authorCaolán McNamara <caolanm@redhat.com>2017-11-18 15:21:58 +0000
committerCaolán McNamara <caolanm@redhat.com>2017-11-20 09:58:09 +0100
commit5cfbc855141a7f5c5583aadc8ef8541ed582d139 (patch)
tree075a8883e3c6550cde521f9567892f54c21007cc /emfio
parent0f0049d77a0ee6ae936922213c7290d0bc4fee29 (diff)
ofz#4318 Integer-overflow
Change-Id: I7ad1f39d82e44e4fa8dd78700b25deea0c19c81a Reviewed-on: https://gerrit.libreoffice.org/44913 Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Caolán McNamara <caolanm@redhat.com> Tested-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'emfio')
-rw-r--r--emfio/source/reader/emfreader.cxx9
1 files changed, 6 insertions, 3 deletions
diff --git a/emfio/source/reader/emfreader.cxx b/emfio/source/reader/emfreader.cxx
index 6ee222d427cb..e4f89420b930 100644
--- a/emfio/source/reader/emfreader.cxx
+++ b/emfio/source/reader/emfreader.cxx
@@ -1259,12 +1259,15 @@ namespace emfio
mpInputStream->ReadUInt32( BkColorSrc ).ReadUInt32( iUsageSrc ).ReadUInt32( offBmiSrc ).ReadUInt32( cbBmiSrc )
.ReadUInt32( offBitsSrc ).ReadUInt32( cbBitsSrc ).ReadInt32( cxSrc ).ReadInt32( cySrc ) ;
- tools::Rectangle aRect( Point( xDest, yDest ), Size( cxDest+1, cyDest+1 ) );
-
- if ( (cbBitsSrc > (SAL_MAX_UINT32 - 14)) || ((SAL_MAX_UINT32 - 14) - cbBitsSrc < cbBmiSrc) )
+ if ( (cbBitsSrc > (SAL_MAX_UINT32 - 14)) || ((SAL_MAX_UINT32 - 14) - cbBitsSrc < cbBmiSrc) ||
+ cxDest == SAL_MAX_INT32 || cyDest == SAL_MAX_INT32 )
+ {
bStatus = false;
+ }
else
{
+ tools::Rectangle aRect(Point(xDest, yDest), Size(cxDest + 1, cyDest + 1));
+
const sal_uInt32 nSourceSize = cbBmiSrc + cbBitsSrc + 14;
bool bSafeRead = nSourceSize <= (mnEndPos - mnStartPos);
sal_uInt32 nDeltaToDIB5HeaderSize(0);
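Review bot: The added `cxDest == SAL_MAX_INT32 || cyDest == SAL_MAX_INT32` test only protects the `+ 1` in `Size(cxDest + 1, cyDest + 1)`. Whatever arithmetic `tools::Rectangle(Point, Size)` does with `xDest`/`yDest` and the extent is not visible in this hunk, and it could still overflow where the coordinate type is 32 bits wide, so that is worth confirming. Negative extents also pass the new check; the destination values are presumably read from the record like the fields in the `ReadUInt32` chain above, so they should be treated as file-controlled. A one-line comment on the condition would record the intent, for example `// cxDest/cyDest come from the file; the + 1 below must not overflow (ofz#4318)`. The enclosing record handler starts and ends outside the hunk.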