diff options
| -rw-r--r-- | basegfx/source/polygon/b2dtrapezoid.cxx | 4 | ||||
| -rw-r--r-- | drawinglayer/source/primitive2d/metafileprimitive2d.cxx | 12 | ||||
| -rw-r--r-- | editeng/source/misc/svxacorr.cxx | 2 | ||||
| -rw-r--r-- | filter/source/msfilter/svdfppt.cxx | 16 | ||||
| -rw-r--r-- | solenv/inc/minor.mk | 6 | ||||
| -rw-r--r-- | sw/source/filter/ww8/ww8par.cxx | 9 | ||||
| -rw-r--r-- | sw/source/filter/ww8/ww8scan.cxx | 17 | ||||
| -rwxr-xr-x | vcl/aqua/source/gdi/salatslayout.cxx | 5 | ||||
| -rw-r--r-- | vcl/source/gdi/metaact.cxx | 34 | ||||
| -rw-r--r-- | vcl/source/gdi/pdfwriter_impl.cxx | 9 | ||||
| -rw-r--r-- | vcl/source/gdi/pngread.cxx | 28 |
11 files changed, 100 insertions, 42 deletions
diff --git a/basegfx/source/polygon/b2dtrapezoid.cxx b/basegfx/source/polygon/b2dtrapezoid.cxx index c1e0f7f6c7c1..d89ec7c6cf73 100644 --- a/basegfx/source/polygon/b2dtrapezoid.cxx +++ b/basegfx/source/polygon/b2dtrapezoid.cxx @@ -798,6 +798,7 @@ namespace basegfx if(splitEdgeAtGivenPoint(aLeft, *pNewLeft, aCurrent)) { maNewPoints.push_back(pNewLeft); + bDone = true; } else { @@ -809,13 +810,12 @@ namespace basegfx if(splitEdgeAtGivenPoint(aRight, *pNewRight, aCurrent)) { maNewPoints.push_back(pNewRight); + bDone = true; } else { delete pNewRight; } - - bDone = true; } } diff --git a/drawinglayer/source/primitive2d/metafileprimitive2d.cxx b/drawinglayer/source/primitive2d/metafileprimitive2d.cxx index 0d57e566ef8a..73683884e2bd 100644 --- a/drawinglayer/source/primitive2d/metafileprimitive2d.cxx +++ b/drawinglayer/source/primitive2d/metafileprimitive2d.cxx @@ -248,9 +248,12 @@ namespace if(nPushFlags) { OSL_ENSURE(maPropertyHolders.size(), "PropertyHolders: PUSH with no property holders (!)"); - PropertyHolder* pNew = new PropertyHolder(*maPropertyHolders.back()); - pNew->setPushFlags(nPushFlags); - maPropertyHolders.push_back(pNew); + if ( !maPropertyHolders.empty() ) + { + PropertyHolder* pNew = new PropertyHolder(*maPropertyHolders.back()); + pNew->setPushFlags(nPushFlags); + maPropertyHolders.push_back(pNew); + } } } @@ -354,8 +357,9 @@ namespace PropertyHolder& Current() { + static PropertyHolder aDummy; OSL_ENSURE(maPropertyHolders.size(), "PropertyHolders: CURRENT with no property holders (!)"); - return *maPropertyHolders.back(); + return maPropertyHolders.empty() ? aDummy : *maPropertyHolders.back(); } ~PropertyHolders() diff --git a/editeng/source/misc/svxacorr.cxx b/editeng/source/misc/svxacorr.cxx index f969a8033f08..b7124881c90e 100644 --- a/editeng/source/misc/svxacorr.cxx +++ b/editeng/source/misc/svxacorr.cxx @@ -701,7 +701,7 @@ BOOL SvxAutoCorrect::FnAddNonBrkSpace( bRunNext = true; } } - else if ( cChar == '/' ) + else if ( cChar == '/' && nEndPos > 1 && rTxt.Len() > (nEndPos - 1) ) { // Remove the hardspace right before to avoid formatting URLs sal_Unicode cPrevChar = rTxt.GetChar( nEndPos - 1 ); diff --git a/filter/source/msfilter/svdfppt.cxx b/filter/source/msfilter/svdfppt.cxx index f334c86bbc5f..05f99aa36813 100644 --- a/filter/source/msfilter/svdfppt.cxx +++ b/filter/source/msfilter/svdfppt.cxx @@ -1468,12 +1468,16 @@ SdrPowerPointImport::SdrPowerPointImport( PowerPointImportParam& rParam, const S if ( bOk ) { - // PersistPtrs lesen (alle) - nPersistPtrAnz = aUserEditAtom.nMaxPersistWritten + 1; // 1 mehr, damit ich immer direkt