ofz#14469 null deref

since... commit af84fc9d906626255aaf136eefc5e55236e0e8a6 Date: Tue Apr 23 15:48:41 2019 +0200 lazy image loading shouldn't read the entire .xls file (tdf#124828) nLength is just an unchecked value in the dff stream, it might not be sane so limit it to the max len of the stream Change-Id: Ia8a2830478952afe1317b5cd795f35059d9b380a Reviewed-on: https://gerrit.libreoffice.org/71412 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolanm@redhat.com> Tested-by: Caolán McNamara <caolanm@redhat.com>
author: Caolán McNamara <caolanm@redhat.com> 2019-04-27 11:52:11 +0100
committer: Caolán McNamara <caolanm@redhat.com> 2019-04-27 15:32:45 +0200
commit: 9c9acc9e6ac1a085232242138510cc7d711e9922 (patch)
tree: 067381649504dd02df0935cc63314d406254164c /vcl
parent: 571c233dff5afc22b0428fbd89a8cce0a0abf015 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/vcl/source/filter/graphicfilter.cxx b/vcl/source/filter/graphicfilter.cxx
index 10a4559a8db4..7a0cb0f6412c 100644
--- a/vcl/source/filter/graphicfilter.cxx
+++ b/vcl/source/filter/graphicfilter.cxx
@@ -1442,7 +1442,9 @@ Graphic GraphicFilter::ImportUnloadedGraphic(SvStream& rIStream, sal_uInt64 size
     ErrCode nStatus = ImpTestOrFindFormat("", rIStream, nFormat);
 
     rIStream.Seek(nStreamBegin);
-    const sal_uInt32 nStreamLength( sizeLimit ? sizeLimit : rIStream.remainingSize());
+    sal_uInt32 nStreamLength(rIStream.remainingSize());
+    if (sizeLimit && sizeLimit < nStreamLength)
+        nStreamLength = sizeLimit;
 
     OUString aFilterName = pConfig->GetImportFilterName(nFormat);
     OUString aExternalFilterName = pConfig->GetExternalFilterName(nFormat, false);
author	Caolán McNamara <caolanm@redhat.com>	2019-04-27 11:52:11 +0100
committer	Caolán McNamara <caolanm@redhat.com>	2019-04-27 15:32:45 +0200
commit	9c9acc9e6ac1a085232242138510cc7d711e9922 (patch)
tree	067381649504dd02df0935cc63314d406254164c /vcl
parent	571c233dff5afc22b0428fbd89a8cce0a0abf015 (diff)