fdo#84686 prevent std::bad_alloc exception by stricter input check

The bugdoc has invalid length (rh.recLen) in header of blipStore's
OfficeArtFBSE record. Therefore LibreOffice read junk for the next
BLIP, and tried to seek to an invalid stream position, which caused
bad allocation exception on 32-bit systems.

Change-Id: I72fae4c2b00216b57736f4409a32c62a40f25785

1 files changed, 4 insertions, 4 deletions

diff --git a/filter/source/msfilter/msdffimp.cxx b/filter/source/msfilter/msdffimp.cxx
index 0defb0a9cf3a..d1ca58185dcd 100644
--- a/filter/source/msfilter/msdffimp.cxx
+++ b/filter/source/msfilter/msdffimp.cxx
@@ -5798,8 +5798,7 @@ void SvxMSDffManager::GetCtrlData( sal_uInt32 nOffsDgg_ )
 }
 
 
-// from here on: Drawing Group Container  i.e. Ddocument-wide valid data
-//                      =======================           ========
+// from here on: Drawing Group Container  i.e. document-wide valid data
 
 void SvxMSDffManager::GetDrawingGroupContainerData( SvStream& rSt, sal_uLong nLenDgg )
 {
@@ -5839,7 +5838,7 @@ void SvxMSDffManager::GetDrawingGroupContainerData( SvStream& rSt, sal_uLong nLe
     {
         if(!ReadCommonRecordHeader( rSt, nVer, nInst, nFbt, nLength)) return;
         nRead += DFF_COMMON_RECORD_HEADER_SIZE + nLength;
-        if( DFF_msofbtBSE == nFbt )
+        if( DFF_msofbtBSE == nFbt && /* magic value from spec */ 0x2 == nVer )
         {
             nLenFBSE = nLength;
             // is FBSE big enough for our data
@@ -5876,8 +5875,9 @@ void SvxMSDffManager::GetDrawingGroupContainerData( SvStream& rSt, sal_uLong nLe
                 // now save the info for later access
                 pBLIPInfos->push_back( new SvxMSDffBLIPInfo( nInst, nBLIPPos, nBLIPLen ) );
             }
+            rSt.SeekRel( nLength );
         }
-        rSt.SeekRel( nLength );
+        else return; // invalid input
     }
     while( nRead < nLenBStoreCont );
 }