[Libreoffice-commits] libcdr.git: src/lib
David Tardon
dtardon at redhat.com
Fri Sep 15 19:39:11 UTC 2017
src/lib/CMXParser.cpp | 6 ++++++
1 file changed, 6 insertions(+)
New commits:
commit 30fa9bc78c1112ebb0a6778d0b8120b9a1fa8ab5
Author: David Tardon <dtardon at redhat.com>
Date: Fri Sep 15 21:33:54 2017 +0200
cid#1371577 sanitize loop bounds
Change-Id: Iaeff2dbce1cd8b5cd5863c77ae20adf6eb698076
diff --git a/src/lib/CMXParser.cpp b/src/lib/CMXParser.cpp
index 625867d..26fd3e4 100644
--- a/src/lib/CMXParser.cpp
+++ b/src/lib/CMXParser.cpp
@@ -1142,6 +1142,8 @@ bool libcdr::CMXParser::readFill(librevenge::RVNGInputStream *input)
case CMX_Tag_RenderAttr_FillSpec_Fountain_Color:
{
unsigned short colorCount = readU16(input, m_bigEndian);
+ if (colorCount > getRemainingLength(input) / 4)
+ colorCount = getRemainingLength(input) / 4;
for (unsigned short i = 0; i < colorCount; ++i)
{
unsigned short colorRef = readU16(input, m_bigEndian);
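Review bot: The clamp on `colorCount` silently truncates a count read from the file, so a malformed fountain fill is parsed as if it were well-formed; the same pattern recurs in the second `colorCount` hunk and in the `count` hunk (there with divisor 2). The divisor 4 is unexplained, and because the loop body continues outside this hunk only its first 2-byte `readU16` is visible, so the per-entry size cannot be confirmed here. I would compute the bound once and name it, `const unsigned long maxColors = getRemainingLength(input) / 4; // bytes consumed per loop iteration` followed by `if (colorCount > maxColors) colorCount = (unsigned short)maxColors;`, and emit a debug message when the clamp fires so truncated input is noticeable. It is also worth confirming whether getRemainingLength reports what is left in the current tag or in the whole stream, since in the latter case the bound is looser than the record allows.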
@@ -1173,6 +1175,8 @@ bool libcdr::CMXParser::readFill(librevenge::RVNGInputStream *input)
/* unsigned short steps = */ readU16(input, m_bigEndian);
gradient.m_mode = (unsigned char)(readU16(input, m_bigEndian) & 0xff);
unsigned short colorCount = readU16(input, m_bigEndian);
+ if (colorCount > getRemainingLength(input) / 4)
+ colorCount = getRemainingLength(input) / 4;
for (unsigned short i = 0; i < colorCount; ++i)
{
unsigned short colorRef = readU16(input, m_bigEndian);
@@ -1193,6 +1197,8 @@ bool libcdr::CMXParser::readFill(librevenge::RVNGInputStream *input)
{
/* unsigned atom = */ readU32(input, m_bigEndian);
unsigned short count = readU16(input, m_bigEndian);
+ if (count > getRemainingLength(input) / 2)
+ count = getRemainingLength(input) / 2;
for (unsigned short i = 0; i < count; ++i)
readU16(input, m_bigEndian);
readString(input);
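Review bot: When `count` is clamped to `getRemainingLength(input) / 2`, the loop consumes all remaining input except at most one byte, so the `readString(input)` that follows runs at the end of the stream. Whether readString tolerates that is not visible in this hunk, and the enclosing case starts outside it. If a false return is how readFill reports malformed input, rejecting the record may be safer than clamping: `if (count > getRemainingLength(input) / 2) return false;`.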