[Libreoffice-commits] core.git: vcl/source

Caolán McNamara (via logerrit) logerrit at kemper.freedesktop.org
Wed Jul 14 20:39:23 UTC 2021 

 vcl/source/filter/svm/SvmReader.cxx |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

New commits:
commit 9e2b0a7399bb53cba9ae4cdb3b0e2cbbe04d602d
Author:     Caolán McNamara <caolanm at redhat.com>
AuthorDate: Wed Jul 14 20:25:06 2021 +0100
Commit:     Caolán McNamara <caolanm at redhat.com>
CommitDate: Wed Jul 14 22:38:42 2021 +0200

    cid#1487034 Untrusted value as argument
    
    Change-Id: I2c0edac58b92b9d828c62ff3b8859f23ed1d3c85
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/118954
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/vcl/source/filter/svm/SvmReader.cxx b/vcl/source/filter/svm/SvmReader.cxx
index 56197443757d..f8336068a0ac 100644
--- a/vcl/source/filter/svm/SvmReader.cxx
+++ b/vcl/source/filter/svm/SvmReader.cxx
@@ -663,6 +663,13 @@ rtl::Reference<MetaAction> SvmReader::TextHandler(ImplMetaReadData* pData)
     if (aCompat.GetVersion() >= 2) // Version 2
         aStr = read_uInt16_lenPrefixed_uInt16s_ToOUString(mrStream);
 
+    if (nTmpIndex + nTmpLen > aStr.getLength())
+    {
+        SAL_WARN("vcl.gdi", "inconsistent offset and len");
+        pAction->SetIndex(0);
+        pAction->SetLen(aStr.getLength());
+    }
+
     pAction->SetText(aStr);
 
     return pAction;
@@ -696,8 +703,9 @@ rtl::Reference<MetaAction> SvmReader::TextArrayHandler(ImplMetaReadData* pData)
     sal_Int32 nAryLen(0);
     mrStream.ReadInt32(nAryLen);
 
-    if (nTmpLen > aStr.getLength() - nTmpIndex)
+    if (nTmpIndex + nTmpLen > aStr.getLength())
     {
+        SAL_WARN("vcl.gdi", "inconsistent offset and len");
         pAction->SetIndex(0);
         pAction->SetLen(aStr.getLength());
         return pAction;
@@ -735,6 +743,7 @@ rtl::Reference<MetaAction> SvmReader::TextArrayHandler(ImplMetaReadData* pData)
 
         if (nTmpIndex + nTmpLen > aStr.getLength())
         {
+            SAL_WARN("vcl.gdi", "inconsistent offset and len");
             pAction->SetIndex(0);
             pAction->SetLen(aStr.getLength());
             aArray.reset();

More information about the Libreoffice-commits mailing list