diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2015-07-16 14:53:37 +0100 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2015-07-20 11:37:07 +0000 |
| commit | 5a6e55601f0eaae1bf9f006da3f19d1c8282e7db (patch) | |
| tree | 7c1a1c4470e2c4273065774725e93289afb3849d | |
| parent | 5871ac6593871427774271ec36433aafae1086b9 (diff) | |
Resolves: tdf#92772 missing shape bg color
regression from dcad3ac445980740b6a39761cdd1f1bd0b3e6e34
coverity#1242624 Untrusted loop bound
Change-Id: Idf52c09828c2bab767e9ff0d07b61befd6bfc64b
The original code read 8 bytes on the nElemSizeVert == 8
branch and always 4 otherwise. I assumed that nElemSizeVert had
to be read as 4 on that branch, but apparently not. So if its
not 4, set it to 4 and we get the same behaviour as originally
and continue to ensure we bounds check the loop
Change-Id: Ica8ab7cc3bbebee93216766a2e1279a579494840
(cherry picked from commit b3cd47bd562f98ec5fcff1a9d7609353506b5083)
Reviewed-on: https://gerrit.libreoffice.org/17135
Reviewed-by: David Tardon <dtardon@redhat.com>
Tested-by: David Tardon <dtardon@redhat.com>
Reviewed-by: Tomaž Vajngerl <quikee@gmail.com>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
| -rw-r--r-- | filter/source/msfilter/msdffimp.cxx | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/filter/source/msfilter/msdffimp.cxx b/filter/source/msfilter/msdffimp.cxx index 9e88ceb4a361..ba0aae06a853 100644 --- a/filter/source/msfilter/msdffimp.cxx +++ b/filter/source/msfilter/msdffimp.cxx @@ -2154,12 +2154,10 @@ void DffPropertyReader::ApplyCustomShapeGeometryAttributes( SvStream& rIn, SfxIt sal_uInt16 nNumElemMemVert = 0; rIn.ReadUInt16( nNumElemVert ).ReadUInt16( nNumElemMemVert ).ReadUInt16( nElemSizeVert ); } - bool bImport = false; - if (nElemSizeVert == 8 || nElemSizeVert == 4) - { - //sanity check that the stream is long enough to fulfill nNumElem * nElemSize; - bImport = rIn.remainingSize() / nElemSizeVert >= nNumElemVert; - } + if (nElemSizeVert != 8) + nElemSizeVert = 4; + //sanity check that the stream is long enough to fulfill nNumElem * nElemSize; + bool bImport = rIn.remainingSize() / nElemSizeVert >= nNumElemVert; if (bImport) { aCoordinates.realloc( nNumElemVert ); |