[Libreoffice-commits] libvisio.git: 2 commits - src/lib

David Tardon dtardon at redhat.com
Sat Oct 21 14:41:33 UTC 2017 

 src/lib/VSDParser.cpp |   42 ++++++++++++++++++++----------------------
 1 file changed, 20 insertions(+), 22 deletions(-)

New commits:
commit 85529f5490b7b5d8ec3e8231db3b5640bce58839
Author: David Tardon <dtardon at redhat.com>
Date:   Sat Oct 21 16:12:06 2017 +0200

    be explicit
    
    Change-Id: I7b140fe35f32c96f51f21c67597a9e759cdca9e8

diff --git a/src/lib/VSDParser.cpp b/src/lib/VSDParser.cpp
index c6a996e..7ec88ae 100644
--- a/src/lib/VSDParser.cpp
+++ b/src/lib/VSDParser.cpp
@@ -22,18 +22,6 @@
 #include "VSDStylesCollector.h"
 #include "VSDMetaData.h"
 
-namespace
-{
-
-void sanitizeListLength(uint32_t &length, const std::size_t elem, librevenge::RVNGInputStream *const input)
-{
-  const unsigned long maxLength = libvisio::getRemainingLength(input) / elem;
-  if (length > maxLength)
-    length = maxLength;
-}
-
-}
-
 libvisio::VSDParser::VSDParser(librevenge::RVNGInputStream *input, librevenge::RVNGDrawingInterface *painter, librevenge::RVNGInputStream *container)
   : m_input(input), m_painter(painter), m_container(container), m_header(), m_collector(nullptr), m_shapeList(), m_currentLevel(0),
     m_stencils(), m_currentStencil(nullptr), m_shape(), m_isStencilStarted(false), m_isInStyles(false),
@@ -824,7 +812,8 @@ void libvisio::VSDParser::readNameIDX(librevenge::RVNGInputStream *input)
 {
   std::map<unsigned, VSDName> names;
   unsigned recordCount = readU32(input);
-  sanitizeListLength(recordCount, 13, input);
+  if (recordCount > getRemainingLength(input) / 13)
+    recordCount = getRemainingLength(input) / 13;
   for (unsigned i = 0; i < recordCount; ++i)
   {
     unsigned nameId = readU32(input);
@@ -1629,7 +1618,8 @@ void libvisio::VSDParser::readShapeData(librevenge::RVNGInputStream *input)
     unsigned char xType = readU8(input);
     unsigned char yType = readU8(input);
     unsigned pointCount = readU32(input);
-    sanitizeListLength(pointCount, 16, input);
+    if (pointCount > getRemainingLength(input) / 16)
+      pointCount = getRemainingLength(input) / 16;
 
     for (unsigned i = 0; i < pointCount; i++)
     {
@@ -1654,7 +1644,8 @@ void libvisio::VSDParser::readShapeData(librevenge::RVNGInputStream *input)
     unsigned char xType = readU8(input);
     unsigned char yType = readU8(input);
     unsigned pointCount = readU32(input);
-    sanitizeListLength(pointCount, 32, input);
+    if (pointCount > getRemainingLength(input) / 32)
+      pointCount = getRemainingLength(input) / 32;
 
     std::vector<double> knotVector;
     std::vector<std::pair<double, double> > controlPoints;
commit a0694f22ddf9ba2fa8a33940ac4761d48b0eef46
Author: David Tardon <dtardon at redhat.com>
Date:   Sat Oct 21 16:08:53 2017 +0200

    check length, not number of elements
    
    Regression since commit cf0303b0ca57d3f54aa50686d38aaa149c02d034
    "oss-fuzz: avoid big allocations".
    
