[Libreoffice-commits] core.git: filter/source sd/qa

Caolán McNamara (via logerrit) logerrit at kemper.freedesktop.org
Fri Jan 1 21:07:47 UTC 2021 

 filter/source/msfilter/msdffimp.cxx |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

New commits:
commit f400e883044143f999c460375a293647b4a57244
Author:     Caolán McNamara <caolanm at redhat.com>
AuthorDate: Fri Jan 1 19:17:30 2021 +0000
Commit:     Caolán McNamara <caolanm at redhat.com>
CommitDate: Fri Jan 1 22:07:04 2021 +0100

    ofz#29151 short read
    
    Change-Id: I908d19903ff0b16f5c6a87b8aa989b6a410a7b3a
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/108563
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/filter/source/msfilter/msdffimp.cxx b/filter/source/msfilter/msdffimp.cxx
index bed7bdcc283d..442509617f91 100644
--- a/filter/source/msfilter/msdffimp.cxx
+++ b/filter/source/msfilter/msdffimp.cxx
@@ -4183,9 +4183,11 @@ SdrObject* SvxMSDffManager::ImportShape( const DffRecordHeader& rHd, SvStream& r
     if( maShapeRecords.SeekToContent( rSt,
         DFF_msofbtUDefProp ) )
     {
-        sal_uInt32  nBytesLeft = maShapeRecords.Current()->nRecLen;
+        sal_uInt32 nBytesLeft = maShapeRecords.Current()->nRecLen;
         while( 5 < nBytesLeft )
         {
+            if (rSt.remainingSize() < 6)
+                break;
             sal_uInt16 nPID(0);
             rSt.ReadUInt16(nPID);
             if (!rSt.good())
@@ -4199,11 +4201,11 @@ SdrObject* SvxMSDffManager::ImportShape( const DffRecordHeader& rHd, SvStream& r
                 mbRotateGranientFillWithAngle = nUDData & 0x20;
                 break;
             }
-            nBytesLeft  -= 6;
+            nBytesLeft -= 6;
         }
     }
     aObjData.bShapeType = maShapeRecords.SeekToContent( rSt, DFF_msofbtSp );
-    if ( aObjData.bShapeType )
+    if (aObjData.bShapeType && rSt.remainingSize() >= 8)
     {
         sal_uInt32 temp;
         rSt.ReadUInt32( aObjData.nShapeId )
@@ -4247,7 +4249,7 @@ SdrObject* SvxMSDffManager::ImportShape( const DffRecordHeader& rHd, SvStream& r
     }
 
     aObjData.bChildAnchor = maShapeRecords.SeekToContent( rSt, DFF_msofbtChildAnchor, SEEK_FROM_CURRENT_AND_RESTART );
-    if ( aObjData.bChildAnchor )
+    if (aObjData.bChildAnchor && rSt.remainingSize() >= 16)
     {
         sal_Int32 l(0), o(0), r(0), u(0);
         rSt.ReadInt32( l ).ReadInt32( o ).ReadInt32( r ).ReadInt32( u );
diff --git a/sd/qa/unit/data/ppt/fail/hang-19.ppt b/sd/qa/unit/data/ppt/pass/hang-19.ppt
similarity index 100%
rename from sd/qa/unit/data/ppt/fail/hang-19.ppt
rename to sd/qa/unit/data/ppt/pass/hang-19.ppt

More information about the Libreoffice-commits mailing list