| author | Radek Doulik <rodo@novell.com> | 2008-11-14 15:17:12 (GMT) |
|---|---|---|
| committer | Radek Doulik <rodo@novell.com> | 2008-11-14 15:17:12 (GMT) |
| commit | 49b4e38571912a7d28c4044e5b2bd57e51c77d55 (patch) | |
| tree | 6cc4b0d25476ef5f1f1be04ddc78afe9a90ddad4 | |
| parent | cc225b40e5c163d562d31118c342af2578568a0c (diff) | |
Added emf+-cppcanvas-input-validation.
* patches/dev300/apply: added emf+-cppcanvas-input-validation.diff
from Thorsten, with small changes from me. Fixes crash in
cppcanvas/source/mtfrenderer/emfplus.cxx
* patches/dev300/wmf-pattern-brush.diff: Update to fix crash in
svtools/source/filter.vcl/wmf/enhwmf.cxx
| -rw-r--r-- | patches/dev300/apply | 1 | ||||
| -rw-r--r-- | patches/dev300/wmf-pattern-brush.diff | 41 | ||||
| -rw-r--r-- | patches/emf+/emf+-cppcanvas-input-validation.diff | 107 |
3 files changed, 131 insertions, 18 deletions
diff --git a/patches/dev300/apply b/patches/dev300/apply index c4c2b4b..e3f077a 100644 --- a/patches/dev300/apply +++ b/patches/dev300/apply @@ -2421,6 +2421,7 @@ emf+-multipart-objects.diff, rodo emf+-use-canvas-only-for-emf+.diff, rodo emf+-embedded-mf-image.diff, rodo vcl-pluggable-mtf-renderer.diff, thorsten +emf+-cppcanvas-input-validation.diff, thorsten [ LinkWarningDlg ] linkwarn-dlg-in-apps.diff, n#348149, thorsten diff --git a/patches/dev300/wmf-pattern-brush.diff b/patches/dev300/wmf-pattern-brush.diff index 0f08cfd..dd299ae 100644 --- a/patches/dev300/wmf-pattern-brush.diff +++ b/patches/dev300/wmf-pattern-brush.diff @@ -23,7 +23,7 @@ diff -rup svtools-clean/source/filter.vcl/wmf/enhwmf.cxx svtools/source/filter.v } } break; -@@ -1152,6 +1153,49 @@ BOOL EnhWMFReader::ReadEnhWMF() +@@ -1152,6 +1153,54 @@ BOOL EnhWMFReader::ReadEnhWMF() } break; 
@@ -45,27 +45,32 @@ diff -rup svtools-clean/source/filter.vcl/wmf/enhwmf.cxx svtools/source/filter.v + *pWMF >> offBits; + *pWMF >> cbBits; + -+ if ( offBmi ) ++ if ( (cbBits > (SAL_MAX_UINT32 - 14)) || ((SAL_MAX_UINT32 - 14) - cbBits < cbBmi) ) ++ bStatus = FALSE; ++ else if ( offBmi ) + { + UINT32 nSize = cbBmi + cbBits + 14; -+ char* pBuf = new char[ nSize ]; ++ if ( nSize <= ( nEndPos - nStartPos ) ) ++ { ++ char* pBuf = new char[ nSize ]; + -+ SvMemoryStream aTmp( pBuf, nSize, STREAM_READ | STREAM_WRITE ); -+ aTmp.ObjectOwnsMemory( TRUE ); -+ aTmp << (BYTE)'B' -+ << (BYTE)'M' -+ << (UINT32)cbBits -+ << (UINT16)0 -+ << (UINT16)0 -+ << (UINT32)cbBmi + 14; -+ pWMF->Seek( nStart + offBmi ); -+ pWMF->Read( pBuf + 14, cbBmi ); -+ pWMF->Seek( nStart + offBits ); -+ pWMF->Read( pBuf + 14 + cbBmi, cbBits ); -+ aTmp.Seek( 0 ); -+ aBitmap.Read( aTmp, TRUE ); ++ SvMemoryStream aTmp( pBuf, nSize, STREAM_READ | STREAM_WRITE ); ++ aTmp.ObjectOwnsMemory( TRUE ); ++ aTmp << (BYTE)'B' ++ << (BYTE)'M' ++ << (UINT32)cbBits ++ << (UINT16)0 ++ << (UINT16)0 ++ << (UINT32)cbBmi + 14; ++ pWMF->Seek( nStart + offBmi ); ++ pWMF->Read( pBuf + 14, cbBmi ); ++ pWMF->Seek( nStart + offBits ); ++ pWMF->Read( pBuf + 14 + cbBmi, cbBits ); ++ aTmp.Seek( 0 ); ++ aBitmap.Read( aTmp, TRUE ); ++ } + } -+ } ++ } + + pOut->CreateObject( nIndex, GDI_BRUSH, new WinMtfFillStyle( aBitmap ) ); + } diff --git a/patches/emf+/emf+-cppcanvas-input-validation.diff b/patches/emf+/emf+-cppcanvas-input-validation.diff new file mode 100644 index 0000000..6d9ca41 --- a/dev/null +++ b/patches/emf+/emf+-cppcanvas-input-validation.diff 
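Review bot: The two `pWMF->Read(...)` calls that fill `pBuf` are not checked, and `offBmi`/`offBits` are never compared with the record bounds before `pWMF->Seek( nStart + ... )`, so the new size guard protects only the allocation. `new char[ nSize ]` does not zero the buffer, so when either read comes up short on a truncated or malformed file, `aBitmap.Read( aTmp, TRUE )` parses whatever was left in that heap block. I would compare each return value with the requested count, e.g. `if ( pWMF->Read( pBuf + 14, cbBmi ) != cbBmi ) bStatus = FALSE;` and the same for the `cbBits` read, and skip `aBitmap.Read` on failure. The `nSize > nEndPos - nStartPos` case is also skipped silently while the overflow branch sets `bStatus = FALSE`; both rejections should probably report the same way. The enclosing case in `EnhWMFReader::ReadEnhWMF()` starts and ends outside this hunk, so how `nStart`, `nStartPos` and `nEndPos` are set is not visible here.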
@@ -0,0 +1,107 @@ +--- cppcanvas/source/mtfrenderer/emfplus.cxx.bak 2008-10-22 18:32:48.000000000 +0200 ++++ cppcanvas/source/mtfrenderer/emfplus.cxx 2008-10-22 18:58:35.000000000 +0200 +@@ -96,6 +96,8 @@ + public: + EMFPPath (sal_Int32 _nPoints, bool bLines = false) + { ++ if( _nPoints<0 || _nPoints>SAL_MAX_INT32/(2*sizeof(float)) ) ++ _nPoints = SAL_MAX_INT32/(2*sizeof(float)); + nPoints = _nPoints; + pPoints = new float [nPoints*2]; + if (!bLines) +@@ -238,6 +240,9 @@ + EMFP_DEBUG (printf ("EMF+\theader: 0x%08x parts: %d\n", header, parts)); + + if (parts) { ++ if( parts<0 || parts>SAL_MAX_INT32/sizeof(sal_Int32) ) ++ parts = SAL_MAX_INT32/sizeof(sal_Int32); ++ + combineMode = new sal_Int32 [parts]; + + for (int i = 0; i < parts; i ++) { +@@ -349,6 +354,9 @@ + s >> surroundColorsNumber; + EMFP_DEBUG (printf ("EMF+\tsurround colors: %d\n", surroundColorsNumber)); + ++ if( surroundColorsNumber<0 || surroundColorsNumber>SAL_MAX_INT32/sizeof(::Color) ) ++ surroundColorsNumber = SAL_MAX_INT32/sizeof(::Color); ++ + surroundColors = new ::Color [surroundColorsNumber]; + for (int i = 0; i < surroundColorsNumber; i++) { + s >> color; +@@ -398,6 +406,8 @@ + if (additionalFlags & 0x08) { + s >> blendPoints; + EMFP_DEBUG (printf ("EMF+\tuse blend, points: %d\n", blendPoints)); ++ if( blendPoints<0 || blendPoints>SAL_MAX_INT32/(2*sizeof(float)) ) ++ blendPoints = SAL_MAX_INT32/(2*sizeof(float)); + blendPositions = new float [2*blendPoints]; + blendFactors = blendPositions + blendPoints; + for (int i=0; i < blendPoints; i ++) { +@@ -413,6 +423,10 @@ + if (additionalFlags & 0x04) { + s >> colorblendPoints; + EMFP_DEBUG (printf ("EMF+\tuse color blend, points: %d\n", colorblendPoints)); ++ if( colorblendPoints<0 || colorblendPoints>SAL_MAX_INT32/sizeof(float) ) ++ colorblendPoints = SAL_MAX_INT32/sizeof(float); ++ if( colorblendPoints>SAL_MAX_INT32/sizeof(::Color) ) ++ colorblendPoints = SAL_MAX_INT32/sizeof(::Color); + colorblendPositions = new float [colorblendPoints]; + 
colorblendColors = new ::Color [colorblendPoints]; + for (int i=0; i < colorblendPoints; i ++) { +@@ -467,6 +481,8 @@ + if (additionalFlags & 0x08) { + s >> blendPoints; + EMFP_DEBUG (printf ("EMF+\tuse blend, points: %d\n", blendPoints)); ++ if( blendPoints<0 || blendPoints>SAL_MAX_INT32/(2*sizeof(float)) ) ++ blendPoints = SAL_MAX_INT32/(2*sizeof(float)); + blendPositions = new float [2*blendPoints]; + blendFactors = blendPositions + blendPoints; + for (int i=0; i < blendPoints; i ++) { +@@ -482,6 +498,10 @@ + if (additionalFlags & 0x04) { + s >> colorblendPoints; + EMFP_DEBUG (printf ("EMF+\tuse color blend, points: %d\n", colorblendPoints)); ++ if( colorblendPoints<0 || colorblendPoints>SAL_MAX_INT32/sizeof(float) ) ++ colorblendPoints = SAL_MAX_INT32/sizeof(float); ++ if( colorblendPoints>SAL_MAX_INT32/sizeof(::Color) ) ++ colorblendPoints = SAL_MAX_INT32/sizeof(::Color); + colorblendPositions = new float [colorblendPoints]; + colorblendColors = new ::Color [colorblendPoints]; + for (int i=0; i < colorblendPoints; i ++) { +@@ -583,6 +603,8 @@ + + if (penFlags & 256) { + s >> dashPatternLen; ++ if( dashPatternLen<0 || dashPatternLen>SAL_MAX_INT32/sizeof(float) ) ++ dashPatternLen = SAL_MAX_INT32/sizeof(float); + dashPattern = new float [dashPatternLen]; + for (i = 0; i < dashPatternLen; i++) + s >> dashPattern [i]; +@@ -596,6 +618,8 @@ + + if (penFlags & 1024) { + s >> compoundArrayLen; ++ if( compoundArrayLen<0 || compoundArrayLen>SAL_MAX_INT32/sizeof(float) ) ++ compoundArrayLen = SAL_MAX_INT32/sizeof(float); + compoundArray = new float [compoundArrayLen]; + for (i = 0; i < compoundArrayLen; i++) + s >> compoundArray [i]; +@@ -604,6 +628,8 @@ + + if (penFlags & 2048) { + s >> customStartCapLen; ++ if( customStartCapLen<0 ) ++ customStartCapLen=0; + customStartCap = new sal_uInt8 [customStartCapLen]; + for (i = 0; i < customStartCapLen; i++) + s >> customStartCap [i]; +@@ -612,6 +638,8 @@ + + if (penFlags & 4096) { + s >> customEndCapLen; ++ if( 
customEndCapLen<0 ) ++ customEndCapLen=0; + customEndCap = new sal_uInt8 [customEndCapLen]; + for (i = 0; i < customEndCapLen; i++) + s >> customEndCap [i]; |
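Review bot: Every count read from the stream is clamped to `SAL_MAX_INT32/sizeof(T)` rather than checked against the data the record actually holds, so a malformed count still reaches `new` with a request of up to roughly 2 GiB and then drives the following `s >> ...` loop that many times. Negative values are clamped up to that maximum in `EMFPPath`, `parts`, `surroundColorsNumber`, `blendPoints`, `colorblendPoints`, `dashPatternLen` and `compoundArrayLen`, whereas `customStartCapLen` and `customEndCapLen` are set to 0 and get no upper bound at all. I would treat a negative count as an empty array everywhere, e.g. `if( blendPoints<0 ) blendPoints = 0;`, and reject the object when the count exceeds what the remaining bytes of the record can supply. The record length is not visible in these hunks, so where that bound should come from needs confirming. All of the patched functions start and end outside the quoted context.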
