check for legal field sizes before reading

Change-Id: I3cdb647e1a057be5bb4b32d119ee5bcbbedf7473

2 files changed, 19 insertions, 6 deletions

diff --git a/filter/qa/cppunit/data/met/fail/hang-2.met b/filter/qa/cppunit/data/met/fail/hang-2.met
new file mode 100644
index 000000000000..e807d584e372
--- /dev/null
+++ b/filter/qa/cppunit/data/met/fail/hang-2.met
diff --git a/filter/source/graphicfilter/ios2met/ios2met.cxx b/filter/source/graphicfilter/ios2met/ios2met.cxx
index 5ab71b9ce375..bbf2728ba8ee 100644
--- a/filter/source/graphicfilter/ios2met/ios2met.cxx
+++ b/filter/source/graphicfilter/ios2met/ios2met.cxx
@@ -2660,21 +2660,34 @@ void OS2METReader::ReadOS2MET( SvStream & rStreamOS2MET, GDIMetaFile & rGDIMetaF
         pOS2MET->ReadUInt16(nFieldType);
 
         pOS2MET->SeekRel(3);
-        nPos+=8; nFieldSize-=8;
 
-        if (pOS2MET->GetError()) break;
-        if (pOS2MET->IsEof()) {
+        if (pOS2MET->GetError())
+            break;
+
+        if (nFieldType==EndDocumnMagic)
+            break;
+
+        if (pOS2MET->IsEof() || nFieldSize < 8)
+        {
             pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR);
             ErrorCode=8;
             break;
         }
 
-        if (nFieldType==EndDocumnMagic) break;
+        nPos+=8; nFieldSize-=8;
+
+        if (nFieldSize > pOS2MET->remainingSize())
+        {
+            pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR);
+            ErrorCode=8;
+            break;
+        }
 
         ReadField(nFieldType, nFieldSize);
+        nPos += nFieldSize;
 
-        nPos+=(sal_uLong)nFieldSize;
-        if (pOS2MET->Tell()>nPos)  {
+        if (pOS2MET->Tell() > nPos)
+        {
             pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR);
             ErrorCode=9;
             break;