CWS-TOOLING: integrate CWS sjfixes06_DEV300

author: Rüdiger Timm <rt@openoffice.org> 2008-09-29 07:47:53 +0000
committer: Rüdiger Timm <rt@openoffice.org> 2008-09-29 07:47:53 +0000
commit: fdcb2f45c731115e646afb08dc1ebc44c6d71dc9 (patch)
tree: 076e11443235c620775a2e4b718abaa7ab46c5bf
parent: 610d8ae463810f029bf72fc9186e2fb0b9ee87fe (diff)
1 files changed, 20 insertions, 2 deletions
diff --git a/svtools/source/filter.vcl/wmf/winwmf.cxx b/svtools/source/filter.vcl/wmf/winwmf.cxx
index bfb848b0d52e..9bc34210e780 100644
--- a/svtools/source/filter.vcl/wmf/winwmf.cxx
+++ b/svtools/source/filter.vcl/wmf/winwmf.cxx
@@ -816,6 +816,16 @@ void WMFReader::ReadRecordParams( USHORT nFunc )
 
         case W_META_ESCAPE :
         {
+            // nRecSize has been checked previously to be greater than 3
+            sal_uInt64 nMetaRecSize = static_cast< sal_uInt64 >( nRecSize - 2 ) * 2;
+            sal_uInt64 nMetaRecEndPos = pWMF->Tell() + nMetaRecSize;
+
+            // taking care that nRecSize does not exceed the maximal stream position
+            if ( nMetaRecEndPos > nEndPos )
+            {
+                pWMF->SetError( SVSTREAM_FILEFORMAT_ERROR );
+                break;
+            }
             if ( nRecSize >= 12 )   // minimal escape lenght
             {
                 sal_uInt16  nMode, nLen, OO;
@@ -838,7 +848,13 @@ void WMFReader::ReadRecordParams( USHORT nFunc )
                         sal_uInt32 nCheckSum = rtl_crc32( 0, &nEsc, 4 );
 #endif
                         sal_Int8* pData = NULL;
-                        if ( nEscLen )
+
+                        if ( ( static_cast< sal_uInt64 >( nEscLen ) + pWMF->Tell() ) > nMetaRecEndPos )
+                        {
+                            pWMF->SetError( SVSTREAM_FILEFORMAT_ERROR );
+                            break;
+                        }
+                        if ( nEscLen > 0 )
                         {
                             pData = new sal_Int8[ nEscLen ];
                             pWMF->Read( pData, nEscLen );
@@ -863,12 +879,14 @@ void WMFReader::ReadRecordParams( USHORT nFunc )
                                                       >> aPt.Y()
                                                       >> nStringLen;
 
-                                        if (nStringLen < STRING_MAXLEN)
+                                        if ( ( static_cast< sal_uInt64 >( nStringLen ) * sizeof( sal_Unicode ) ) < ( nEscLen - aMemoryStream.Tell() ) )
                                         {
                                             sal_Unicode* pBuf = aString.AllocBuffer( (xub_StrLen)nStringLen );
                                             for ( i = 0; i < nStringLen; i++ )
                                                 aMemoryStream >> pBuf[ i ];
                                             aMemoryStream >> nDXCount;
+                                            if ( ( static_cast< sal_uInt64 >( nDXCount ) * sizeof( sal_Int32 ) ) >= ( nEscLen - aMemoryStream.Tell() ) )
+                                                nDXCount = 0;
                                             if ( nDXCount )
                                                 pDXAry = new sal_Int32[ nDXCount ];
                                             for  ( i = 0; i < nDXCount; i++ )
author	Rüdiger Timm <rt@openoffice.org>	2008-09-29 07:47:53 +0000
committer	Rüdiger Timm <rt@openoffice.org>	2008-09-29 07:47:53 +0000
commit	fdcb2f45c731115e646afb08dc1ebc44c6d71dc9 (patch)
tree	076e11443235c620775a2e4b718abaa7ab46c5bf
parent	610d8ae463810f029bf72fc9186e2fb0b9ee87fe (diff)