don't hang with 0 len causing no progression

Change-Id: Ie553dab291c7bfbde033d89b84159aff6b42a160
(cherry picked from commit 15dfcb7f461893f83abcf28bfe01a4164209a160)
Reviewed-on: https://gerrit.libreoffice.org/17086
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
Tested-by: Michael Meeks <michael.meeks@collabora.com>

2 files changed, 9 insertions, 3 deletions

diff --git a/filter/qa/cppunit/data/met/fail/hang-1.met b/filter/qa/cppunit/data/met/fail/hang-1.met
new file mode 100644
index 000000000000..c1a095d3fad5
--- /dev/null
+++ b/filter/qa/cppunit/data/met/fail/hang-1.met
diff --git a/filter/source/graphicfilter/ios2met/ios2met.cxx b/filter/source/graphicfilter/ios2met/ios2met.cxx
index 6b38be429195..1b7700bb40c4 100644
--- a/filter/source/graphicfilter/ios2met/ios2met.cxx
+++ b/filter/source/graphicfilter/ios2met/ios2met.cxx
@@ -2257,7 +2257,6 @@ void OS2METReader::ReadImageData(sal_uInt16 nDataID, sal_uInt16 nDataLen)
 void OS2METReader::ReadFont(sal_uInt16 nFieldSize)
 {
     sal_uLong nPos, nMaxPos;
-    sal_uInt16 nLen;
     sal_uInt8 nByte, nTripType, nTripType2;
     OSFont * pF=new OSFont;
     pF->pSucc=pFontList; pFontList=pF;
@@ -2269,7 +2268,13 @@ void OS2METReader::ReadFont(sal_uInt16 nFieldSize)
     nMaxPos=nPos+(sal_uLong)nFieldSize;
     pOS2MET->SeekRel(2); nPos+=2;
     while (nPos<nMaxPos && pOS2MET->GetError()==0) {
-        pOS2MET->ReadUChar( nByte ); nLen =((sal_uInt16)nByte) & 0x00ff;
+        pOS2MET->ReadUChar( nByte );
+        sal_uInt16 nLen = ((sal_uInt16)nByte) & 0x00ff;
+        if (nLen == 0)
+        {
+            pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR);
+            ErrorCode=4;
+        }
         pOS2MET->ReadUChar( nTripType );
         switch (nTripType) {
             case 0x02:
@@ -2321,7 +2326,8 @@ void OS2METReader::ReadFont(sal_uInt16 nFieldSize)
                 break;
             }
         }
-        nPos+=nLen; pOS2MET->Seek(nPos);
+        nPos+=nLen;
+        pOS2MET->Seek(nPos);
     }
 }