diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2017-09-29 15:26:59 +0100 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2017-09-30 12:24:01 +0200 |
| commit | e8879de7bcd940fd1a92e426d807777162fa1f73 (patch) | |
| tree | 41184e0ca6969b05f929e8a062c8d4681391020a /emfio | |
| parent | 150e93dbb49b0d09dc17390004a6869e33cf1686 (diff) | |
ofz+ubsan
Change-Id: I03f4bae4dd35eea9b5d3996e0655ca9a2ccd6a5f
Reviewed-on: https://gerrit.libreoffice.org/42944
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'emfio')
| -rw-r--r-- | emfio/source/reader/emfreader.cxx | 7 | ||||
| -rw-r--r-- | emfio/source/reader/mtftools.cxx | 34 |
2 files changed, 27 insertions, 14 deletions
diff --git a/emfio/source/reader/emfreader.cxx b/emfio/source/reader/emfreader.cxx index 8203951029f8..e9ff29010ebd 100644 --- a/emfio/source/reader/emfreader.cxx +++ b/emfio/source/reader/emfreader.cxx @@ -22,6 +22,7 @@ #include <basegfx/matrix/b2dhommatrix.hxx> #include <vcl/dibtools.hxx> #include <o3tl/make_unique.hxx> +#include <o3tl/safeint.hxx> #include <tools/stream.hxx> #include <memory> @@ -1590,8 +1591,10 @@ namespace emfio } std::unique_ptr<long[]> pDXAry, pDYAry; - sal_Int32 nDxSize = nLen * ((nOptions & ETO_PDY) ? 8 : 4); - if ( offDx && (( nCurPos + offDx + nDxSize ) <= nNextPos ) && nNextPos <= mnEndPos ) + + sal_Int32 nDxSize; + bool bOverflow = o3tl::checked_multiply<sal_Int32>(nLen, (nOptions & ETO_PDY) ? 8 : 4, nDxSize); + if (!bOverflow && offDx && ((nCurPos + offDx + nDxSize) <= nNextPos ) && nNextPos <= mnEndPos) { mpInputStream->Seek( nCurPos + offDx ); pDXAry.reset( new long[aText.getLength()] ); diff --git a/emfio/source/reader/mtftools.cxx b/emfio/source/reader/mtftools.cxx index 212b93fc5b9f..7f8d477c7b22 100644 --- a/emfio/source/reader/mtftools.cxx +++ b/emfio/source/reader/mtftools.cxx @@ -386,16 +386,24 @@ namespace emfio break; default : { - fX2 -= mnWinOrgX; - fY2 -= mnWinOrgY; - fX2 /= mnWinExtX; - fY2 /= mnWinExtY; - fX2 *= mnDevWidth; - fY2 *= mnDevHeight; - fX2 += mnDevOrgX; - fY2 += mnDevOrgY; // fX2, fY2 now in device units - fX2 *= (double)mnMillX * 100.0 / (double)mnPixX; - fY2 *= (double)mnMillY * 100.0 / (double)mnPixY; + if (mnPixX == 0 || mnPixY == 0) + { + SAL_WARN("vcl.emf", "invalid scaling factor"); + return Point(); + } + else + { + fX2 -= mnWinOrgX; + fY2 -= mnWinOrgY; + fX2 /= mnWinExtX; + fY2 /= mnWinExtY; + fX2 *= mnDevWidth; + fY2 *= mnDevHeight; + fX2 += mnDevOrgX; + fY2 += mnDevOrgY; // fX2, fY2 now in device units + fX2 *= (double)mnMillX * 100.0 / (double)mnPixX; + fY2 *= (double)mnMillY * 100.0 / (double)mnPixY; + } } break; } @@ -1421,7 +1429,8 @@ namespace emfio // #i121382# Map DXArray using WorldTransform const Size aSizeX(ImplMap(Size(nSumX, 0))); const basegfx::B2DVector aVectorX(aSizeX.Width(), aSizeX.Height()); - pDXArry[i] = basegfx::fround(aVectorX.getLength()) * (nSumX >= 0 ? 1 : -1); + pDXArry[i] = basegfx::fround(aVectorX.getLength()); + pDXArry[i] *= (nSumX >= 0 ? 1 : -1); if (pDYArry) { @@ -1430,7 +1439,8 @@ namespace emfio const Size aSizeY(ImplMap(Size(0, nSumY))); const basegfx::B2DVector aVectorY(aSizeY.Width(), aSizeY.Height()); // Reverse Y - pDYArry[i] = basegfx::fround(aVectorY.getLength()) * (nSumY >= 0 ? -1 : 1); + pDYArry[i] = basegfx::fround(aVectorY.getLength()); + pDYArry[i] *= (nSumY >= 0 ? -1 : 1); } } } |