author | Caolán McNamara <caolanm@redhat.com> | 2017-11-13 16:03:28 +0000 |
---|---|---|
committer | Andras Timar <andras.timar@collabora.com> | 2017-11-27 12:55:08 +0100 |
commit | bbf087bd267f19c6b4b6f537efaa9adb9fb67748 (patch) | |
tree | 5f0062ed1b5d425e8f946f0ae693707f787bd3ed /filter | |
parent | 3e2aeb61db631a6e2cce0e9d9df2e70db2540c0e (diff) |
ofz: compare against available data len
Reviewed-on: https://gerrit.libreoffice.org/44688
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: David Tardon <dtardon@redhat.com>
(cherry picked from commit 7e3572833b8ce0c9d2b92130df099a8bbbe95c4d)
Change-Id: I407e104e08aa393d66ed5c6baf5e0b0ab2d361bd
Diffstat (limited to 'filter')
-rw-r--r-- | filter/source/graphicfilter/icgm/class7.cxx | 45 |
1 files changed, 29 insertions, 16 deletions
diff --git a/filter/source/graphicfilter/icgm/class7.cxx b/filter/source/graphicfilter/icgm/class7.cxx
index a18c5fd30272..1d5f442b7427 100644
--- a/filter/source/graphicfilter/icgm/class7.cxx
+++ b/filter/source/graphicfilter/icgm/class7.cxx
@@ -30,16 +30,23 @@ void CGM::ImplDoClass7() case 0x01 : /*Message */break; case 0x02 : { - sal_uInt8* pAppData = mpSource + 12; + if (mpEndValidSource - mpSource < 12) + throw css::uno::Exception("attempt to read past end of input", nullptr); + sal_uInt16* pTemp = reinterpret_cast<sal_uInt16*>(mpSource); sal_uInt16 nOpcode = pTemp[ 4 ]; + sal_uInt8* pAppData = mpSource + 12; + if ( mpChart || ( nOpcode == 0 ) ) { switch ( nOpcode ) { case 0x000 : /*AppData - Beginning of File Opcodes*/ { + if (mpEndValidSource - pAppData < 4) + throw css::uno::Exception("attempt to read past end of input", nullptr); + if ( mpChart == nullptr ) mpChart = new CGMChart; mpChart->mnCurrentFileType = pAppData[ 3 ];
@@ -68,6 +75,9 @@ void CGM::ImplDoClass7() case 0x262 : /*AppData - ENDGROUP */break; case 0x264 : /*AppData - DATANODE*/ { + if (static_cast<size_t>(mpEndValidSource - pAppData) < sizeof(DataNode)) + throw css::uno::Exception("attempt to read past end of input", nullptr); + mpChart->mDataNode[ 0 ] = *reinterpret_cast<DataNode*>( pAppData ); sal_Int8 nZoneEnum = mpChart->mDataNode[ 0 ].nZoneEnum; if ( nZoneEnum && ( nZoneEnum <= 6 ) )
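Review bot: The 12-byte check at the top of `case 0x02` guarantees no application data at all, because with exactly 12 bytes left `pAppData` equals `mpEndValidSource`, so every case that dereferences `pAppData` needs its own bound. This commit adds one to 0x000, 0x264, 0x2BE and 0x320 only; the switch continues outside the hunk, so it is worth confirming that no other case reads through `pAppData`. The offsets are also unexplained, and a comment above the first check such as `// pTemp[ 4 ] reads bytes 8-9 (opcode); application data starts at offset 12` would let a reader verify the bounds. The 4-byte check in 0x000 covers the visible `pAppData[ 3 ]`; the rest of that case is outside the hunk.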
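Review bot: `nZoneEnum` is a signed `sal_Int8` taken straight from the file, and the test `nZoneEnum && ( nZoneEnum <= 6 )` at the end of this hunk accepts every negative value. The statement it guards is outside the hunk; if it uses `nZoneEnum` as an index into `mpChart->mDataNode`, a negative value would address memory before the array, and the new length check does nothing about that. I would tighten it to `if ( nZoneEnum > 0 && nZoneEnum <= 6 )`. Separately, the `DataNode` is read through a `reinterpret_cast` at an arbitrary byte offset; `memcpy(&mpChart->mDataNode[ 0 ], pAppData, sizeof(DataNode));` avoids the unaligned access.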
@@ -76,25 +86,25 @@ void CGM::ImplDoClass7() break; case 0x2BE : /*AppData - SHWSLIDEREC*/ { - if ( mnMode & CGM_EXPORT_IMPRESS ) + if (mpEndValidSource - pAppData < 16) + throw css::uno::Exception("attempt to read past end of input", nullptr); + + if ( pAppData[ 16 ] == 0 ) // a blank template ? { - if ( pAppData[ 16 ] == 0 ) // a blank template ? + if ( pAppData[ 2 ] == 46 ) { - if ( pAppData[ 2 ] == 46 ) - { - // this starts the document -> maybe we could insert a new document - } - else if ( pAppData[ 2 ] & 0x80 ) - { - // this is a template - } - else - { - mpOutAct->InsertPage(); - } + // this starts the document -> maybe we could insert a new document + } + else if ( pAppData[ 2 ] & 0x80 ) + { + // this is a template + } + else + { + mpOutAct->InsertPage(); } - mpChart->ResetAnnotation(); } + mpChart->ResetAnnotation(); } break; case 0x2C0 : /*AppData - SHWKEYTABLE */break;
@@ -104,6 +114,9 @@ void CGM::ImplDoClass7() case 0x2CA : /*AppData - SHWAPP */break; case 0x320 : /*AppData - TEXT*/ { + if (mpEndValidSource - pAppData < 9) + throw css::uno::Exception("attempt to read past end of input", nullptr); + TextEntry* pTextEntry = new TextEntry; pTextEntry->nTypeOfText = *(reinterpret_cast<sal_uInt16*>( pAppData ) ); pTextEntry->nRowOrLineNum = *(reinterpret_cast<sal_uInt16*>( pAppData + 2 ) ); |
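Review bot: The new bound in the SHWSLIDEREC case is off by one. It rejects fewer than 16 available bytes, but the next statement reads `pAppData[ 16 ]`, which needs 17, so a record with exactly 16 bytes of data still reads one byte past `mpEndValidSource`. The check should be `if (mpEndValidSource - pAppData < 17)`. The hunk also drops the `mnMode & CGM_EXPORT_IMPRESS` condition, so `InsertPage()` and `ResetAnnotation()` now run in every mode; the commit message does not mention this and it deserves a line of explanation.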
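Review bot: The 9-byte bound in the TEXT case does not line up with the 16-bit reads that follow it. The visible lines read a `sal_uInt16` at offsets 0 and 2, and the remaining field reads are outside the hunk. If the last fixed field is a `sal_uInt16` at offset 8, ten bytes are required and the check should be `if (mpEndValidSource - pAppData < 10)`. Any variable-length text read after the fixed fields would need its own bound against `mpEndValidSource`. A comment naming the fixed-header size next to the check would make the constant verifiable.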