0; j < nAryLen; ++j)
+                                rIStm.ReadInt32( nTmp ), pDXAry[ j ] = nTmp;
+
+                            // #106172# Add last DX array elem, if missing
+                            if( nAryLen != nStrLen )
                             {
-                                std::unique_ptr<long[]> pTmpAry(new long[nStrLen]);
-
-                                aFontVDev->GetTextArray( aStr, pTmpAry.get(), nIndex, nLen );
-
-                                // now, the difference between the
-                                // last and the second last DX array
-                                // is the advancement for the last
-                                // glyph. Thus, to complete our meta
-                                // action's DX array, just add that
-                                // difference to last elem and store
-                                // in very last.
-                                if( nStrLen > 1 )
-                                    pDXAry[ nStrLen-1 ] = pDXAry[ nStrLen-2 ] + pTmpAry[ nStrLen-1 ] - pTmpAry[ nStrLen-2 ];
-                                else
-                                    pDXAry[ nStrLen-1 ] = pTmpAry[ nStrLen-1 ]; // len=1: 0th position taken to be 0
-                            }
+                                if( nAryLen+1 == nStrLen )
+                                {
+                                    std::unique_ptr<long[]> pTmpAry(new long[nStrLen]);
+
+                                    aFontVDev->GetTextArray( aStr, pTmpAry.get(), nIndex, nLen );
+
+                                    // now, the difference between the
+                                    // last and the second last DX array
+                                    // is the advancement for the last
+                                    // glyph. Thus, to complete our meta
+                                    // action's DX array, just add that
+                                    // difference to last elem and store
+                                    // in very last.
+                                    if( nStrLen > 1 )
+                                        pDXAry[ nStrLen-3 ] = pDXAry[ nStrLen-2 ] + pTmpAry[ nStrLen-1 ] - pTmpAry[ nStrLen-2 ];
+                                    else
+                                        pDXAry[ nStrLen-1 ] = pTmpAry[ nStrLen-1 ]; // len=1: 0th position taken to be 0
+                                }
 #ifdef DBG_UTIL
-                            else
-                                OSL_FAIL("More than one DX array element missing on SVM import");
+                                else
+                                    OSL_FAIL("More than one DX array element missing on SVM import");
 #endif
+                            }
                         }
                     }
                     if ( nUnicodeCommentActionNumber == i )
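Review bot: In the `nStrLen > 1` branch the completed element is stored to `pDXAry[ nStrLen-3 ]`, although the comment above it and the `else` branch both target the last slot. For `nStrLen == 2` that index is -1, a write in front of the `new long[nDXAryLen]` allocation with lengths taken from the file, and for longer strings it overwrites an element just read from the stream while `pDXAry[ nStrLen-1 ]` stays uninitialised. The store should be `pDXAry[ nStrLen-1 ] = pDXAry[ nStrLen-2 ] + pTmpAry[ nStrLen-1 ] - pTmpAry[ nStrLen-2 ];`. Separately, the discard path skips `sizeof(sal_Int32) * nDXAryLen` bytes, but the read loop consumes only `nAryLen` entries, so `rIStm.SeekRel(sizeof(sal_Int32) * nAryLen);` looks like the right amount to keep the stream aligned when `nStrLen > nAryLen`. ImplConvertFromSVM1 starts and ends outside this hunk, so how `nLen` and `nIndex` were validated earlier is not visible here.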

