check for legal field sizes before reading

Change-Id: I3cdb647e1a057be5bb4b32d119ee5bcbbedf7473
(cherry picked from commit ad6d83defb33c414885ce6d4bfa85571d463f3c3)
Reviewed-on: https://gerrit.libreoffice.org/18170
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Miklos Vajna <vmiklos@collabora.co.uk>

1 files changed, 19 insertions, 6 deletions

diff --git a/filter/source/graphicfilter/ios2met/ios2met.cxx b/filter/source/graphicfilter/ios2met/ios2met.cxx
index e0d8736929d4..88cc418874de 100644
--- a/filter/source/graphicfilter/ios2met/ios2met.cxx
+++ b/filter/source/graphicfilter/ios2met/ios2met.cxx
@@ -2678,21 +2678,34 @@ void OS2METReader::ReadOS2MET( SvStream & rStreamOS2MET, GDIMetaFile & rGDIMetaF
         pOS2MET->ReadUInt16(nFieldType);
 
         pOS2MET->SeekRel(3);
-        nPos+=8; nFieldSize-=8;
 
-        if (pOS2MET->GetError()) break;
-        if (pOS2MET->IsEof()) {
+        if (pOS2MET->GetError())
+            break;
+
+        if (nFieldType==EndDocumnMagic)
+            break;
+
+        if (pOS2MET->IsEof() || nFieldSize < 8)
+        {
             pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR);
             ErrorCode=8;
             break;
         }
 
-        if (nFieldType==EndDocumnMagic) break;
+        nPos+=8; nFieldSize-=8;
+
+        if (nFieldSize > pOS2MET->remainingSize())
+        {
+            pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR);
+            ErrorCode=8;
+            break;
+        }
 
         ReadField(nFieldType, nFieldSize);
+        nPos += nFieldSize;
 
-        nPos+=(sal_uLong)nFieldSize;
-        if (pOS2MET->Tell()>nPos)  {
+        if (pOS2MET->Tell() > nPos)
+        {
             pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR);
             ErrorCode=9;
             break;