authorCaolán McNamara <caolanm@redhat.com>2017-01-17 21:19:13 +0000
committerMichael Stahl <mstahl@redhat.com>2017-01-18 12:32:37 +0000
commit0f213087f25853bbb0100f6496d5392ce708ab45 (patch)
treec0f280fb3aab7e4d34ca6e687e49f1a444412504
parent2b7d08e32204fd9ec2231aaf89d18712edc1062d (diff)
ofz#414 crash in DXFHatchEntity::EvaluateGroup
(cherry picked from commit 5434d51d12611eb2726ce1394eb01921d008fa89) ofz#415 crash in DXFVector::DXFVector (cherry picked from commit 2a9b4363ca190f1d783d540e95a031357f852858) Change-Id: I15c8cb7aeb8c45f32357afd0ea2f550ffe11dbf7 Reviewed-on: https://gerrit.libreoffice.org/33235 Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Michael Stahl <mstahl@redhat.com>
-rw-r--r--filter/source/graphicfilter/idxf/dxfentrd.cxx15
-rw-r--r--filter/source/graphicfilter/idxf/dxfgrprd.cxx4
-rw-r--r--filter/source/graphicfilter/idxf/dxfgrprd.hxx1
3 files changed, 17 insertions, 3 deletions
diff --git a/filter/source/graphicfilter/idxf/dxfentrd.cxx b/filter/source/graphicfilter/idxf/dxfentrd.cxx
index 85508ac2d1cc..d4f7e30e6d08 100644
--- a/filter/source/graphicfilter/idxf/dxfentrd.cxx
+++ b/filter/source/graphicfilter/idxf/dxfentrd.cxx
@@ -422,8 +422,11 @@ void DXFLWPolyLineEntity::EvaluateGroup( DXFGroupReader & rDGR )
case 90 :
{
nCount = rDGR.GetI();
- if ( nCount )
+ // limit alloc to max reasonable size based on remaining data in stream
+ if (nCount > 0 && static_cast<sal_uInt32>(nCount) <= rDGR.remainingSize())
pP = new DXFVector[ nCount ];
+ else
+ nCount = 0;
}
break;
case 70: nFlags = rDGR.GetI(); break;
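Review bot: The new cap in `case 90` compares an element count with a byte count, so `new DXFVector[ nCount ]` can still request sizeof(DXFVector) times the bytes left in the stream. The check stops absurd counts, but not a large file that declares roughly one vertex per remaining byte. A tighter bound divides by the smallest number of bytes one vertex can occupy in the file, e.g. `static_cast<sal_uInt64>(nCount) <= rDGR.remainingSize() / nMinBytesPerVertex` (the constant is a placeholder to be derived from the format). The same pattern is in the `case 93` hunk of DXFBoundaryPathData::EvaluateGroup and in the DXFHatchEntity::EvaluateGroup hunk, where the element type is DXFBoundaryPathData. In all three, `pP` or `pBoundaryPathData` is assigned without releasing a previous array, so a file that repeats the group code would presumably leak the earlier allocation; the function bodies continue outside the hunks, so this could not be confirmed here.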
@@ -600,8 +603,11 @@ bool DXFBoundaryPathData::EvaluateGroup( DXFGroupReader & rDGR )
case 93 :
{
nPointCount = rDGR.GetI();
- if ( nPointCount )
+ // limit alloc to max reasonable size based on remaining data in stream
+ if (nPointCount > 0 && static_cast<sal_uInt32>(nPointCount) <= rDGR.remainingSize())
pP = new DXFVector[ nPointCount ];
+ else
+ nPointCount = 0;
}
break;
case 72 : nHasBulgeFlag = rDGR.GetI(); break;
@@ -679,8 +685,11 @@ void DXFHatchEntity::EvaluateGroup( DXFGroupReader & rDGR )
{
bIsInBoundaryPathContext = true;
nBoundaryPathCount = rDGR.GetI();
- if ( nBoundaryPathCount )
+ // limit alloc to max reasonable size based on remaining data in stream
+ if (nBoundaryPathCount > 0 && static_cast<sal_uInt32>(nBoundaryPathCount) <= rDGR.remainingSize())
pBoundaryPathData = new DXFBoundaryPathData[ nBoundaryPathCount ];
+ else
+ nBoundaryPathCount = 0;
}
break;
case 75 :
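Review bot: `bIsInBoundaryPathContext = true` is set before the count is validated, so when the new `else` branch zeroes `nBoundaryPathCount` the reader is still in boundary-path context with no array behind it. Whatever later indexes `pBoundaryPathData` must therefore compare its index with `nBoundaryPathCount` and not rely on the context flag alone; that code is outside this hunk and should be checked. A comment on the else branch would record the dependency, for example `// count rejected: leave no paths so later index checks fail closed`.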
diff --git a/filter/source/graphicfilter/idxf/dxfgrprd.cxx b/filter/source/graphicfilter/idxf/dxfgrprd.cxx
index ac1ca2d994fc..f4669fd25a19 100644
--- a/filter/source/graphicfilter/idxf/dxfgrprd.cxx
+++ b/filter/source/graphicfilter/idxf/dxfgrprd.cxx
@@ -222,5 +222,9 @@ void DXFGroupReader::ReadS()
S = DXFReadLine(rIS);
}
+sal_uInt64 DXFGroupReader::remainingSize() const
+{
+ return rIS.remainingSize();
+}
/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
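Review bot: `DXFGroupReader::remainingSize()` is added without a comment stating its unit or why callers need it, and the callers in dxfentrd.cxx compare it against element counts. A one-line comment above the definition would help, such as `// bytes left in the input stream; used as an upper bound for counts read from the file`. If the underlying stream call has to seek to find the end (not visible here), it is also worth noting that this is not a cheap accessor.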
diff --git a/filter/source/graphicfilter/idxf/dxfgrprd.hxx b/filter/source/graphicfilter/idxf/dxfgrprd.hxx
index 822820859acc..6064a7eb758d 100644
--- a/filter/source/graphicfilter/idxf/dxfgrprd.hxx
+++ b/filter/source/graphicfilter/idxf/dxfgrprd.hxx
@@ -64,6 +64,7 @@ public:
void SetS(); // (will be copied)
+ sal_uInt64 remainingSize() const;
private:
long ReadI();