diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2017-01-26 16:01:57 +0000 |
|---|---|---|
| committer | Miklos Vajna <vmiklos@collabora.co.uk> | 2017-02-01 13:30:57 +0000 |
| commit | 2606607d6df99b2b3068a781d4abded7c5492917 (patch) | |
| tree | 264a281b04967351a83c9ffd1eecd2ec717bb337 /filter | |
| parent | 48168ced891de8e4eca6fd1eb490c452534fccd2 (diff) | |
ofz: tidy up eps preview import
a) check that the remaining stream length is >= the 14 bytes that are
unconditionally skipped
b) make the initial security count the min of the arbitrary 100 and the
remaining stream len less that 14 bytes
c) tweak ImplGetNumber not to reduce nSecurityCount if its already 0
Change-Id: Ifffa6d02d492affd578fb48007704457ad635b39
(cherry picked from commit 94ffb720b889c51665ebb789d84aee3b3bacb456)
ofz: check eps seeks are sane and succeeded
Change-Id: I0eb45e1c1ffd91682ed0ce6a6a74eab54666d715
(cherry picked from commit f85fb724d52a0fff9c64365cd202ae8975492c05)
ofz: check if the stream is able to meet the eps len claim before reading
Change-Id: I65407bffb67449e203b8ead23554a4e88387d214
(cherry picked from commit e17a34e957c21a8cd2977b1b0e1c9a427c244aed)
ofz: check if the stream is able to meet the eps len claim before reading
Change-Id: I440c7f38d6588c570a411f2a97c0164e5d7d646f
(cherry picked from commit d1f31681623696e99b0bd9e98570cb1ebac518cc)
make this a little more readable
Change-Id: I83b6b0bd636b639ce0892f22f216410ce79dee03
(cherry picked from commit cf06348d9d4be8b8460d202cebf0d995fd4f6abf)
move deref inside (laughable) nSecurityCount check
Change-Id: Idf9a83ffa80137967d8c77d7a9b5133529fc2858
(cherry picked from commit 521723b1180a32c02a88ed47137d4242c06eaca7)
Reviewed-on: https://gerrit.libreoffice.org/33634
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Diffstat (limited to 'filter')
| -rw-r--r-- | filter/source/graphicfilter/ieps/ieps.cxx | 78 |
1 files changed, 46 insertions, 32 deletions
diff --git a/filter/source/graphicfilter/ieps/ieps.cxx b/filter/source/graphicfilter/ieps/ieps.cxx index f50f9968cab0..33a4ac9fa71d 100644 --- a/filter/source/graphicfilter/ieps/ieps.cxx +++ b/filter/source/graphicfilter/ieps/ieps.cxx @@ -69,17 +69,19 @@ static sal_uInt8* ImplSearchEntry( sal_uInt8* pSource, sal_uInt8 const * pDest, // SecurityCount is the buffersize of the buffer in which we will parse for a number -static long ImplGetNumber( sal_uInt8 **pBuf, sal_uInt32& nSecurityCount ) +static long ImplGetNumber(sal_uInt8* &rBuf, sal_uInt32& nSecurityCount) { bool bValid = true; bool bNegative = false; long nRetValue = 0; - while ( ( --nSecurityCount ) && ( ( **pBuf == ' ' ) || ( **pBuf == 0x9 ) ) ) - (*pBuf)++; - sal_uInt8 nByte = **pBuf; - while ( nSecurityCount && ( nByte != ' ' ) && ( nByte != 0x9 ) && ( nByte != 0xd ) && ( nByte != 0xa ) ) + while (nSecurityCount && (*rBuf == ' ' || *rBuf == 0x9)) { - switch ( nByte ) + ++rBuf; + --nSecurityCount; + } + while ( nSecurityCount && ( *rBuf != ' ' ) && ( *rBuf != 0x9 ) && ( *rBuf != 0xd ) && ( *rBuf != 0xa ) ) + { + switch ( *rBuf ) { case '.' : // we'll only use the integer format @@ -89,17 +91,17 @@ static long ImplGetNumber( sal_uInt8 **pBuf, sal_uInt32& nSecurityCount ) bNegative = true; break; default : - if ( ( nByte < '0' ) || ( nByte > '9' ) ) + if ( ( *rBuf < '0' ) || ( *rBuf > '9' ) ) nSecurityCount = 1; // error parsing the bounding box values else if ( bValid ) { nRetValue *= 10; - nRetValue += nByte - '0'; + nRetValue += *rBuf - '0'; } break; } nSecurityCount--; - nByte = *(++(*pBuf)); + ++rBuf; } if ( bNegative ) nRetValue = -nRetValue; @@ -399,6 +401,15 @@ static bool RenderAsBMP(const sal_uInt8* pBuf, sal_uInt32 nBytesRead, Graphic &r return RenderAsBMPThroughConvert(pBuf, nBytesRead, rGraphic); } +namespace +{ + bool checkSeek(SvStream &rSt, sal_uInt32 nOffset) + { + const sal_uInt64 nMaxSeek(rSt.Tell() + rSt.remainingSize()); + return (nOffset <= nMaxSeek && rSt.Seek(nOffset) == nOffset); + } +} + // this method adds a replacement action containing the original wmf or tiff replacement, // so the original eps can be written when storing to ODF. void CreateMtfReplacementAction( GDIMetaFile& rMtf, SvStream& rStrm, sal_uInt32 nOrigPos, sal_uInt32 nPSSize, @@ -416,17 +427,15 @@ void CreateMtfReplacementAction( GDIMetaFile& rMtf, SvStream& rStrm, sal_uInt32 aReplacement.WriteUInt32( nMagic ).WriteUInt32( nPPos ).WriteUInt32( nPSSize ) .WriteUInt32( nWPos ).WriteUInt32( nSizeWMF ) .WriteUInt32( nTPos ).WriteUInt32( nSizeTIFF ); - if ( nSizeWMF ) + if (nSizeWMF && checkSeek(rStrm, nOrigPos + nPosWMF) && rStrm.remainingSize() >= nSizeWMF) { std::unique_ptr<sal_uInt8[]> pBuf(new sal_uInt8[ nSizeWMF ]); - rStrm.Seek( nOrigPos + nPosWMF ); rStrm.ReadBytes(pBuf.get(), nSizeWMF); aReplacement.WriteBytes(pBuf.get(), nSizeWMF); } - if ( nSizeTIFF ) + if (nSizeTIFF && checkSeek(rStrm, nOrigPos + nPosTIFF) && rStrm.remainingSize() >= nSizeTIFF) { std::unique_ptr<sal_uInt8[]> pBuf(new sal_uInt8[ nSizeTIFF ]); - rStrm.Seek( nOrigPos + nPosTIFF ); rStrm.ReadBytes(pBuf.get(), nSizeTIFF); aReplacement.WriteBytes(pBuf.get(), nSizeTIFF); } @@ -504,7 +513,7 @@ void MakePreview(sal_uInt8* pBuf, sal_uInt32 nBytesRead, { pDest += 16; sal_uInt32 nCount = 4; - long nNumber = ImplGetNumber( &pDest, nCount ); + long nNumber = ImplGetNumber(pDest, nCount); if ( nCount && ( (sal_uInt32)nNumber < 10 ) ) { aString += " LanguageLevel:" + OUString::number( nNumber ); @@ -519,7 +528,6 @@ void MakePreview(sal_uInt8* pBuf, sal_uInt32 nBytesRead, rGraphic = aMtf; } - //================== GraphicImport - the exported function ================ @@ -532,7 +540,7 @@ ipsGraphicImport( SvStream & rStream, Graphic & rGraphic, FilterConfigItem* ) Graphic aGraphic; bool bRetValue = false; bool bHasPreview = false; - sal_uInt32 nSignature, nPSStreamPos, nPSSize; + sal_uInt32 nSignature = 0, nPSStreamPos, nPSSize = 0; sal_uInt32 nSizeWMF = 0; sal_uInt32 nPosWMF = 0; sal_uInt32 nSizeTIFF = 0; @@ -549,10 +557,9 @@ ipsGraphicImport( SvStream & rStream, Graphic & rGraphic, FilterConfigItem* ) if ( nSizeWMF ) { - if ( nPosWMF != 0 ) + if (nPosWMF && checkSeek(rStream, nOrigPos + nPosWMF)) { - rStream.Seek( nOrigPos + nPosWMF ); - if ( GraphicConverter::Import( rStream, aGraphic, ConvertDataFormat::WMF ) == ERRCODE_NONE ) + if (GraphicConverter::Import(rStream, aGraphic, ConvertDataFormat::WMF) == ERRCODE_NONE) bHasPreview = bRetValue = true; } } @@ -562,9 +569,8 @@ ipsGraphicImport( SvStream & rStream, Graphic & rGraphic, FilterConfigItem* ) // else we have to get the tiff grafix - if ( nPosTIFF && nSizeTIFF ) + if (nPosTIFF && nSizeTIFF && checkSeek(rStream, nOrigPos + nPosTIFF)) { - rStream.Seek( nOrigPos + nPosTIFF ); if ( GraphicConverter::Import( rStream, aGraphic, ConvertDataFormat::TIF ) == ERRCODE_NONE ) { MakeAsMeta(aGraphic); @@ -579,13 +585,20 @@ ipsGraphicImport( SvStream & rStream, Graphic & rGraphic, FilterConfigItem* ) nPSStreamPos = nOrigPos; // no preview available _>so we must get the size manually nPSSize = rStream.Seek( STREAM_SEEK_TO_END ) - nOrigPos; } + std::unique_ptr<sal_uInt8[]> pHeader( new sal_uInt8[ 22 ] ); rStream.Seek( nPSStreamPos ); rStream.ReadBytes(pHeader.get(), 22); // check PostScript header - if ( ImplSearchEntry( pHeader.get(), reinterpret_cast<sal_uInt8 const *>("%!PS-Adobe"), 10, 10 ) && - ImplSearchEntry( &pHeader[ 15 ], reinterpret_cast<sal_uInt8 const *>("EPS"), 3, 3 ) ) + bool bOk = ImplSearchEntry(pHeader.get(), reinterpret_cast<sal_uInt8 const *>("%!PS-Adobe"), 10, 10) && + ImplSearchEntry(&pHeader[ 15 ], reinterpret_cast<sal_uInt8 const *>("EPS"), 3, 3); + if (bOk) + { + rStream.Seek(nPSStreamPos); + bOk = rStream.remainingSize() >= nPSSize; + SAL_WARN_IF(!bOk, "filter.eps", "eps claims to be: " << nPSSize << " in size, but only " << rStream.remainingSize() << " remains"); + } + if (bOk) { - rStream.Seek( nPSStreamPos ); std::unique_ptr<sal_uInt8[]> pBuf( new sal_uInt8[ nPSSize ] ); sal_uInt32 nBufStartPos = rStream.Tell(); @@ -601,10 +614,10 @@ ipsGraphicImport( SvStream & rStream, Graphic & rGraphic, FilterConfigItem* ) if ( pDest ) { pDest += 15; - long nWidth = ImplGetNumber( &pDest, nSecurityCount ); - long nHeight = ImplGetNumber( &pDest, nSecurityCount ); - long nBitDepth = ImplGetNumber( &pDest, nSecurityCount ); - long nScanLines = ImplGetNumber( &pDest, nSecurityCount ); + long nWidth = ImplGetNumber(pDest, nSecurityCount); + long nHeight = ImplGetNumber(pDest, nSecurityCount); + long nBitDepth = ImplGetNumber(pDest, nSecurityCount); + long nScanLines = ImplGetNumber(pDest, nSecurityCount); pDest = ImplSearchEntry( pDest, reinterpret_cast<sal_uInt8 const *>("%"), 16, 1 ); // go to the first Scanline if ( nSecurityCount && pDest && nWidth && nHeight && ( ( nBitDepth == 1 ) || ( nBitDepth == 8 ) ) && nScanLines ) { @@ -698,15 +711,16 @@ ipsGraphicImport( SvStream & rStream, Graphic & rGraphic, FilterConfigItem* ) } sal_uInt8* pDest = ImplSearchEntry( pBuf.get(), reinterpret_cast<sal_uInt8 const *>("%%BoundingBox:"), nBytesRead, 14 ); - if ( pDest ) + sal_uInt32 nRemainingBytes = pDest ? (nBytesRead - (pDest - pBuf.get())) : 0; + if (nRemainingBytes >= 14) { - nSecurityCount = 100; + pDest += 14; + nSecurityCount = std::min<sal_uInt32>(nRemainingBytes - 14, 100); long nNumb[4]; nNumb[0] = nNumb[1] = nNumb[2] = nNumb[3] = 0; - pDest += 14; for ( int i = 0; ( i < 4 ) && nSecurityCount; i++ ) { - nNumb[ i ] = ImplGetNumber( &pDest, nSecurityCount ); + nNumb[ i ] = ImplGetNumber(pDest, nSecurityCount); } if ( nSecurityCount) { |