diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2021-01-01 19:17:30 +0000 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2021-01-01 22:07:04 +0100 |
| commit | f400e883044143f999c460375a293647b4a57244 (patch) | |
| tree | 601731bf3266937bae0dcae8e1037779dcea1cf6 | |
| parent | 30aacb7826f39601f5729aed929997073ff4e309 (diff) | |
ofz#29151 short read
Change-Id: I908d19903ff0b16f5c6a87b8aa989b6a410a7b3a
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/108563
Tested-by: Caolán McNamara <caolanm@redhat.com>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
| -rw-r--r-- | filter/source/msfilter/msdffimp.cxx | 10 | ||||
| -rw-r--r-- | sd/qa/unit/data/ppt/pass/hang-19.ppt (renamed from sd/qa/unit/data/ppt/fail/hang-19.ppt) | bin | 7680 -> 7680 bytes |
2 files changed, 6 insertions, 4 deletions
diff --git a/filter/source/msfilter/msdffimp.cxx b/filter/source/msfilter/msdffimp.cxx index bed7bdcc283d..442509617f91 100644 --- a/filter/source/msfilter/msdffimp.cxx +++ b/filter/source/msfilter/msdffimp.cxx @@ -4183,9 +4183,11 @@ SdrObject* SvxMSDffManager::ImportShape( const DffRecordHeader& rHd, SvStream& r if( maShapeRecords.SeekToContent( rSt, DFF_msofbtUDefProp ) ) { - sal_uInt32 nBytesLeft = maShapeRecords.Current()->nRecLen; + sal_uInt32 nBytesLeft = maShapeRecords.Current()->nRecLen; while( 5 < nBytesLeft ) { + if (rSt.remainingSize() < 6) + break; sal_uInt16 nPID(0); rSt.ReadUInt16(nPID); if (!rSt.good()) @@ -4199,11 +4201,11 @@ SdrObject* SvxMSDffManager::ImportShape( const DffRecordHeader& rHd, SvStream& r mbRotateGranientFillWithAngle = nUDData & 0x20; break; } - nBytesLeft -= 6; + nBytesLeft -= 6; } } aObjData.bShapeType = maShapeRecords.SeekToContent( rSt, DFF_msofbtSp ); - if ( aObjData.bShapeType ) + if (aObjData.bShapeType && rSt.remainingSize() >= 8) { sal_uInt32 temp; rSt.ReadUInt32( aObjData.nShapeId ) @@ -4247,7 +4249,7 @@ SdrObject* SvxMSDffManager::ImportShape( const DffRecordHeader& rHd, SvStream& r } aObjData.bChildAnchor = maShapeRecords.SeekToContent( rSt, DFF_msofbtChildAnchor, SEEK_FROM_CURRENT_AND_RESTART ); - if ( aObjData.bChildAnchor ) + if (aObjData.bChildAnchor && rSt.remainingSize() >= 16) { sal_Int32 l(0), o(0), r(0), u(0); rSt.ReadInt32( l ).ReadInt32( o ).ReadInt32( r ).ReadInt32( u ); diff --git a/sd/qa/unit/data/ppt/fail/hang-19.ppt b/sd/qa/unit/data/ppt/pass/hang-19.ppt Binary files differindex 942a58a66c5d..942a58a66c5d 100644 --- a/sd/qa/unit/data/ppt/fail/hang-19.ppt +++ b/sd/qa/unit/data/ppt/pass/hang-19.ppt |