[Libreoffice-commits] core.git: Branch 'aoo/trunk' - filter/source
Damjan Jovanovic
damjan at apache.org
Sun Oct 22 18:10:40 UTC 2017
filter/source/graphicfilter/idxf/dxfentrd.cxx | 45 ++++++++++++++++++++++----
filter/source/graphicfilter/idxf/dxfgrprd.cxx | 23 ++++++++-----
2 files changed, 53 insertions(+), 15 deletions(-)
New commits:
commit eb00260f8c5bc2225ba190d8d086f3b1f92212af
Author: Damjan Jovanovic <damjan at apache.org>
Date: Sun Oct 22 16:47:12 2017 +0000
Fix OSS-Fuzz issues #414, #415 and #416, which crash AOO due to
number parsing errors, missing checks for negative array lengths,
and the memory exhaustion that these problems eventually cause.
Patch by: me
diff --git a/filter/source/graphicfilter/idxf/dxfentrd.cxx b/filter/source/graphicfilter/idxf/dxfentrd.cxx
index de79b4a918a7..58986b40f6f0 100644
--- a/filter/source/graphicfilter/idxf/dxfentrd.cxx
+++ b/filter/source/graphicfilter/idxf/dxfentrd.cxx
@@ -433,8 +433,19 @@ void DXFLWPolyLineEntity::EvaluateGroup( DXFGroupReader & rDGR )
case 90 :
{
nCount = rDGR.GetI();
- if ( nCount )
- pP = new DXFVector[ nCount ];
+ if ( rDGR.GetStatus() && nCount >= 0 )
+ {
+ try
+ {
+ pP = new DXFVector[ nCount ];
+ }
+ catch (::std::bad_alloc)
+ {
+ rDGR.SetError();
+ }
+ }
+ else
+ rDGR.SetError();
}
break;
case 70: nFlags = rDGR.GetI(); break;
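Review bot: On both failure paths of the `case 90` branch (the `else` and the `catch`), `nCount` keeps the value read from the file while `pP` is not assigned, so the count and the allocation can disagree after `rDGR.SetError()`. Adding `nCount = 0;` beside each `rDGR.SetError();` keeps the invariant that `nCount` never exceeds the allocated length, whatever later readers check. A repeated group 90 in one entity would also overwrite `pP` without a `delete[]`; that predates this commit but is reachable from the same malformed input. The `case 93` hunk (`nPointCount`/`pP`) and the `nBoundaryPathCount`/`pBoundaryPathData` hunk have the same shape. The enclosing functions extend beyond these hunks, so whether the code that indexes these arrays also tests the pointer cannot be confirmed from here.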
@@ -611,8 +622,19 @@ sal_Bool DXFBoundaryPathData::EvaluateGroup( DXFGroupReader & rDGR )
case 93 :
{
nPointCount = rDGR.GetI();
- if ( nPointCount )
- pP = new DXFVector[ nPointCount ];
+ if ( rDGR.GetStatus() && nPointCount >= 0 )
+ {
+ try
+ {
+ pP = new DXFVector[ nPointCount ];
+ }
+ catch (::std::bad_alloc)
+ {
+ rDGR.SetError();
+ }
+ }
+ else
+ rDGR.SetError();
}
break;
case 72 : nHasBulgeFlag = rDGR.GetI(); break;
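Review bot: `catch (::std::bad_alloc)` takes the exception by value; the conventional form is `catch (const ::std::bad_alloc&)`, which avoids the copy and any slicing of a derived exception type. The same handler is written this way in the `case 90` hunk above and in the `DXFHatchEntity::EvaluateGroup` hunk below. The name comes from `<new>`, and the include list is outside this hunk, so it is worth confirming it is included directly.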
@@ -690,8 +712,19 @@ void DXFHatchEntity::EvaluateGroup( DXFGroupReader & rDGR )
{
bIsInBoundaryPathContext = sal_True;
nBoundaryPathCount = rDGR.GetI();
- if ( nBoundaryPathCount )
- pBoundaryPathData = new DXFBoundaryPathData[ nBoundaryPathCount ];
+ if ( rDGR.GetStatus() && nBoundaryPathCount >= 0 )
+ {
+ try
+ {
+ pBoundaryPathData = new DXFBoundaryPathData[ nBoundaryPathCount ];
+ }
+ catch (::std::bad_alloc)
+ {
+ rDGR.SetError();
+ }
+ }
+ else
+ rDGR.SetError();
}
break;
case 75 :
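Review bot: `nBoundaryPathCount` is only checked for being non-negative, so a very small file can still request an arbitrarily large `DXFBoundaryPathData` array. The `bad_alloc` handler covers only the case where the allocator refuses; when the allocation succeeds, memory use scales with a number the file declares rather than with the data it contains. A sanity limit before `new[]`, such as rejecting counts larger than the remaining input could encode, would bound this. The stream length is not visible in this hunk, so the exact limit is the author's call. The same applies to `nCount` and `nPointCount` in the two earlier hunks.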
diff --git a/filter/source/graphicfilter/idxf/dxfgrprd.cxx b/filter/source/graphicfilter/idxf/dxfgrprd.cxx
index 23f386d9e0d7..f94e30c64711 100644
--- a/filter/source/graphicfilter/idxf/dxfgrprd.cxx
+++ b/filter/source/graphicfilter/idxf/dxfgrprd.cxx
@@ -299,7 +299,6 @@ void DXFGroupReader::ReadLine(char * ptgt)
long DXFGroupReader::ReadI()
{
char sl[DXF_MAX_STRING_LEN+1],*p;
- long res,nv;
ReadLine(sl);
@@ -312,17 +311,23 @@ long DXFGroupReader::ReadI()
return 0;
}
+ char *start = p;
if (*p=='-') {
- nv=-1;
p++;
}
- else nv=1;
-
- res=0;
- do {
- res=res*10+(long)(*p-'0');
+ while (*p>='0' && *p<='9') {
p++;
- } while (*p>='0' && *p<='9');
+ }
+
+ char prev = *p;
+ *p = '\0';
+ char *end;
+ long res = strtol(start, &end, 10);
+ *p = prev;
+ if (end != p) {
+ bStatus=sal_False;
+ return 0;
+ }
while (*p==0x20) p++;
if (*p!=0) {
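Review bot: An out-of-range number still passes the new `end != p` check, because `strtol` consumes every digit and returns `LONG_MAX` or `LONG_MIN` with `errno` set to `ERANGE`, so the clamped value is returned as if it were valid. Putting `errno = 0;` before the `strtol` call and changing the test to `if (end != p || errno == ERANGE) {` would make overflow set `bStatus=sal_False` like the other parse failures. This needs `<errno.h>`, and the include list is outside the hunk. Callers that store the result in an integer type narrower than `long` may need their own range check; they are not visible here. `ReadI` begins before this hunk and ends after it.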
@@ -330,7 +335,7 @@ long DXFGroupReader::ReadI()
return 0;
}
- return res*nv;
+ return res;
}