detect corrupted job setup

Change-Id: I0d3b4850c3d4c015a0a7e5d36d87113a749c7e0f Reviewed-on: https://gerrit.libreoffice.org/42385 Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Michael Stahl <mstahl@redhat.com>
author: Caolán McNamara <caolanm@redhat.com> 2017-09-17 17:38:39 +0100
committer: Michael Stahl <mstahl@redhat.com> 2017-09-18 12:23:55 +0200
commit: 1eb3822d74f535f75aa336b27568ee8a6084c4dd (patch)
tree: 71140b0afd3624227cf10b0d8eb257f7d8e6a12e
parent: 256a405d4b1feeafd8a09e98bce9fb0c9125ee3d (diff)
1 files changed, 15 insertions, 7 deletions
diff --git a/vcl/source/gdi/jobset.cxx b/vcl/source/gdi/jobset.cxx
index f80e246a5c68..31ee4f08dca5 100644
--- a/vcl/source/gdi/jobset.cxx
+++ b/vcl/source/gdi/jobset.cxx
@@ -239,7 +239,7 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
 
         sal_uInt16 nSystem = 0;
         rIStream.ReadUInt16( nSystem );
-        const size_t nRead = nLen - sizeof(nLen) - sizeof(nSystem);
+        size_t nRead = nLen - sizeof(nLen) - sizeof(nSystem);
         if (nRead > rIStream.remainingSize())
         {
             SAL_WARN("vcl", "Parsing error: " << rIStream.remainingSize() <<
@@ -248,7 +248,7 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
         }
         sal_uInt64 const nFirstPos = rIStream.Tell();
         std::unique_ptr<char[]> pTempBuf(new char[nRead]);
-        rIStream.ReadBytes(pTempBuf.get(), nRead);
+        nRead = rIStream.ReadBytes(pTempBuf.get(), nRead);
         if (nRead >= sizeof(ImplOldJobSetupData))
         {
             ImplOldJobSetupData* pData = reinterpret_cast<ImplOldJobSetupData*>(pTempBuf.get());
@@ -278,11 +278,19 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
                 rJobData.SetPaperHeight( (long)SVBT32ToUInt32( pOldJobData->nPaperHeight ) );
                 if ( rJobData.GetDriverDataLen() )
                 {
-                    const sal_uInt8* pDriverData = reinterpret_cast<sal_uInt8*>(pOldJobData) + nOldJobDataSize;
-                    sal_uInt8* pNewDriverData = static_cast<sal_uInt8*>(
-                        rtl_allocateMemory( rJobData.GetDriverDataLen() ));
-                    memcpy( pNewDriverData, pDriverData, rJobData.GetDriverDataLen() );
-                    rJobData.SetDriverData( pNewDriverData );
+                    const char* pDriverData = reinterpret_cast<const char*>(pOldJobData) + nOldJobDataSize;
+                    const char* pDriverDataEnd = pDriverData + rJobData.GetDriverDataLen();
+                    if (pDriverDataEnd > pTempBuf.get() + nRead)
+                    {
+                        SAL_WARN("vcl", "corrupted job setup");
+                    }
+                    else
+                    {
+                        sal_uInt8* pNewDriverData = static_cast<sal_uInt8*>(
+                            rtl_allocateMemory( rJobData.GetDriverDataLen() ));
+                        memcpy( pNewDriverData, pDriverData, rJobData.GetDriverDataLen() );
+                        rJobData.SetDriverData( pNewDriverData );
+                    }
                 }
                 if( nSystem == JOBSET_FILE605_SYSTEM )
                 {
author	Caolán McNamara <caolanm@redhat.com>	2017-09-17 17:38:39 +0100
committer	Michael Stahl <mstahl@redhat.com>	2017-09-18 12:23:55 +0200
commit	1eb3822d74f535f75aa336b27568ee8a6084c4dd (patch)
tree	71140b0afd3624227cf10b0d8eb257f7d8e6a12e
parent	256a405d4b1feeafd8a09e98bce9fb0c9125ee3d (diff)