ofz#7165 set a recursion limit for svm in svm

Change-Id: Id9089986012588690b6d5e33cd71d094ef2357dd Reviewed-on: https://gerrit.libreoffice.org/51983 Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
author: Caolán McNamara <caolanm@redhat.com> 2018-03-28 08:53:20 +0100
committer: Michael Stahl <Michael.Stahl@cib.de> 2018-04-04 16:49:40 +0200
commit: 2e82188ff824f9d9f1cf7161f882ff7f3d227e7f (patch)
tree: f9cde6573acb34b4d51f2afc9e7aa39431ef92b0 /vcl
parent: e0f2887736aebf1244dc85ae7e05e65e1e3fb988 (diff)
3 files changed, 38 insertions, 6 deletions
diff --git a/vcl/qa/cppunit/graphicfilter/data/svm/fail/ofz7165-1.svm b/vcl/qa/cppunit/graphicfilter/data/svm/fail/ofz7165-1.svm
new file mode 100644
index 000000000000..ad722ea13a6c
--- /dev/null
+++ b/vcl/qa/cppunit/graphicfilter/data/svm/fail/ofz7165-1.svm
diff --git a/vcl/source/gdi/gdimtf.cxx b/vcl/source/gdi/gdimtf.cxx
index a9c24b8c4843..9fbeb487908a 100644
--- a/vcl/source/gdi/gdimtf.cxx
+++ b/vcl/source/gdi/gdimtf.cxx
@@ -2666,7 +2666,31 @@ sal_uLong GDIMetaFile::GetSizeBytes() const
     return nSizeBytes;
 }
 
-SvStream& ReadGDIMetaFile( SvStream& rIStm, GDIMetaFile& rGDIMetaFile )
+namespace
+{
+    class DepthGuard
+    {
+    private:
+        ImplMetaReadData& m_rData;
+        rtl_TextEncoding m_eOrigCharSet;
+    public:
+        DepthGuard(ImplMetaReadData& rData, SvStream& rIStm)
+            : m_rData(rData)
+            , m_eOrigCharSet(m_rData.meActualCharSet)
+        {
+            ++m_rData.mnParseDepth;
+            m_rData.meActualCharSet = rIStm.GetStreamCharSet();
+        }
+        bool TooDeep() const { return m_rData.mnParseDepth > 1024; }
+        ~DepthGuard()
+        {
+            --m_rData.mnParseDepth;
+            m_rData.meActualCharSet = m_eOrigCharSet;
+        }
+    };
+}
+
+SvStream& ReadGDIMetaFile(SvStream& rIStm, GDIMetaFile& rGDIMetaFile, ImplMetaReadData* pData)
 {
     if (rIStm.GetError())
     {
@@ -2700,12 +2724,20 @@ SvStream& ReadGDIMetaFile( SvStream& rIStm, GDIMetaFile& rGDIMetaFile )
 
             pCompat.reset(); // destructor writes stuff into the header
 
-            ImplMetaReadData aReadData;
-            aReadData.meActualCharSet = rIStm.GetStreamCharSet();
+            std::unique_ptr<ImplMetaReadData> xReadData;
+            if (!pData)
+            {
+                xReadData.reset(new ImplMetaReadData);
+                pData = xReadData.get();
+            }
+            DepthGuard aDepthGuard(*pData, rIStm);
+
+            if (aDepthGuard.TooDeep())
+                throw std::runtime_error("too much recursion");
 
             for( sal_uInt32 nAction = 0; ( nAction < nCount ) && !rIStm.eof(); nAction++ )
             {
-                MetaAction* pAction = MetaAction::ReadMetaAction( rIStm, &aReadData );
+                MetaAction* pAction = MetaAction::ReadMetaAction(rIStm, pData);
                 if( pAction )
                 {
                     if (pAction->GetType() == MetaActionType::COMMENT)
diff --git a/vcl/source/gdi/metaact.cxx b/vcl/source/gdi/metaact.cxx
index 31b7d5fa5da9..b4e9063c7010 100644
--- a/vcl/source/gdi/metaact.cxx
+++ b/vcl/source/gdi/metaact.cxx
@@ -3046,10 +3046,10 @@ void MetaFloatTransparentAction::Write( SvStream& rOStm, ImplMetaWriteData* pDat
     WriteGradient( rOStm, maGradient );
 }
 
-void MetaFloatTransparentAction::Read( SvStream& rIStm, ImplMetaReadData* )
+void MetaFloatTransparentAction::Read(SvStream& rIStm, ImplMetaReadData* pData)
 {
     VersionCompat aCompat(rIStm, StreamMode::READ);
-    ReadGDIMetaFile( rIStm, maMtf );
+    ReadGDIMetaFile(rIStm, maMtf, pData);
     ReadPair( rIStm, maPoint );
     ReadPair( rIStm, maSize );
     ReadGradient( rIStm, maGradient );
author	Caolán McNamara <caolanm@redhat.com>	2018-03-28 08:53:20 +0100
committer	Michael Stahl <Michael.Stahl@cib.de>	2018-04-04 16:49:40 +0200
commit	2e82188ff824f9d9f1cf7161f882ff7f3d227e7f (patch)
tree	f9cde6573acb34b4d51f2afc9e7aa39431ef92b0 /vcl
parent	e0f2887736aebf1244dc85ae7e05e65e1e3fb988 (diff)