diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2012-08-08 21:39:50 +0100 |
|---|---|---|
| committer | Petr Mladek <pmladek@suse.cz> | 2012-08-15 17:20:13 +0200 |
| commit | b1420b1c50af6b75dd0b2da18ce77af6b180496d (patch) | |
| tree | 7f514ad8b92051ba491b02a17c1127fad346bb9b /svtools | |
| parent | 3fefa69d6d316b9e38f12e3d3eb1fdd5896513cd (diff) | |
validate polypolygon point counts
Change-Id: Ibf6bdf48e5855583f14cd2be36f1e4896a396d32
Signed-off-by: Michael Stahl <mstahl@redhat.com>
Diffstat (limited to 'svtools')
| -rw-r--r-- | svtools/source/filter/wmf/winwmf.cxx | 67 |
1 files changed, 61 insertions, 6 deletions
diff --git a/svtools/source/filter/wmf/winwmf.cxx b/svtools/source/filter/wmf/winwmf.cxx index d9daf2a7df3f..a568e3fb885f 100644 --- a/svtools/source/filter/wmf/winwmf.cxx +++ b/svtools/source/filter/wmf/winwmf.cxx @@ -28,6 +28,7 @@ #include "winmtf.hxx" +#include <boost/scoped_array.hpp> #include <vcl/gdimtf.hxx> #include <svtools/wmf.hxx> #include <rtl/crc.h> @@ -354,28 +355,55 @@ void WMFReader::ReadRecordParams( sal_uInt16 nFunc ) case W_META_POLYPOLYGON: { + bool bRecordOk = true; sal_uInt16 nPoly = 0; Point* pPtAry; // Number of polygons: *pWMF >> nPoly; // Number of points of each polygon. Determine total number of points - sal_uInt16* pnPoints = new sal_uInt16[ nPoly ]; + boost::scoped_array<sal_uInt16> xPolygonPointCounts(new sal_uInt16[nPoly]); + sal_uInt16* pnPoints = xPolygonPointCounts.get(); sal_uInt16 nPoints = 0; for(sal_uInt16 i = 0; i < nPoly; i++ ) { *pWMF >> pnPoints[i]; + + if (pnPoints[i] > SAL_MAX_UINT16 - nPoints) + { + bRecordOk = false; + break; + } + nPoints += pnPoints[i]; } + + SAL_WARN_IF(!bRecordOk, "svtools", "polypolygon record has more polygons that we can handle"); + + bRecordOk &= pWMF->good(); + + if (!bRecordOk) + { + pWMF->SetError( SVSTREAM_FILEFORMAT_ERROR ); + break; + } + // Polygon points are: - pPtAry = new Point[nPoints]; + boost::scoped_array<Point> xPolygonPoints(new Point[nPoints]); + pPtAry = xPolygonPoints.get(); for (sal_uInt16 i = 0; i < nPoints; i++ ) pPtAry[ i ] = ReadPoint(); + bRecordOk &= pWMF->good(); + + if (!bRecordOk) + { + pWMF->SetError( SVSTREAM_FILEFORMAT_ERROR ); + break; + } + // Produce PolyPolygon Actions PolyPolygon aPolyPoly( nPoly, pnPoints, pPtAry ); pOut->DrawPolyPolygon( aPolyPoly ); - delete[] pPtAry; - delete[] pnPoints; } break; @@ -1333,16 +1361,43 @@ sal_Bool WMFReader::GetPlaceableBound( Rectangle& rPlaceableBound, SvStream* pSt case W_META_POLYPOLYGON: { + bool bRecordOk = true; sal_uInt16 nPoly, nPoints = 0; *pStm >> nPoly; for(sal_uInt16 i = 0; i < nPoly; i++ ) { - sal_uInt16 nP; + sal_uInt16 nP = 0; *pStm >> nP; - nPoints = nPoints + nP; + if (nP > SAL_MAX_UINT16 - nPoints) + { + bRecordOk = false; + break; + } + nPoints += nP; } + + SAL_WARN_IF(!bRecordOk, "svtools", "polypolygon record has more polygons that we can handle"); + + bRecordOk &= pStm->good(); + + if (!bRecordOk) + { + pStm->SetError( SVSTREAM_FILEFORMAT_ERROR ); + bRet = sal_False; + break; + } + for (sal_uInt16 i = 0; i < nPoints; i++ ) GetWinExtMax( ReadPoint(), rPlaceableBound, nMapMode ); + + bRecordOk &= pStm->good(); + + if (!bRecordOk) + { + pStm->SetError( SVSTREAM_FILEFORMAT_ERROR ); + bRet = sal_False; + break; + } } break; |