[Libreoffice-commits] core.git: vcl/source

Caolán McNamara (via logerrit) logerrit at kemper.freedesktop.org
Fri Aug 6 09:55:18 UTC 2021


 vcl/source/filter/svm/SvmReader.cxx |   38 ++++++++++++++++++++----------------
 1 file changed, 22 insertions(+), 16 deletions(-)

New commits:
commit fb41deb8b86a48d9dbfbd2e65ee342e39a94f4d9
Author:     Caolán McNamara <caolanm at redhat.com>
AuthorDate: Fri Aug 6 09:24:06 2021 +0100
Commit:     Caolán McNamara <caolanm at redhat.com>
CommitDate: Fri Aug 6 11:54:43 2021 +0200

    cid#1487034 Untrusted value as argument
    
    Change-Id: I7f50e8b1676d36a3675657d160c10196c08c26d4
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/120102
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/vcl/source/filter/svm/SvmReader.cxx b/vcl/source/filter/svm/SvmReader.cxx
index bee25f2f1e43..311a43fc8f50 100644
--- a/vcl/source/filter/svm/SvmReader.cxx
+++ b/vcl/source/filter/svm/SvmReader.cxx
@@ -655,19 +655,25 @@ rtl::Reference<MetaAction> SvmReader::TextHandler(ImplMetaReadData* pData)
     mrStream.ReadUInt16(nTmpLen);
 
     pAction->SetPoint(aPoint);
-    pAction->SetIndex(nTmpIndex);
-    pAction->SetLen(nTmpLen);
 
     if (aCompat.GetVersion() >= 2) // Version 2
         aStr = read_uInt16_lenPrefixed_uInt16s_ToOUString(mrStream);
 
-    if (nTmpIndex + nTmpLen > aStr.getLength())
+    if (nTmpIndex > aStr.getLength())
     {
-        SAL_WARN("vcl.gdi", "inconsistent offset and len");
-        pAction->SetIndex(0);
-        pAction->SetLen(aStr.getLength());
+        SAL_WARN("vcl.gdi", "inconsistent offset");
+        nTmpIndex = aStr.getLength();
     }
 
+    if (nTmpLen > aStr.getLength() - nTmpIndex)
+    {
+        SAL_WARN("vcl.gdi", "inconsistent len");
+        nTmpLen = aStr.getLength() - nTmpIndex;
+    }
+
+    pAction->SetIndex(nTmpIndex);
+    pAction->SetLen(nTmpLen);
+
     pAction->SetText(aStr);
 
     return pAction;
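Review bot: The second clamp in TextHandler is only safe because the index clamp runs first, and nothing in the code says so. `nTmpLen = aStr.getLength() - nTmpIndex` narrows a sal_Int32 difference into what is presumably a sal_uInt16 (the declaration is outside the hunk), and it stays in range only because nTmpIndex has already been limited to the string length. A comment above the second check, such as `// nTmpIndex <= aStr.getLength() here, so the difference is non-negative and fits`, would keep a later reorder from reintroducing a wrapped length. Separately, this handler now clamps a bad index or length while TextArrayHandler in the same commit still resets the index to 0, so malformed records are treated differently on the two paths; the commit message should say whether that is intended. TextHandler's body starts above the hunk.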
@@ -692,16 +698,14 @@ rtl::Reference<MetaAction> SvmReader::TextArrayHandler(ImplMetaReadData* pData)
 
     sal_uInt16 nTmpIndex(0);
     mrStream.ReadUInt16(nTmpIndex);
-    pAction->SetIndex(nTmpIndex);
 
     sal_uInt16 nTmpLen(0);
     mrStream.ReadUInt16(nTmpLen);
-    pAction->SetLen(nTmpLen);
 
     sal_Int32 nAryLen(0);
     mrStream.ReadInt32(nAryLen);
 
-    if (nTmpIndex + nTmpLen > aStr.getLength())
+    if (nTmpLen > aStr.getLength() - nTmpIndex)
     {
         SAL_WARN("vcl.gdi", "inconsistent offset and len");
         pAction->SetIndex(0);
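Review bot: The rewritten condition `nTmpLen > aStr.getLength() - nTmpIndex` has no separate test for an index past the end of the string; it relies on the signed difference going negative in that case, which a later change of types could silently break. I would add a comment above it, `// difference is negative when nTmpIndex > length, so an out-of-range index is rejected here too`, or put an explicit `nTmpIndex > aStr.getLength() ||` in front, matching the separate index check TextHandler now has. The same applies to the second copy of this check in the version 2 branch further down. The error branch continues past the end of this hunk.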
@@ -709,6 +713,9 @@ rtl::Reference<MetaAction> SvmReader::TextArrayHandler(ImplMetaReadData* pData)
         return pAction;
     }
 
+    pAction->SetIndex(nTmpIndex);
+    pAction->SetLen(nTmpLen);
+
     if (nAryLen)
     {
         // #i9762#, #106172# Ensure that DX array is at least mnLen entries long
@@ -740,7 +747,7 @@ rtl::Reference<MetaAction> SvmReader::TextArrayHandler(ImplMetaReadData* pData)
         aStr = read_uInt16_lenPrefixed_uInt16s_ToOUString(mrStream);
         pAction->SetText(aStr);
 
-        if (nTmpIndex + nTmpLen > aStr.getLength())
+        if (nTmpLen > aStr.getLength() - nTmpIndex)
         {
             SAL_WARN("vcl.gdi", "inconsistent offset and len");
             pAction->SetIndex(0);
@@ -795,7 +802,7 @@ rtl::Reference<MetaAction> SvmReader::TextRectHandler(ImplMetaReadData* pData)
     aSerializer.readRectangle(aRect);
     OUString aStr;
     aStr = mrStream.ReadUniOrByteString(pData->meActualCharSet);
-    sal_uInt16 nTmp;
+    sal_uInt16 nTmp(0);
     mrStream.ReadUInt16(nTmp);
 
     pAction->SetRect(aRect);
@@ -1219,9 +1226,8 @@ rtl::Reference<MetaAction> SvmReader::TextAlignHandler()
 {
     rtl::Reference<MetaTextAlignAction> pAction(new MetaTextAlignAction);
 
-    sal_uInt16 nTmp16(0);
-
     VersionCompatRead aCompat(mrStream);
+    sal_uInt16 nTmp16(0);
     mrStream.ReadUInt16(nTmp16);
 
     pAction->SetTextAlign(static_cast<TextAlign>(nTmp16));
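Review bot: `static_cast<TextAlign>(nTmp16)` still passes a 16-bit value read straight from the file to SetTextAlign without checking it against the enumerators; the commit only moves the declaration. If consumers of the action switch on or index by the alignment (not visible here), an out-of-range value from a malformed SVM file reaches them unchanged. I would validate nTmp16 against the defined TextAlign values and fall back to a default with a SAL_WARN, as the text handlers do for offset and length. The same pattern is in PushHandler, `static_cast<PushFlags>(nTmp)`, where masking to the defined flag bits would be the equivalent.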
@@ -1264,10 +1270,10 @@ rtl::Reference<MetaAction> SvmReader::PushHandler()
     rtl::Reference<MetaPushAction> pAction(new MetaPushAction);
 
     VersionCompatRead aCompat(mrStream);
-    sal_uInt16 tmp;
-    mrStream.ReadUInt16(tmp);
+    sal_uInt16 nTmp(0);
+    mrStream.ReadUInt16(nTmp);
 
-    pAction->SetPushFlags(static_cast<PushFlags>(tmp));
+    pAction->SetPushFlags(static_cast<PushFlags>(nTmp));
 
     return pAction;
 }

