WMF record size < 3 is clearly broken

...so we should not attempt to (mis-)interpret such broken input.

Change-Id: I97f4f46fdfc0dfe6f9aff42917d23634b844c7f0

3 files changed, 12 insertions, 6 deletions

diff --git a/vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2007-1238-1.wmf b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2007-1238-1.wmf
index 10da32742570..10da32742570 100644
--- a/vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2007-1238-1.wmf
+++ b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2007-1238-1.wmf
diff --git a/vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2007-1245-1.wmf b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2007-1245-1.wmf
index 10da32742570..10da32742570 100644
--- a/vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2007-1245-1.wmf
+++ b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/CVE-2007-1245-1.wmf
diff --git a/vcl/source/filter/wmf/winwmf.cxx b/vcl/source/filter/wmf/winwmf.cxx
index 4c2c95c04b42..8079263ded4f 100644
--- a/vcl/source/filter/wmf/winwmf.cxx
+++ b/vcl/source/filter/wmf/winwmf.cxx
@@ -1377,13 +1377,19 @@ bool WMFReader::GetPlaceableBound( Rectangle& rPlaceableBound, SvStream* pStm )
         {
             pStm->ReadUInt32( nRSize ).ReadUInt16( nFunction );
 
-            if( pStm->GetError() || ( nRSize < 3 ) || ( nRSize==3 && nFunction==0 ) || pStm->IsEof() )
+            if( pStm->GetError() )
             {
-                if( pStm->IsEof() )
-                {
-                    pStm->SetError( SVSTREAM_FILEFORMAT_ERROR );
-                    bRet = false;
-                }
+                bRet = false;
+                break;
+            }
+            else if ( nRSize==3 && nFunction==0 )
+            {
+                break;
+            }
+            else if ( nRSize < 3 || pStm->IsEof() )
+            {
+                pStm->SetError( SVSTREAM_FILEFORMAT_ERROR );
+                bRet = false;
                 break;
             }
             switch( nFunction )