[Libreoffice-commits] core.git: emfio/source

Caolán McNamara caolanm at redhat.com
Thu Feb 8 14:59:10 UTC 2018 

 emfio/source/reader/wmfreader.cxx |   28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)

New commits:
commit 37e5c9efb19224974a3861eae18e16d6432c6bde
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Thu Feb 8 11:13:47 2018 +0000

    ofz: timeout
    
    Change-Id: I3eff48549761aa8fa2569cd23c122f98fb2ea491
    Reviewed-on: https://gerrit.libreoffice.org/49419
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/emfio/source/reader/wmfreader.cxx b/emfio/source/reader/wmfreader.cxx
index e0822757eefe..983fe70a1a4e 100644
--- a/emfio/source/reader/wmfreader.cxx
+++ b/emfio/source/reader/wmfreader.cxx
@@ -511,14 +511,30 @@ namespace emfio
 
             case W_META_TEXTOUT:
             {
+                //record is Recordsize, RecordFunction, StringLength, <String>, YStart, XStart
+                const sal_uInt32 nNonStringLen = sizeof(sal_uInt32) + 4 * sizeof(sal_uInt16);
+                const sal_uInt32 nRecSize = mnRecSize * 2;
                 sal_uInt16 nLength = 0;
-                mpInputStream->ReadUInt16( nLength );
-                if ( nLength )
+                mpInputStream->ReadUInt16(nLength);
+                sal_uInt16 nStoredLength = (nLength + 1) &~ 1;
+
+                if (nRecSize < nNonStringLen)
+                {
+                    SAL_WARN("vcl.wmf", "W_META_TEXTOUT too short");
+                    break;
+                }
+
+                if (nRecSize - nNonStringLen < nStoredLength)
+                {
+                    SAL_WARN("vcl.wmf", "W_META_TEXTOUT too short, truncating string");
+                    nLength = nStoredLength = nRecSize - nNonStringLen;
+                }
+
+                if (nLength)
                 {
-                    std::unique_ptr<char[]> pChar(new char[ ( nLength + 1 ) &~ 1 ]);
-                    nLength = std::min<sal_uInt64>(nLength, mpInputStream->ReadBytes(pChar.get(), (nLength + 1) &~ 1));
-                    OUString aText( pChar.get(), nLength, GetCharSet() );
-                    pChar.reset();
+                    std::vector<char> aChars(nStoredLength);
+                    nLength = std::min<sal_uInt16>(nLength, mpInputStream->ReadBytes(aChars.data(), aChars.size()));
+                    OUString aText(aChars.data(), nLength, GetCharSet());
                     Point aPosition( ReadYX() );
                     DrawText( aPosition, aText );
                 }

More information about the Libreoffice-commits mailing list