    Change-Id: Ib0520513469d1de8c00085d1a86b9885b67873da

diff --git a/src/lib/VSDParser.cpp b/src/lib/VSDParser.cpp
index 69d3d56..c6a996e 100644
--- a/src/lib/VSDParser.cpp
+++ b/src/lib/VSDParser.cpp
@@ -946,7 +946,8 @@ void libvisio::VSDParser::readGeomList(librevenge::RVNGInputStream *input)
     uint32_t childrenListLength = readU32(input);
     input->seek(subHeaderLength, librevenge::RVNG_SEEK_CUR);
     std::vector<unsigned> geometryOrder;
-    sanitizeListLength(childrenListLength, 4, input);
+    if (childrenListLength > getRemainingLength(input))
+      childrenListLength = getRemainingLength(input);
     geometryOrder.reserve(childrenListLength / sizeof(uint32_t));
     for (unsigned i = 0; i < (childrenListLength / sizeof(uint32_t)); i++)
       geometryOrder.push_back(readU32(input));
@@ -971,7 +972,8 @@ void libvisio::VSDParser::readCharList(librevenge::RVNGInputStream *input)
     uint32_t subHeaderLength = readU32(input);
     uint32_t childrenListLength = readU32(input);
     input->seek(subHeaderLength, librevenge::RVNG_SEEK_CUR);
-    sanitizeListLength(childrenListLength, 4, input);
+    if (childrenListLength > getRemainingLength(input))
+      childrenListLength = getRemainingLength(input);
     std::vector<unsigned> characterOrder;
     characterOrder.reserve(childrenListLength / sizeof(uint32_t));
     for (unsigned i = 0; i < (childrenListLength / sizeof(uint32_t)); i++)
@@ -992,7 +994,8 @@ void libvisio::VSDParser::readParaList(librevenge::RVNGInputStream *input)
     uint32_t subHeaderLength = readU32(input);
     uint32_t childrenListLength = readU32(input);
     input->seek(subHeaderLength, librevenge::RVNG_SEEK_CUR);
-    sanitizeListLength(childrenListLength, 4, input);
+    if (childrenListLength > getRemainingLength(input))
+      childrenListLength = getRemainingLength(input);
     std::vector<unsigned> paragraphOrder;
     paragraphOrder.reserve(childrenListLength / sizeof(uint32_t));
     for (unsigned i = 0; i < (childrenListLength / sizeof(uint32_t)); i++)
@@ -1017,7 +1020,8 @@ void libvisio::VSDParser::readTabsDataList(librevenge::RVNGInputStream *input)
     uint32_t subHeaderLength = readU32(input);
     uint32_t childrenListLength = readU32(input);
     input->seek(subHeaderLength, librevenge::RVNG_SEEK_CUR);
-    sanitizeListLength(childrenListLength, 4, input);
+    if (childrenListLength > getRemainingLength(input))
+      childrenListLength = getRemainingLength(input);
     std::vector<unsigned> tabsOrder;
     tabsOrder.reserve(childrenListLength / sizeof(uint32_t));
     for (unsigned i = 0; i < (childrenListLength / sizeof(uint32_t)); i++)
@@ -1036,7 +1040,8 @@ void libvisio::VSDParser::readLayerList(librevenge::RVNGInputStream *input)
     uint32_t subHeaderLength = readU32(input);
     uint32_t childrenListLength = readU32(input);
     input->seek(subHeaderLength, librevenge::RVNG_SEEK_CUR);
-    sanitizeListLength(childrenListLength, 4, input);
+    if (childrenListLength > getRemainingLength(input))
+      childrenListLength = getRemainingLength(input);
     std::vector<unsigned> layerOrder;
     layerOrder.reserve(childrenListLength / sizeof(uint32_t));
     for (unsigned i = 0; i < (childrenListLength / sizeof(uint32_t)); i++)
@@ -1210,7 +1215,8 @@ void libvisio::VSDParser::readShapeList(librevenge::RVNGInputStream *input)
     uint32_t subHeaderLength = readU32(input);
     uint32_t childrenListLength = readU32(input);
     input->seek(subHeaderLength, librevenge::RVNG_SEEK_CUR);
-    sanitizeListLength(childrenListLength, sizeof(uint32_t), input);
+    if (childrenListLength > getRemainingLength(input))
+      childrenListLength = getRemainingLength(input);
     std::vector<unsigned> shapeOrder;
     shapeOrder.reserve(childrenListLength / sizeof(uint32_t));
     for (unsigned i = 0; i < (childrenListLength / sizeof(uint32_t)); i++)
@@ -1722,7 +1728,8 @@ void libvisio::VSDParser::readFieldList(librevenge::RVNGInputStream *input)
     uint32_t subHeaderLength = readU32(input);
     uint32_t childrenListLength = readU32(input);
     input->seek(subHeaderLength, librevenge::RVNG_SEEK_CUR);
-    sanitizeListLength(childrenListLength, sizeof(uint32_t), input);
+    if (childrenListLength > getRemainingLength(input))
+      childrenListLength = getRemainingLength(input);
     std::vector<unsigned> fieldOrder;
     fieldOrder.reserve(childrenListLength / sizeof(uint32_t));
     for (unsigned i = 0; i < (childrenListLength / sizeof(uint32_t)); i++)

More information about the Libreoffice-commits mailing list