diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2018-02-08 11:13:47 +0000 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2018-02-08 15:58:44 +0100 |
| commit | 37e5c9efb19224974a3861eae18e16d6432c6bde (patch) | |
| tree | 44ddb8179d5385adcb10404a24a2fe0539a31d47 /emfio | |
| parent | a26adf6679aa13dc5821047f6aa1f05e7d0d00fd (diff) | |
ofz: timeout
Change-Id: I3eff48549761aa8fa2569cd23c122f98fb2ea491
Reviewed-on: https://gerrit.libreoffice.org/49419
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'emfio')
| -rw-r--r-- | emfio/source/reader/wmfreader.cxx | 28 |
1 files changed, 22 insertions, 6 deletions
diff --git a/emfio/source/reader/wmfreader.cxx b/emfio/source/reader/wmfreader.cxx index e0822757eefe..983fe70a1a4e 100644 --- a/emfio/source/reader/wmfreader.cxx +++ b/emfio/source/reader/wmfreader.cxx @@ -511,14 +511,30 @@ namespace emfio case W_META_TEXTOUT: { + //record is Recordsize, RecordFunction, StringLength, <String>, YStart, XStart + const sal_uInt32 nNonStringLen = sizeof(sal_uInt32) + 4 * sizeof(sal_uInt16); + const sal_uInt32 nRecSize = mnRecSize * 2; sal_uInt16 nLength = 0; - mpInputStream->ReadUInt16( nLength ); - if ( nLength ) + mpInputStream->ReadUInt16(nLength); + sal_uInt16 nStoredLength = (nLength + 1) &~ 1; + + if (nRecSize < nNonStringLen) + { + SAL_WARN("vcl.wmf", "W_META_TEXTOUT too short"); + break; + } + + if (nRecSize - nNonStringLen < nStoredLength) + { + SAL_WARN("vcl.wmf", "W_META_TEXTOUT too short, truncating string"); + nLength = nStoredLength = nRecSize - nNonStringLen; + } + + if (nLength) { - std::unique_ptr<char[]> pChar(new char[ ( nLength + 1 ) &~ 1 ]); - nLength = std::min<sal_uInt64>(nLength, mpInputStream->ReadBytes(pChar.get(), (nLength + 1) &~ 1)); - OUString aText( pChar.get(), nLength, GetCharSet() ); - pChar.reset(); + std::vector<char> aChars(nStoredLength); + nLength = std::min<sal_uInt16>(nLength, mpInputStream->ReadBytes(aChars.data(), aChars.size())); + OUString aText(aChars.data(), nLength, GetCharSet()); Point aPosition( ReadYX() ); DrawText( aPosition, aText ); } |