summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichael Stahl <mstahl@redhat.com>2013-02-25 13:15:19 +0100
committerRadek Doulík <rodo@novell.com>2013-02-25 16:34:49 +0000
commit6cf68eab5eb77b7e081ef5f8d59d196411e86567 (patch)
treeb3273f8f747f610b854fd5860a49fe8b3136deae
parent32bc874ded4f9108a32bd76a53ecc001e6ba2a83 (diff)
fdo#59405: cppcanvas: fix infinite loop in processEMFPlus
This can be observed when inserting the bugdoc from fdo#59405. Apparently the "size" and "length" do not agree; ensure that the "length" does not underflow. Change-Id: Idfc68919859b8284c724831de21208e4392af328 (cherry picked from commit ec0d1440cf07008a220708535848567bcbb233ea) Reviewed-on: https://gerrit.libreoffice.org/2394 Reviewed-by: Radek Doulík <rodo@novell.com> Tested-by: Radek Doulík <rodo@novell.com>
-rw-r--r--cppcanvas/source/mtfrenderer/emfplus.cxx11
1 files changed, 10 insertions, 1 deletions
diff --git a/cppcanvas/source/mtfrenderer/emfplus.cxx b/cppcanvas/source/mtfrenderer/emfplus.cxx
index f1b0eff12282..0c9db41dd843 100644
--- a/cppcanvas/source/mtfrenderer/emfplus.cxx
+++ b/cppcanvas/source/mtfrenderer/emfplus.cxx
@@ -1763,7 +1763,16 @@ namespace cppcanvas
rMF.Seek (next);
- length -= size;
+ if (size <= length)
+ {
+ length -= size;
+ }
+ else
+ {
+ SAL_WARN("cppcanvas", "ImplRenderer::processEMFPlus: "
+ "size " << size << " > length " << length);
+ length = 0;
+ }
}
}
}