[Libreoffice-commits] core.git: Branch 'libreoffice-5-3' - vcl/source
Caolán McNamara
caolanm at redhat.com
Mon Sep 18 10:24:21 UTC 2017
vcl/source/gdi/jobset.cxx | 22 +++++++++++++++-------
1 file changed, 15 insertions(+), 7 deletions(-)
New commits:
commit 1eb3822d74f535f75aa336b27568ee8a6084c4dd
Author: Caolán McNamara <caolanm at redhat.com>
Date: Sun Sep 17 17:38:39 2017 +0100
detect corrupted job setup
Change-Id: I0d3b4850c3d4c015a0a7e5d36d87113a749c7e0f
Reviewed-on: https://gerrit.libreoffice.org/42385
Tested-by: Jenkins <ci at libreoffice.org>
Reviewed-by: Michael Stahl <mstahl at redhat.com>
diff --git a/vcl/source/gdi/jobset.cxx b/vcl/source/gdi/jobset.cxx
index f80e246a5c68..31ee4f08dca5 100644
--- a/vcl/source/gdi/jobset.cxx
+++ b/vcl/source/gdi/jobset.cxx
@@ -239,7 +239,7 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
sal_uInt16 nSystem = 0;
rIStream.ReadUInt16( nSystem );
- const size_t nRead = nLen - sizeof(nLen) - sizeof(nSystem);
+ size_t nRead = nLen - sizeof(nLen) - sizeof(nSystem);
if (nRead > rIStream.remainingSize())
{
SAL_WARN("vcl", "Parsing error: " << rIStream.remainingSize() <<
@@ -248,7 +248,7 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
}
sal_uInt64 const nFirstPos = rIStream.Tell();
std::unique_ptr<char[]> pTempBuf(new char[nRead]);
- rIStream.ReadBytes(pTempBuf.get(), nRead);
+ nRead = rIStream.ReadBytes(pTempBuf.get(), nRead);
if (nRead >= sizeof(ImplOldJobSetupData))
{
ImplOldJobSetupData* pData = reinterpret_cast<ImplOldJobSetupData*>(pTempBuf.get());
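Review bot: The reassignment `nRead = rIStream.ReadBytes(pTempBuf.get(), nRead);` carries the invariant that every later bounds check relies on, and it deserves a comment, because `pTempBuf` comes from `new char[nRead]` and is not zero-initialised. Something like `// ReadBytes may return fewer bytes than requested; from here on nRead is the number of valid bytes in pTempBuf` would stop a later edit from restoring the `const` and bounding checks by the requested length again. ReadJobSetup begins and ends outside the hunk.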
@@ -278,11 +278,19 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
rJobData.SetPaperHeight( (long)SVBT32ToUInt32( pOldJobData->nPaperHeight ) );
if ( rJobData.GetDriverDataLen() )
{
- const sal_uInt8* pDriverData = reinterpret_cast<sal_uInt8*>(pOldJobData) + nOldJobDataSize;
- sal_uInt8* pNewDriverData = static_cast<sal_uInt8*>(
- rtl_allocateMemory( rJobData.GetDriverDataLen() ));
- memcpy( pNewDriverData, pDriverData, rJobData.GetDriverDataLen() );
- rJobData.SetDriverData( pNewDriverData );
+ const char* pDriverData = reinterpret_cast<const char*>(pOldJobData) + nOldJobDataSize;
+ const char* pDriverDataEnd = pDriverData + rJobData.GetDriverDataLen();
+ if (pDriverDataEnd > pTempBuf.get() + nRead)
+ {
+ SAL_WARN("vcl", "corrupted job setup");
+ }
+ else
+ {
+ sal_uInt8* pNewDriverData = static_cast<sal_uInt8*>(
+ rtl_allocateMemory( rJobData.GetDriverDataLen() ));
+ memcpy( pNewDriverData, pDriverData, rJobData.GetDriverDataLen() );
+ rJobData.SetDriverData( pNewDriverData );
+ }
}
if( nSystem == JOBSET_FILE605_SYSTEM )
{
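Review bot: The check `if (pDriverDataEnd > pTempBuf.get() + nRead)` compares pointers built by adding file-controlled lengths, so `pDriverData + rJobData.GetDriverDataLen()` may already point far outside the `nRead`-byte buffer. That is undefined behaviour, and if the address wraps on a 32-bit build the comparison no longer rejects the length. Comparing sizes avoids this: hold the driver-data offset within the buffer as a `size_t nOffset` and test `nOffset > nRead || rJobData.GetDriverDataLen() > nRead - nOffset` before forming any pointer. `nOldJobDataSize` is set outside this hunk, as are the start and end of ReadJobSetup, so whether it is validated against `nRead` should be confirmed. The corrupted branch also leaves `rJobData` reporting a non-zero driver data length with no driver data set; adding `rJobData.SetDriverDataLen(0);` there would keep the two consistent.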