authorCaolán McNamara <caolanm@redhat.com>2015-01-26 11:26:41 +0000
committerAndras Timar <andras.timar@collabora.com>2015-09-29 14:02:52 -0700
commit259b7be4313dc7a8eb4047a99918e95a1719cbe6 (patch)
treeb980af7eca4aa8982444c71acc784b6f5ae436e3
parente7284e9f376fe6e2cca6b79acaf18c13e94e840f (diff)
coverity#1266485 Untrusted value as argument
(cherry picked from commit 0934ed1a40c59c169354b177d7dab4228de66171) min legal size here is > 4 (cherry picked from commit 3131205c05a3fde4ef1e3322cc48ca23c443f6d3) (cherry picked from commit 964000d415bcf491704dad57aee7e0656ea60dab) (cherry picked from commit d4f07cdd244a6aa69de1fde0df4163b27a65556c) Conflicts: vcl/source/gdi/jobset.cxx 9f68d000b32623db4d949d13284043630f5689f4 Change-Id: I7708ecaf5412535055584ed6c71beaa9cd71c10c
-rw-r--r--vcl/source/gdi/jobset.cxx27
1 files changed, 16 insertions, 11 deletions
diff --git a/vcl/source/gdi/jobset.cxx b/vcl/source/gdi/jobset.cxx
index a2ca658d55ca..16718f0ef628 100644
--- a/vcl/source/gdi/jobset.cxx
+++ b/vcl/source/gdi/jobset.cxx
@@ -235,19 +235,24 @@ SvStream& operator>>( SvStream& rIStream, JobSetup& rJobSetup )
DBG_ASSERTWARNING( rIStream.GetVersion(), "JobSetup::>> - Solar-Version not set on rOStream" );
{
- sal_Size nFirstPos = rIStream.Tell();
-
sal_uInt16 nLen = 0;
rIStream >> nLen;
- if ( !nLen )
+ if (nLen <= 4)
return rIStream;
sal_uInt16 nSystem = 0;
rIStream >> nSystem;
-
- char* pTempBuf = new char[nLen];
- rIStream.Read( pTempBuf, nLen - sizeof( nLen ) - sizeof( nSystem ) );
- if ( nLen >= sizeof(ImplOldJobSetupData)+4 )
+ const size_t nRead = nLen - sizeof(nLen) - sizeof(nSystem);
+ if (nRead > rIStream.remainingSize())
+ {
+ SAL_WARN("vcl", "Parsing error: " << rIStream.remainingSize() <<
+ " max possible entries, but " << nRead << " claimed, truncating");
+ return rIStream;
+ }
+ sal_Size nFirstPos = rIStream.Tell();
+ char* pTempBuf = new char[nRead];
+ rIStream.Read(pTempBuf, nRead);
+ if (nRead >= sizeof(ImplOldJobSetupData))
{
ImplOldJobSetupData* pData = (ImplOldJobSetupData*)pTempBuf;
if ( rJobSetup.mpData )
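Review bot: `new char[nRead]` leaves the buffer uninitialised and the return value of `rIStream.Read(pTempBuf, nRead)` is not checked, so if the read comes up short despite the `remainingSize()` guard (a stream error, for instance), the cast to `ImplOldJobSetupData*` on the following lines interprets indeterminate bytes. Value-initialising the buffer with `char* pTempBuf = new char[nRead]();`, or comparing the result of `Read` with `nRead` before parsing, closes that gap. The `SAL_WARN` text also does not match the behaviour: it mentions "entries" and "truncating", while the code returns without reading anything, so wording such as `"Parsing error: " << nRead << " bytes claimed, but only " << rIStream.remainingSize() << " remain, skipping job setup"` would be more accurate. The function body continues past this hunk, so where `pTempBuf` is released is not visible here.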
@@ -289,8 +294,8 @@ SvStream& operator>>( SvStream& rIStream, JobSetup& rJobSetup )
}
if( nSystem == JOBSET_FILE605_SYSTEM )
{
- rIStream.Seek( nFirstPos + sizeof( ImplOldJobSetupData ) + 4 + sizeof( Impl364JobSetupData ) + pJobData->mnDriverDataLen );
- while( rIStream.Tell() < nFirstPos + nLen )
+ rIStream.Seek( nFirstPos + sizeof( ImplOldJobSetupData ) + sizeof( Impl364JobSetupData ) + pJobData->mnDriverDataLen );
+ while( rIStream.Tell() < nFirstPos + nRead )
{
OUString aKey = read_lenPrefixed_uInt8s_ToOUString<sal_uInt16>(rIStream, RTL_TEXTENCODING_UTF8);
OUString aValue = read_lenPrefixed_uInt8s_ToOUString<sal_uInt16>(rIStream, RTL_TEXTENCODING_UTF8);
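Review bot: The seek target adds `pJobData->mnDriverDataLen` to the two struct sizes, and nothing visible in this hunk bounds that sum by `nRead`, so a length taken from the file (presumably, since it is filled in between the hunks) can place the position outside the record that was just validated. A guard such as `if (sizeof(ImplOldJobSetupData) + sizeof(Impl364JobSetupData) + pJobData->mnDriverDataLen <= nRead)` before the `Seek` would keep the key/value loop inside the record; the code outside the hunk may already check this, so confirm there. The loop condition depends only on `Tell()`, so `while (rIStream.good() && rIStream.Tell() < nFirstPos + nRead)` would also stop it if a read fails before the end position is reached.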
@@ -308,9 +313,9 @@ SvStream& operator>>( SvStream& rIStream, JobSetup& rJobSetup )
else
pJobData->maValueMap[ aKey ] = aValue;
}
- DBG_ASSERT( rIStream.Tell() == nFirstPos+nLen, "corrupted job setup" );
+ DBG_ASSERT( rIStream.Tell() == nFirstPos+nRead, "corrupted job setup" );
// ensure correct stream position
- rIStream.Seek( nFirstPos + nLen );
+ rIStream.Seek(nFirstPos + nRead);
}
}
}
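Review bot: `DBG_ASSERT` is the only check that the key/value loop ended exactly at `nFirstPos + nRead`, and it is compiled out of non-debug builds, so a record whose length-prefixed strings run past the record end is accepted silently in release builds. The final `Seek` restores the position, but the entries read from beyond the record are already stored in `maValueMap`. A check that also runs in release builds, for example `SAL_WARN_IF(rIStream.Tell() != nFirstPos + nRead, "vcl", "corrupted job setup");`, would at least make such input visible in the log, in line with the `SAL_WARN` this commit adds in the first hunk.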