coverity#1242704 Untrusted loop bound

Change-Id: Ib2e00c0cd269dc7ae55b206713fe07e5326072f2
author: Caolán McNamara <caolanm@redhat.com> 2014-10-20 09:59:28 +0100
committer: Caolán McNamara <caolanm@redhat.com> 2014-10-20 10:57:15 +0100
commit: d615d83381a0830a815fe2879ce761f1b00b04e9 (patch)
tree: 98429351a525bb476c4275f957261c4e003ed307
parent: 1361dfc0aa835dcb134d5de4bac594519aa16efe (diff)
1 files changed, 52 insertions, 12 deletions
diff --git a/vcl/source/filter/wmf/winwmf.cxx b/vcl/source/filter/wmf/winwmf.cxx
index 1b95dd412b27..4951b65e12fd 100644
--- a/vcl/source/filter/wmf/winwmf.cxx
+++ b/vcl/source/filter/wmf/winwmf.cxx
@@ -328,12 +328,32 @@ void WMFReader::ReadRecordParams( sal_uInt16 nFunc )
 
         case W_META_POLYGON:
         {
-            sal_uInt16 nPoints = 0;
-            pWMF->ReadUInt16( nPoints );
-            Polygon aPoly( nPoints );
-            for( sal_uInt16 i = 0; i < nPoints; i++ )
-                aPoly[ i ] = ReadPoint();
-            pOut->DrawPolygon( aPoly );
+            bool bRecordOk = true;
+
+            sal_uInt16 nPoints(0);
+            pWMF->ReadUInt16(nPoints);
+
+            if (nPoints > pWMF->remainingSize() / (2 * sizeof(sal_uInt16)))
+            {
+                bRecordOk = false;
+            }
+            else
+            {
+                Polygon aPoly(nPoints);
+                for (sal_uInt16 i(0); i < nPoints && pWMF->good(); ++i)
+                    aPoly[ i ] = ReadPoint();
+                pOut->DrawPolygon(aPoly);
+            }
+
+            SAL_WARN_IF(!bRecordOk, "vcl.filter", "polygon record has more points than we can handle");
+
+            bRecordOk &= pWMF->good();
+
+            if (!bRecordOk)
+            {
+                pWMF->SetError( SVSTREAM_FILEFORMAT_ERROR );
+                break;
+            }
         }
         break;
 
@@ -403,12 +423,32 @@ void WMFReader::ReadRecordParams( sal_uInt16 nFunc )
 
         case W_META_POLYLINE:
         {
-            sal_uInt16 nPoints = 0;
-            pWMF->ReadUInt16( nPoints );
-            Polygon aPoly( nPoints );
-            for(sal_uInt16 i = 0; i < nPoints; i++ )
-                aPoly[ i ] = ReadPoint();
-            pOut->DrawPolyLine( aPoly );
+            bool bRecordOk = true;
+
+            sal_uInt16 nPoints(0);
+            pWMF->ReadUInt16(nPoints);
+
+            if (nPoints > pWMF->remainingSize() / (2 * sizeof(sal_uInt16)))
+            {
+                bRecordOk = false;
+            }
+            else
+            {
+                Polygon aPoly(nPoints);
+                for (sal_uInt16 i(0); i < nPoints && pWMF->good(); ++i)
+                    aPoly[ i ] = ReadPoint();
+                pOut->DrawPolyLine( aPoly );
+            }
+
+            SAL_WARN_IF(!bRecordOk, "vcl.filter", "polyline record has more points than we can handle");
+
+            bRecordOk &= pWMF->good();
+
+            if (!bRecordOk)
+            {
+                pWMF->SetError( SVSTREAM_FILEFORMAT_ERROR );
+                break;
+            }
         }
         break;
author	Caolán McNamara <caolanm@redhat.com>	2014-10-20 09:59:28 +0100
committer	Caolán McNamara <caolanm@redhat.com>	2014-10-20 10:57:15 +0100
commit	d615d83381a0830a815fe2879ce761f1b00b04e9 (patch)
tree	98429351a525bb476c4275f957261c4e003ed307
parent	1361dfc0aa835dcb134d5de4bac594519aa16efe (diff)