authorCaolán McNamara <caolanm@redhat.com>2017-04-02 11:31:10 +0100
committerAndras Timar <andras.timar@collabora.com>2017-04-07 07:53:00 +0200
commit3e2c275cb5b6697588526951155ec90327e2ba7d (patch)
tree83b3afd8875c3d1ce7b2e7a7e471963eecb68663 /filter
parentacc586d99d4bf1059d61308c7bb6c1750e06774a (diff)
ofz: check bounds on read
Change-Id: I07779bec876b90e36f20a81d6dbf06ae727edf85 (cherry picked from commit fb05611064e12c8eda09bc32c42544cde8c2ab49) Reviewed-on: https://gerrit.libreoffice.org/36018 Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Michael Stahl <mstahl@redhat.com> (cherry picked from commit daa13c049f1d527e51a776f75748ddfba4e9666b)
Diffstat (limited to 'filter')
-rw-r--r--filter/source/graphicfilter/icgm/cgm.cxx8
-rw-r--r--filter/source/graphicfilter/icgm/class1.cxx17
-rw-r--r--filter/source/graphicfilter/icgm/class4.cxx25
3 files changed, 31 insertions, 19 deletions
diff --git a/filter/source/graphicfilter/icgm/cgm.cxx b/filter/source/graphicfilter/icgm/cgm.cxx
index 00d3ceca3567..7cdac8fadd54 100644
--- a/filter/source/graphicfilter/icgm/cgm.cxx
+++ b/filter/source/graphicfilter/icgm/cgm.cxx
@@ -101,7 +101,7 @@ sal_uInt32 CGM::GetBackGroundColor()
sal_uInt32 CGM::ImplGetUI16( sal_uInt32 /*nAlign*/ )
{
sal_uInt8* pSource = mpSource + mnParaSize;
- if (pSource + 2 > mpEndValidSource)
+ if (mpEndValidSource - pSource < 2)
throw css::uno::Exception("attempt to read past end of input", nullptr);
mnParaSize += 2;
return ( pSource[ 0 ] << 8 ) + pSource[ 1 ];
@@ -115,7 +115,7 @@ sal_uInt8 CGM::ImplGetByte( sal_uInt32 nSource, sal_uInt32 nPrecision )
sal_Int32 CGM::ImplGetI( sal_uInt32 nPrecision )
{
sal_uInt8* pSource = mpSource + mnParaSize;
- if (pSource + nPrecision > mpEndValidSource)
+ if (static_cast<sal_uIntPtr>(mpEndValidSource - pSource) < nPrecision)
throw css::uno::Exception("attempt to read past end of input", nullptr);
mnParaSize += nPrecision;
switch( nPrecision )
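Review bot: The cast to `sal_uIntPtr` in the new check in `ImplGetI` turns a negative remainder into a very large value, so if `mnParaSize` has already carried `pSource` past `mpEndValidSource` the test passes and the read goes ahead. The `ImplGetUI16` hunk above keeps the comparison signed and does reject that case; the same cast appears in the `ImplGetUI` and `ImplGetFloat` hunks and in every check added in class1.cxx and class4.cxx. Whether `mnParaSize` can overshoot is not visible from these hunks, so I would guard it explicitly: `if (pSource > mpEndValidSource || static_cast<sal_uIntPtr>(mpEndValidSource - pSource) < nPrecision)`. The body of `ImplGetI` continues outside the hunk.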
@@ -147,7 +147,7 @@ sal_Int32 CGM::ImplGetI( sal_uInt32 nPrecision )
sal_uInt32 CGM::ImplGetUI( sal_uInt32 nPrecision )
{
sal_uInt8* pSource = mpSource + mnParaSize;
- if (pSource + nPrecision > mpEndValidSource)
+ if (static_cast<sal_uIntPtr>(mpEndValidSource - pSource) < nPrecision)
throw css::uno::Exception("attempt to read past end of input", nullptr);
mnParaSize += nPrecision;
switch( nPrecision )
@@ -202,7 +202,7 @@ double CGM::ImplGetFloat( RealPrecision eRealPrecision, sal_uInt32 nRealSize )
const bool bCompatible = false;
#endif
- if (mpSource + mnParaSize + nRealSize > mpEndValidSource)
+ if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) < nRealSize)
throw css::uno::Exception("attempt to read past end of input", nullptr);
if ( bCompatible )
diff --git a/filter/source/graphicfilter/icgm/class1.cxx b/filter/source/graphicfilter/icgm/class1.cxx
index 641355924f74..895dd8247d0b 100644
--- a/filter/source/graphicfilter/icgm/class1.cxx
+++ b/filter/source/graphicfilter/icgm/class1.cxx
@@ -176,8 +176,11 @@ void CGM::ImplDoClass1()
{
while ( mnParaSize < mnElementSize )
{
- sal_uInt32 nSize;
- nSize = ImplGetUI( 1 );
+ sal_uInt32 nSize = ImplGetUI(1);
+
+ if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) < nSize)
+ throw css::uno::Exception("attempt to read past end of input", nullptr);
+
pElement->aFontList.InsertName( mpSource + mnParaSize, nSize );
mnParaSize += nSize;
}
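Review bot: The remaining-bytes test added before `InsertName` is the same expression and exception that this commit also writes out in the second class1.cxx hunk and three times in class4.cxx, so a later fix to one copy can easily miss the others. A small private member that takes the byte count and throws would keep the parser's bounds rule in one place, with each call site reading something like `ImplCheckAvailable(nSize);` (the name is a suggestion, not an existing function). `ImplDoClass1` starts and ends outside the hunk.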
@@ -187,10 +190,12 @@ void CGM::ImplDoClass1()
{
while ( mnParaSize < mnElementSize )
{
- sal_uInt32 nCharSetType;
- sal_uInt32 nSize;
- nCharSetType = ImplGetUI16();
- nSize = ImplGetUI( 1 );
+ sal_uInt32 nCharSetType = ImplGetUI16();
+ sal_uInt32 nSize = ImplGetUI(1);
+
+ if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) < nSize)
+ throw css::uno::Exception("attempt to read past end of input", nullptr);
+
pElement->aFontList.InsertCharSet( (CharSetType)nCharSetType, mpSource + mnParaSize, nSize );
mnParaSize += nSize;
}
diff --git a/filter/source/graphicfilter/icgm/class4.cxx b/filter/source/graphicfilter/icgm/class4.cxx
index 442f10dc087d..ff574c4eece4 100644
--- a/filter/source/graphicfilter/icgm/class4.cxx
+++ b/filter/source/graphicfilter/icgm/class4.cxx
@@ -178,15 +178,18 @@ void CGM::ImplDoClass4()
case 0x04 : /*Text*/
{
FloatPoint aFloatPoint;
- sal_uInt32 nType, nSize;
if ( mbFigure )
mpOutAct->CloseRegion();
ImplGetPoint ( aFloatPoint, true );
- nType = ImplGetUI16( 4 );
- nSize = ImplGetUI( 1 );
- mpSource[ mnParaSize + nSize ] = 0;
+ sal_uInt32 nType = ImplGetUI16( 4 );
+ sal_uInt32 nSize = ImplGetUI( 1 );
+
+ if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) < nSize)
+ throw css::uno::Exception("attempt to read past end of input", nullptr);
+
+ mpSource[mnParaSize + nSize] = 0;
awt::Size aSize;
awt::Point aPoint( (long)aFloatPoint.X, (long)aFloatPoint.Y );
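Review bot: The added check before `mpSource[mnParaSize + nSize] = 0` still allows `nSize` to equal the bytes remaining, and in that case the terminator is written at `mpEndValidSource` itself, one byte past the validated input. Unless the buffer is known to carry a spare byte after `mpEndValidSource` (not visible here), the write needs the stricter test `if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) <= nSize)`. The two later hunks in this file that add the same check before a terminator write have the same gap. `ImplDoClass4` continues outside the hunk.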
@@ -200,7 +203,6 @@ void CGM::ImplDoClass4()
{
double dx, dy;
FloatPoint aFloatPoint;
- sal_uInt32 nType, nSize;
if ( mbFigure )
mpOutAct->CloseRegion();
@@ -219,8 +221,11 @@ void CGM::ImplDoClass4()
ImplMapDouble( dy );
ImplGetPoint ( aFloatPoint, true );
- nType = ImplGetUI16( 4 );
- nSize = ImplGetUI( 1 );
+ sal_uInt32 nType = ImplGetUI16(4);
+ sal_uInt32 nSize = ImplGetUI(1);
+
+ if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) < nSize)
+ throw css::uno::Exception("attempt to read past end of input", nullptr);
mpSource[ mnParaSize + nSize ] = 0;
@@ -234,10 +239,12 @@ void CGM::ImplDoClass4()
case 0x06 : /*Append Text*/
{
- sal_uInt32 nSize;
sal_uInt32 nType = ImplGetUI16( 4 );
+ sal_uInt32 nSize = ImplGetUI( 1 );
+
+ if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) < nSize)
+ throw css::uno::Exception("attempt to read past end of input", nullptr);
- nSize = ImplGetUI( 1 );
mpSource[ mnParaSize + nSize ] = 0;
mpOutAct->AppendText( reinterpret_cast<char*>(mpSource) + mnParaSize, nSize, (FinalFlag)nType );