author | Caolán McNamara <caolanm@redhat.com> | 2014-10-20 09:59:28 +0100 |
---|---|---|
committer | Michael Stahl <mstahl@redhat.com> | 2014-10-23 12:21:38 +0000 |
commit | 22590777ac1fbb1b6dadedae166a59ed3c34dc5b (patch) | |
tree | 0e1c08728e9019debdd29a2e318d641d4ec3f8e3 /filter/source/msfilter/msdffimp.cxx | |
parent | ce566d4a49b40d00ece92c53fb6e96d3c928ae0b (diff) |
various untrusted loop bounds
coverity#1242704 Untrusted loop bound
Change-Id: Ib2e00c0cd269dc7ae55b206713fe07e5326072f2
(cherry picked from commit d615d83381a0830a815fe2879ce761f1b00b04e9)
coverity#1242606 Untrusted loop bound
Change-Id: Iafa03d4dd65eb343a80996880bc1ed846d1b7491
(cherry picked from commit 1361dfc0aa835dcb134d5de4bac594519aa16efe)
coverity#1242582 Untrusted loop bound
Change-Id: I72d2c4979b62a025d212ce5ee3b7141c40376fa7
(cherry picked from commit 6118c11a0c5122169979547e8c27136cf58a54a7)
coverity#1242778 Untrusted value as argument
Change-Id: I34d5a5e7c5f0eef51d941c65ab73d5421d5a36cb
(cherry picked from commit be31503ef86d2ad3291ced8fddb9c4da4d324c46)
coverity#1242724 Untrusted value as argument
Change-Id: I6041d09ef0a4ed4af5f1bf93f31a1eac60be1af7
(cherry picked from commit bbe264a19fb82f50d859fc72a47312db0527640f)
coverity#1242717 Untrusted loop bound
Change-Id: I983bba075ab9626c90555fa41f9d473ae60fafea
(cherry picked from commit cf63ebe0f005513c1e989682459bcd0688eb190b)
coverity#1242624 Untrusted loop bound
Change-Id: If2ae1982eec100f5602a13d648beec247ced6aa2
(cherry picked from commit 711e74544d70b108e9bc70772b31f386dbf1c2a4)
coverity#1222238 Untrusted loop bound
Change-Id: I1a4dec8727d0a27f7fd0396fd22d955f61daaee4
(cherry picked from commit 5a89092d5fe43638832ea8f86df34f81869337d9)
coverity#1242573 Untrusted loop bound
Change-Id: Id2847c55ccab7272919e76542bc0e0570bc9af12
(cherry picked from commit 5e2d089f763963e6ce7d3d183bd1bf7932aeaaaf)
coverity#1242573 Untrusted loop bound
(cherry picked from commit 11a514e06bf38c70f2364c8535782aa3f33d6206)
Conflicts:
vcl/source/filter/wmf/winwmf.cxx
Change-Id: Ic84e57fbfa2b532409865c4364b91be594d252cf
pass sfntLen to DumpSfnts etc so sfntP reads can be checked
Change-Id: I5d8092eceb31ba251e75fe2c51b87890b8adcbf2
(cherry picked from commit b4a0104849eeecb7779fda41116c92c362759882)
coverity#1242908 Untrusted value as argument
Change-Id: If9dd92c361d406c435329d29870dc8bb07a8ba7b
(cherry picked from commit d0be09322d127e7d517851db38c764d57fbab2dc)
Reviewed-on: https://gerrit.libreoffice.org/12067
Reviewed-by: Michael Stahl <mstahl@redhat.com>
Tested-by: Michael Stahl <mstahl@redhat.com>
Diffstat (limited to 'filter/source/msfilter/msdffimp.cxx')
-rw-r--r-- | filter/source/msfilter/msdffimp.cxx | 89 |
1 files changed, 62 insertions, 27 deletions
diff --git a/filter/source/msfilter/msdffimp.cxx b/filter/source/msfilter/msdffimp.cxx index dc72ec7bbfea..12ef20aba851 100644 --- a/filter/source/msfilter/msdffimp.cxx +++ b/filter/source/msfilter/msdffimp.cxx @@ -1064,14 +1064,20 @@ void GetShadeColors( const SvxMSDffManager& rManager, const DffPropertyReader& r sal_uInt32 nPos = rIn.Tell(); if ( rProperties.IsProperty( DFF_Prop_fillShadeColors ) ) { - if ( rProperties.SeekToContent( DFF_Prop_fillShadeColors, rIn ) ) + sal_uInt16 i = 0, nNumElem = 0, nNumElemReserved = 0, nSize = 0; + bool bOk = false; + if (rProperties.SeekToContent(DFF_Prop_fillShadeColors, rIn)) { - sal_uInt16 i = 0, nNumElem = 0, nNumElemReserved = 0, nSize = 0; rIn.ReadUInt16( nNumElem ).ReadUInt16( nNumElemReserved ).ReadUInt16( nSize ); + //sanity check that the stream is long enough to fulfill nNumElem * 2 sal_Int32s + bOk = rIn.remainingSize() / (2*sizeof(sal_Int32)) >= nNumElem; + } + if (bOk) + { for ( ; i < nNumElem; i++ ) { - sal_Int32 nColor; - sal_Int32 nDist; + sal_Int32 nColor(0); + sal_Int32 nDist(0); rIn.ReadInt32( nColor ).ReadInt32( nDist ); rShadeColors.push_back( ShadeColor( rManager.MSO_CLR_ToColor( nColor, DFF_Prop_fillColor ), 1.0 - ( nDist / 65536.0 ) ) ); @@ -1897,7 +1903,13 @@ void DffPropertyReader::ApplyCustomShapeGeometryAttributes( SvStream& rIn, SfxIt sal_uInt16 nNumElemMem = 0; rIn.ReadUInt16( nNumElem ).ReadUInt16( nNumElemMem ).ReadUInt16( nElemSize ); } - if ( nElemSize == 36 ) + bool bImport = false; + if (nElemSize == 36) + { + //sanity check that the stream is long enough to fulfill nNumElem * nElemSize; + bImport = rIn.remainingSize() / nElemSize >= nNumElem; + } + if (bImport) { uno::Sequence< beans::PropertyValues > aHandles( nNumElem ); for ( sal_uInt16 i = 0; i < nNumElem; i++ ) 
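Review bot: In the GetShadeColors hunk the element size read into nSize is never compared with the 8 bytes the loop consumes per entry; the new length check hard-codes `2*sizeof(sal_Int32)`, whereas the other guards in this commit gate on the declared element size before dividing. A record that declares a different nSize would pass the check and then be parsed with the wrong stride. If no existing documents depend on other values, consider `bOk = nSize == 2*sizeof(sal_Int32) && rIn.remainingSize() / nSize >= nNumElem;`. The function body continues outside the hunk, so nSize may be consulted further down.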
@@ -2309,12 +2321,19 @@ void DffPropertyReader::ApplyCustomShapeGeometryAttributes( SvStream& rIn, SfxIt
 sal_uInt16 nNumElemMem = 0;
 rIn.ReadUInt16( nNumElem ).ReadUInt16( nNumElemMem ).ReadUInt16( nElemSize );
 }
- if ( nElemSize == 16 )
+ bool bImport = false;
+ if (nElemSize == 16)
+ {
+ //sanity check that the stream is long enough to fulfill nNumElem * nElemSize;
+ bImport = rIn.remainingSize() / nElemSize >= nNumElem;
+ }
+ if (bImport)
 {
- sal_Int32 nLeft, nTop, nRight, nBottom;
 com::sun::star::uno::Sequence< com::sun::star::drawing::EnhancedCustomShapeTextFrame > aTextFrames( nNumElem );
- for ( sal_uInt16 i = 0; i < nNumElem; i++ )
+ for (sal_uInt16 i = 0; i < nNumElem; ++i)
 {
+ sal_Int32 nLeft(0), nTop(0), nRight(0), nBottom(0);
+
 rIn.ReadInt32( nLeft )
 .ReadInt32( nTop )
 .ReadInt32( nRight )
@@ -2342,26 +2361,37 @@ void DffPropertyReader::ApplyCustomShapeGeometryAttributes( SvStream& rIn, SfxIt if ( SeekToContent( DFF_Prop_connectorPoints, rIn ) ) rIn.ReadUInt16( nNumElemVert ).ReadUInt16( nNumElemMemVert ).ReadUInt16( nElemSizeVert ); - sal_Int32 nX, nY; - sal_Int16 nTmpA, nTmpB; - aGluePoints.realloc( nNumElemVert ); - for ( sal_uInt16 i = 0; i < nNumElemVert; i++ ) + bool bImport = false; + if (nNumElemVert) { - if ( nElemSizeVert == 8 ) - { - rIn.ReadInt32( nX ) - .ReadInt32( nY ); - } - else + //sanity check that the stream is long enough to fulfill nNumElemVert * nElemSizeVert; + bImport = rIn.remainingSize() / nElemSizeVert >= nNumElemVert; + } + + if (bImport) + { + aGluePoints.realloc( nNumElemVert ); + for (sal_uInt16 i = 0; i < nNumElemVert; ++i) { - rIn.ReadInt16( nTmpA ) - .ReadInt16( nTmpB ); + sal_Int32 nX(0), nY(0); + if ( nElemSizeVert == 8 ) + { + rIn.ReadInt32( nX ) + .ReadInt32( nY ); + } + else + { + sal_Int16 nTmpA(0), nTmpB(0); - nX = nTmpA; - nY = nTmpB; + rIn.ReadInt16( nTmpA ) + .ReadInt16( nTmpB ); + + nX = nTmpA; + nY = nTmpB; + } + EnhancedCustomShape2d::SetEnhancedCustomShapeParameter( aGluePoints[ i ].First, nX ); + EnhancedCustomShape2d::SetEnhancedCustomShapeParameter( aGluePoints[ i ].Second, nY ); } - EnhancedCustomShape2d::SetEnhancedCustomShapeParameter( aGluePoints[ i ].First, nX ); - EnhancedCustomShape2d::SetEnhancedCustomShapeParameter( aGluePoints[ i ].Second, nY ); } const OUString sGluePoints( "GluePoints" ); aProp.Name = sGluePoints; 
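Review bot: The new guard in the connectorPoints block divides by nElemSizeVert without validating it, so a record with a non-zero nNumElemVert and an nElemSizeVert of 0 reaches `rIn.remainingSize() / nElemSizeVert` and divides by zero. The loop reads 8 bytes per element when the size is 8 and 4 bytes for every other value, so for any other declared size the check also measures the wrong amount of data. Either gate on the two sizes as the ProcessObj hunk does, `if (nNumElemVert && (nElemSizeVert == 8 || nElemSizeVert == 4))`, or divide by the bytes actually consumed, `const sal_uInt16 nBytes = (nElemSizeVert == 8) ? 8 : 4;`. The declarations and initial values of the three fields are outside the hunk.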
@@ -5319,19 +5349,24 @@ SdrObject* SvxMSDffManager::ProcessObj(SvStream& rSt,
 {
 delete pTextImpRec->pWrapPolygon;
 pTextImpRec->pWrapPolygon = NULL;
- sal_uInt16 nNumElemVert, nNumElemMemVert, nElemSizeVert;
+ sal_uInt16 nNumElemVert(0), nNumElemMemVert(0), nElemSizeVert(0);
 rSt.ReadUInt16( nNumElemVert ).ReadUInt16( nNumElemMemVert ).ReadUInt16( nElemSizeVert );
+ bool bOk = false;
 if (nNumElemVert && ((nElemSizeVert == 8) || (nElemSizeVert == 4)))
 {
+ bOk = rSt.remainingSize() / nElemSizeVert >= nNumElemVert;
+ }
+ if (bOk)
+ {
 pTextImpRec->pWrapPolygon = new Polygon(nNumElemVert);
 for (sal_uInt16 i = 0; i < nNumElemVert; ++i)
 {
- sal_Int32 nX, nY;
+ sal_Int32 nX(0), nY(0);
 if (nElemSizeVert == 8)
 rSt.ReadInt32( nX ).ReadInt32( nY );
 else
 {
- sal_Int16 nSmallX, nSmallY;
+ sal_Int16 nSmallX(0), nSmallY(0);
 rSt.ReadInt16( nSmallX ).ReadInt16( nSmallY );
 nX = nSmallX;
 nY = nSmallY; |