diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2014-10-17 16:13:32 +0100 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2014-10-18 10:45:29 +0100 |
| commit | 11a514e06bf38c70f2364c8535782aa3f33d6206 (patch) | |
| tree | aa5798e63518f161fb4db3cb80c303955f24dac9 | |
| parent | 5e2d089f763963e6ce7d3d183bd1bf7932aeaaaf (diff) | |
coverity#1242573 Untrusted loop bound
Change-Id: Ic84e57fbfa2b532409865c4364b91be594d252cf
| -rw-r--r-- | vcl/source/filter/wmf/winwmf.cxx | 70 |
1 files changed, 58 insertions, 12 deletions
diff --git a/vcl/source/filter/wmf/winwmf.cxx b/vcl/source/filter/wmf/winwmf.cxx index 96d69cf958fe..1b95dd412b27 100644 --- a/vcl/source/filter/wmf/winwmf.cxx +++ b/vcl/source/filter/wmf/winwmf.cxx @@ -1462,12 +1462,31 @@ bool WMFReader::GetPlaceableBound( Rectangle& rPlaceableBound, SvStream* pStm ) case W_META_POLYGON: { - sal_uInt16 nPoints; + bool bRecordOk = true; + + sal_uInt16 nPoints(0); pStm->ReadUInt16( nPoints ); - for(sal_uInt16 i = 0; i < nPoints; i++ ) + + if (nPoints > pStm->remainingSize() / (2 * sizeof(sal_uInt16))) { - GetWinExtMax( ReadPoint(), aBound, nMapMode ); - bBoundsDetermined = true; + bRecordOk = false; + } + else + { + for(sal_uInt16 i = 0; i < nPoints; i++ ) + { + GetWinExtMax( ReadPoint(), aBound, nMapMode ); + bBoundsDetermined = true; + } + } + + SAL_WARN_IF(!bRecordOk, "vcl.wmf", "polyline record claimed more points than the stream can provide"); + + if (!bRecordOk) + { + pStm->SetError( SVSTREAM_FILEFORMAT_ERROR ); + bRet = false; + break; } } break; @@ -1507,12 +1526,21 @@ bool WMFReader::GetPlaceableBound( Rectangle& rPlaceableBound, SvStream* pStm ) break; } - for (sal_uInt16 i = 0; i < nPoints; i++ ) + if (nPoints > pStm->remainingSize() / (2 * sizeof(sal_uInt16))) { - GetWinExtMax( ReadPoint(), aBound, nMapMode ); - bBoundsDetermined = true; + bRecordOk = false; + } + else + { + for (sal_uInt16 i = 0; i < nPoints; i++ ) + { + GetWinExtMax( ReadPoint(), aBound, nMapMode ); + bBoundsDetermined = true; + } } + SAL_WARN_IF(!bRecordOk, "vcl.wmf", "polypolygon record claimed more points than the stream can provide"); + bRecordOk &= pStm->good(); if (!bRecordOk) @@ -1526,12 +1554,30 @@ bool WMFReader::GetPlaceableBound( Rectangle& rPlaceableBound, SvStream* pStm ) case W_META_POLYLINE: { - sal_uInt16 nPoints; - pStm->ReadUInt16( nPoints ); - for(sal_uInt16 i = 0; i < nPoints; i++ ) + bool bRecordOk = true; + + sal_uInt16 nPoints(0); + pStm->ReadUInt16(nPoints); + if (nPoints > pStm->remainingSize() / (2 * sizeof(sal_uInt16))) { - GetWinExtMax( ReadPoint(), aBound, nMapMode ); - bBoundsDetermined = true; + bRecordOk = false; + } + else + { + for (sal_uInt16 i = 0; i < nPoints; ++i) + { + GetWinExtMax( ReadPoint(), aBound, nMapMode ); + bBoundsDetermined = true; + } + } + + SAL_WARN_IF(!bRecordOk, "vcl.wmf", "polyline record claimed more points than the stream can provide"); + + if (!bRecordOk) + { + pStm->SetError( SVSTREAM_FILEFORMAT_ERROR ); + bRet = false; + break; } } break; |