[Libreoffice-commits] core.git: emfio/source

Caolán McNamara caolanm at redhat.com
Sat Sep 30 10:24:25 UTC 2017


 emfio/source/reader/emfreader.cxx |    7 +++++--
 emfio/source/reader/mtftools.cxx  |   34 ++++++++++++++++++++++------------
 2 files changed, 27 insertions(+), 14 deletions(-)

New commits:
commit e8879de7bcd940fd1a92e426d807777162fa1f73
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Fri Sep 29 15:26:59 2017 +0100

    ofz+ubsan
    
    Change-Id: I03f4bae4dd35eea9b5d3996e0655ca9a2ccd6a5f
    Reviewed-on: https://gerrit.libreoffice.org/42944
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/emfio/source/reader/emfreader.cxx b/emfio/source/reader/emfreader.cxx
index 8203951029f8..e9ff29010ebd 100644
--- a/emfio/source/reader/emfreader.cxx
+++ b/emfio/source/reader/emfreader.cxx
@@ -22,6 +22,7 @@
 #include <basegfx/matrix/b2dhommatrix.hxx>
 #include <vcl/dibtools.hxx>
 #include <o3tl/make_unique.hxx>
+#include <o3tl/safeint.hxx>
 #include <tools/stream.hxx>
 #include <memory>
 
@@ -1590,8 +1591,10 @@ namespace emfio
                             }
 
                             std::unique_ptr<long[]> pDXAry, pDYAry;
-                            sal_Int32 nDxSize = nLen * ((nOptions & ETO_PDY) ? 8 : 4);
-                            if ( offDx && (( nCurPos + offDx + nDxSize ) <= nNextPos ) && nNextPos <= mnEndPos )
+
+                            sal_Int32 nDxSize;
+                            bool bOverflow = o3tl::checked_multiply<sal_Int32>(nLen, (nOptions & ETO_PDY) ? 8 : 4, nDxSize);
+                            if (!bOverflow && offDx && ((nCurPos + offDx + nDxSize) <= nNextPos ) && nNextPos <= mnEndPos)
                             {
                                 mpInputStream->Seek( nCurPos + offDx );
                                 pDXAry.reset( new long[aText.getLength()] );
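Review bot: The sum in `(nCurPos + offDx + nDxSize) <= nNextPos` is still computed without an overflow check; only the multiplication is covered by the new `o3tl::checked_multiply` call. offDx is read from the record, so if these operands are 32-bit (their declarations are outside the hunk) a large value could wrap the sum and pass the comparison before the `Seek`. A negative nLen would also give a negative nDxSize that shrinks the sum. Consider rejecting `nDxSize < 0` and comparing by subtraction, e.g. `offDx <= nNextPos - nCurPos && sal_uInt32(nDxSize) <= nNextPos - nCurPos - offDx`, provided nNextPos >= nCurPos is already guaranteed at this point. The enclosing record handler starts and ends outside the hunk.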
diff --git a/emfio/source/reader/mtftools.cxx b/emfio/source/reader/mtftools.cxx
index 212b93fc5b9f..7f8d477c7b22 100644
--- a/emfio/source/reader/mtftools.cxx
+++ b/emfio/source/reader/mtftools.cxx
@@ -386,16 +386,24 @@ namespace emfio
                     break;
                     default :
                     {
-                        fX2 -= mnWinOrgX;
-                        fY2 -= mnWinOrgY;
-                        fX2 /= mnWinExtX;
-                        fY2 /= mnWinExtY;
-                        fX2 *= mnDevWidth;
-                        fY2 *= mnDevHeight;
-                        fX2 += mnDevOrgX;
-                        fY2 += mnDevOrgY;   // fX2, fY2 now in device units
-                        fX2 *= (double)mnMillX * 100.0 / (double)mnPixX;
-                        fY2 *= (double)mnMillY * 100.0 / (double)mnPixY;
+                        if (mnPixX == 0 || mnPixY == 0)
+                        {
+                            SAL_WARN("vcl.emf", "invalid scaling factor");
+                            return Point();
+                        }
+                        else
+                        {
+                            fX2 -= mnWinOrgX;
+                            fY2 -= mnWinOrgY;
+                            fX2 /= mnWinExtX;
+                            fY2 /= mnWinExtY;
+                            fX2 *= mnDevWidth;
+                            fY2 *= mnDevHeight;
+                            fX2 += mnDevOrgX;
+                            fY2 += mnDevOrgY;   // fX2, fY2 now in device units
+                            fX2 *= (double)mnMillX * 100.0 / (double)mnPixX;
+                            fY2 *= (double)mnMillY * 100.0 / (double)mnPixY;
+                        }
                     }
                     break;
                 }
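Review bot: The new guard tests mnPixX and mnPixY, but `fX2 /= mnWinExtX` and `fY2 /= mnWinExtY` in the same branch still divide by values that are not checked here. Unless the window extents are validated as non-zero where they are set (not visible in this hunk), a zero extent from the file would produce an infinite or NaN coordinate that is presumably converted to an integer Point afterwards. Extending the condition to `if (mnPixX == 0 || mnPixY == 0 || mnWinExtX == 0 || mnWinExtY == 0)` would keep the whole mapping behind one check. The enclosing function begins and ends outside the hunk.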
@@ -1421,7 +1429,8 @@ namespace emfio
                 // #i121382# Map DXArray using WorldTransform
                 const Size aSizeX(ImplMap(Size(nSumX, 0)));
                 const basegfx::B2DVector aVectorX(aSizeX.Width(), aSizeX.Height());
-                pDXArry[i] = basegfx::fround(aVectorX.getLength()) * (nSumX >= 0 ? 1 : -1);
+                pDXArry[i] = basegfx::fround(aVectorX.getLength());
+                pDXArry[i] *= (nSumX >= 0 ? 1 : -1);
 
                 if (pDYArry)
                 {
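Review bot: The two-statement form `pDXArry[i] = basegfx::fround(aVectorX.getLength());` followed by `pDXArry[i] *= (nSumX >= 0 ? 1 : -1);` carries no comment saying why it is split, and it removes the signed overflow only if the array element type is wider than fround's sal_Int32 result (the element type is declared outside the hunk). Where that element type is 32 bits, negating an out-of-range rounded value still overflows, so clamping the length before rounding would be more robust than relying on the wider multiply. At minimum add a comment such as `// multiply in the element type: fround() result * -1 can overflow sal_Int32` so the statements are not folded back into one expression. The same applies to the `pDYArry[i]` lines in the following hunk.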
@@ -1430,7 +1439,8 @@ namespace emfio
                     const Size aSizeY(ImplMap(Size(0, nSumY)));
                     const basegfx::B2DVector aVectorY(aSizeY.Width(), aSizeY.Height());
                     // Reverse Y
-                    pDYArry[i] = basegfx::fround(aVectorY.getLength()) * (nSumY >= 0 ? -1 : 1);
+                    pDYArry[i] = basegfx::fround(aVectorY.getLength());
+                    pDYArry[i] *= (nSumY >= 0 ? -1 : 1);
                 }
             }
         }

