[Libreoffice-commits] core.git: Branch 'libreoffice-5-3' - lotuswordpro/source

[Caolán McNamara]

 lotuswordpro/source/filter/lwpgrfobj.cxx  |    8 ++++++++
 lotuswordpro/source/filter/lwpobjstrm.cxx |    6 ++++++
 lotuswordpro/source/filter/lwpobjstrm.hxx |    1 +
 3 files changed, 15 insertions(+)

New commits:
commit 7dc65a1e0ff3059bc1f7ab77c302930e61f72831
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Fri Mar 10 10:21:41 2017 +0000

    ofz#801 avoid oom
    
    Change-Id: Id3167d1eb3f058543ab7596008012d51b3d242b7
    (cherry picked from commit 1353ebe535732022aef4377030d86ad7153c3144)
    Reviewed-on: https://gerrit.libreoffice.org/35036
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Miklos Vajna <vmiklos at collabora.co.uk>

diff --git a/lotuswordpro/source/filter/lwpgrfobj.cxx b/lotuswordpro/source/filter/lwpgrfobj.cxx
index 882f7d2..c3dc645 100644
--- a/lotuswordpro/source/filter/lwpgrfobj.cxx
+++ b/lotuswordpro/source/filter/lwpgrfobj.cxx
@@ -113,6 +113,14 @@ void LwpGraphicObject::Read()
     unsigned char *pServerContext = nullptr;
     if (nServerContextSize > 0)
     {
+        sal_uInt16 nMaxPossibleSize = m_pObjStrm->remainingSize();
+
+        if (nServerContextSize > nMaxPossibleSize)
+        {
+            SAL_WARN("lwp", "stream too short for claimed no of records");
+            nServerContextSize = nMaxPossibleSize;
+        }
+
         pServerContext = new unsigned char[nServerContextSize];
         m_pObjStrm->QuickRead(pServerContext, static_cast<sal_uInt16>(nServerContextSize));
         if (nServerContextSize > 44)
diff --git a/lotuswordpro/source/filter/lwpobjstrm.cxx b/lotuswordpro/source/filter/lwpobjstrm.cxx
index c9350d8..bc968a5 100644
--- a/lotuswordpro/source/filter/lwpobjstrm.cxx
+++ b/lotuswordpro/source/filter/lwpobjstrm.cxx
@@ -156,6 +156,12 @@ void LwpObjectStream::ReleaseBuffer()
         }
     }
 }
+
+sal_uInt16 LwpObjectStream::remainingSize() const
+{
+    return m_nBufSize - m_nReadPos;
+}
+
 /**
  * @descr  read len bytes from object stream to buffer
  */
diff --git a/lotuswordpro/source/filter/lwpobjstrm.hxx b/lotuswordpro/source/filter/lwpobjstrm.hxx
index 918659d..83062ee 100644
--- a/lotuswordpro/source/filter/lwpobjstrm.hxx
+++ b/lotuswordpro/source/filter/lwpobjstrm.hxx
@@ -85,6 +85,7 @@ private:
     LwpSvStream* m_pStrm;
     bool m_bCompressed;
 public:
+    sal_uInt16 remainingSize() const;
     sal_uInt16 QuickRead(void* buf, sal_uInt16 len);
     sal_uInt16 GetPos() { return m_nReadPos; }
     void SeekRel(sal_uInt16 pos);