indizieren kann - pPersistPtr = new UINT32[ nPersistPtrAnz ]; // (die fangen naemlich eigentlich bei 1 an) + nPersistPtrAnz = aUserEditAtom.nMaxPersistWritten + 1; + if ( ( nPersistPtrAnz >> 2 ) > nStreamLen ) // sj: at least nPersistPtrAnz is not allowed to be greater than filesize + bOk = FALSE; // (it should not be greater than the PPT_PST_PersistPtrIncrementalBlock, but + // we are reading this block later, so we do not have access yet) + + if ( bOk && ( nPersistPtrAnz < ( SAL_MAX_UINT32 / sizeof( UINT32 ) ) ) ) + pPersistPtr = new (std::nothrow) UINT32[ nPersistPtrAnz ]; if ( !pPersistPtr ) bOk = FALSE; - else + if ( bOk ) { memset( pPersistPtr, 0x00, nPersistPtrAnz * 4 ); @@ -5087,8 +5091,8 @@ void PPTStyleTextPropReader::ReadParaProps( SvStream& rIn, SdrPowerPointImport& rIn >> nCharCount >> aParaPropSet.pParaSet->mnDepth; // Einruecktiefe - aParaPropSet.pParaSet->mnDepth = - std::min(sal_uInt16(9), + aParaPropSet.pParaSet->mnDepth = // taking care of about using not more than 9 outliner levels + std::min(sal_uInt16(8), aParaPropSet.pParaSet->mnDepth); nCharCount--; diff --git a/solenv/inc/minor.mk b/solenv/inc/minor.mk index 6b224831e369..98281accfb44 100644 --- a/solenv/inc/minor.mk +++ b/solenv/inc/minor.mk @@ -1,5 +1,5 @@ RSCVERSION=330 -RSCREVISION=330m16(Build:9549) -BUILD=9549 -LAST_MINOR=m16 +RSCREVISION=330m17(Build:9551) +BUILD=9551 +LAST_MINOR=m17 SOURCEVERSION=OOO330 diff --git a/sw/source/filter/ww8/ww8par.cxx b/sw/source/filter/ww8/ww8par.cxx index 24f36b047a4e..cd11631a0181 100644 --- a/sw/source/filter/ww8/ww8par.cxx +++ b/sw/source/filter/ww8/ww8par.cxx @@ -4919,7 +4919,14 @@ ULONG WW8Reader::Read(SwDoc &rDoc, const String& rBaseURL, SwPaM &rPam, const St } SwWW8ImplReader* pRdr = new SwWW8ImplReader(nVersion, pStg, pIn, rDoc, rBaseURL, bNew); - nRet = pRdr->LoadDoc( rPam ); + try + { + nRet = pRdr->LoadDoc( rPam ); + } + catch( const std::exception& ) + { + nRet = ERR_WW8_NO_WW8_FILE_ERR; + } delete pRdr; if( refStrm.Is() ) diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx index d64e207313d8..171e45260818 100644 --- a/sw/source/filter/ww8/ww8scan.cxx +++ b/sw/source/filter/ww8/ww8scan.cxx @@ -892,11 +892,18 @@ void WW8SprmIter::SetSprms(const BYTE* pSprms_, long nLen_) const BYTE* WW8SprmIter::operator ++( int ) { - if (nRemLen > 0) + if (nRemLen > 0 ) { - pSprms += nAktSize; - nRemLen -= nAktSize; - UpdateMyMembers(); + if( nRemLen >= nAktSize ) + { + pSprms += nAktSize; + nRemLen -= nAktSize; + UpdateMyMembers(); + } + else + { + throw( ::std::exception() ); + } } return pSprms; } @@ -3247,6 +3254,8 @@ void WW8PLCFx_Cp_FKP::GetSprms(WW8PLCFxDesc* p) Otherwise our cool fastsave algorithm can be brought to bear on the problem. */ + if( !pPieceIter ) + return; ULONG nOldPos = pPieceIter->GetIdx(); bool bOk = pPieceIter->SeekPos(nOrigCp); pPieceIter->SetIdx( nOldPos ); diff --git a/vcl/aqua/source/gdi/salatslayout.cxx b/vcl/aqua/source/gdi/salatslayout.cxx index 335505de85ac..a355ff86d00e 100755 --- a/vcl/aqua/source/gdi/salatslayout.cxx +++ b/vcl/aqua/source/gdi/salatslayout.cxx @@ -754,9 +754,10 @@ int ATSLayout::GetTextBreak( long nMaxWidth, long nCharExtra, int nFactor ) cons // initial measurement of text break position UniCharArrayOffset nBreakPos = mnMinCharPos; const ATSUTextMeasurement nATSUMaxWidth = Vcl2Fixed( nPixelWidth ); + if( nATSUMaxWidth <= 0xFFFF ) // #i108584# avoid ATSU rejecting the parameter + return mnMinCharPos; // or do ATSUMaxWidth=0x10000; OSStatus eStatus = ATSUBreakLine( maATSULayout, mnMinCharPos, nATSUMaxWidth, false, &nBreakPos ); - if( (eStatus != noErr) && (eStatus != kATSULineBreakInWord) ) return STRING_LEN; @@ -781,7 +782,7 @@ int ATSLayout::GetTextBreak( long nMaxWidth, long nCharExtra, int nFactor ) cons if( eStatus != noErr ) return nBreakPos; const ATSUTextMeasurement nATSURemWidth = nATSUMaxWidth - (nRight - nLeft); - if( nATSURemWidth <= 0 ) + if( nATSURemWidth <= 0xFFFF ) // #i108584# avoid ATSU rejecting the parameter return nBreakPos; UniCharArrayOffset nBreakPosInWord = nBreakPos; eStatus = ATSUBreakLine( maATSULayout, nBreakPos, nATSURemWidth, false, &nBreakPosInWord ); diff --git a/vcl/source/gdi/metaact.cxx b/vcl/source/gdi/metaact.cxx index 8c1545758c3b..79d875542509 100644 --- a/vcl/source/gdi/metaact.cxx +++ b/vcl/source/gdi/metaact.cxx @@ -1441,19 +1441,35 @@ void MetaTextArrayAction::Read( SvStream& rIStm, ImplMetaReadData* pData ) rIStm >> mnLen; rIStm >> nAryLen; + if ( mnIndex > mnLen ) + { + mnIndex = 0; + mpDXAry = 0; + return; + } + if( nAryLen ) { // #i9762#, #106172# Ensure that DX array is at least mnLen entries long - const ULONG nIntAryLen( Max(nAryLen, static_cast<sal_uInt32>(mnLen)) ); - mpDXAry = new sal_Int32[ nIntAryLen ]; - - ULONG i; - for( i = 0UL; i < nAryLen; i++ ) - rIStm >> mpDXAry[ i ]; + if ( mnLen >= nAryLen ) + { + mpDXAry = new (std::nothrow)sal_Int32[ mnLen ]; + if ( mpDXAry ) + { + ULONG i; + for( i = 0UL; i < nAryLen; i++ ) + rIStm >> mpDXAry[ i ]; - // #106172# setup remainder - for( ; i < nIntAryLen; i++ ) - mpDXAry[ i ] = 0; + // #106172# setup remainder + for( ; i < mnLen; i++ ) + mpDXAry[ i ] = 0; + } + } + else + { + mpDXAry = NULL; + return; + } } else mpDXAry = NULL; diff --git a/vcl/source/gdi/pdfwriter_impl.cxx b/vcl/source/gdi/pdfwriter_impl.cxx index 580161da8a4e..aa9f642f9fee 100644 --- a/vcl/source/gdi/pdfwriter_impl.cxx +++ b/vcl/source/gdi/pdfwriter_impl.cxx @@ -7398,7 +7398,14 @@ void PDFWriterImpl::drawLayout( SalLayout& rLayout, const String& rText, bool bT // try to handle ligatures and such if( i < nGlyphs-1 ) { - pUnicodesPerGlyph[i] = nChars = pCharPosAry[i+1] - pCharPosAry[i]; + nChars = pCharPosAry[i+1] - pCharPosAry[i]; + // #i115618# fix for simple RTL+CTL cases + // TODO: sanitize for RTL ligatures, more complex CTL, etc. + if( nChars < 0 ) + nChars = -nChars; + else if( nChars == 0 ) + nChars = 1; + pUnicodesPerGlyph[i] = nChars; for( int n = 1; n < nChars; n++ ) aUnicodes.push_back( rText.GetChar( sal::static_int_cast<xub_StrLen>(pCharPosAry[i]+n) ) ); } diff --git a/vcl/source/gdi/pngread.cxx b/vcl/source/gdi/pngread.cxx index 11971db34378..df67c4974d47 100644 --- a/vcl/source/gdi/pngread.cxx +++ b/vcl/source/gdi/pngread.cxx @@ -411,7 +411,9 @@ BitmapEx PNGReaderImpl::GetBitmapEx( const Size& rPreviewSizeHint ) case PNGCHUNK_IDAT : { - if ( !mbIDAT ) // the gfx is finished, but there may be left a zlibCRC of about 4Bytes + if ( !mpInflateInBuf ) // taking care that the header has properly been read + mbStatus = FALSE; + else if ( !mbIDAT ) // the gfx is finished, but there may be left a zlibCRC of about 4Bytes ImplReadIDAT(); } break; @@ -527,7 +529,7 @@ BOOL PNGReaderImpl::ImplReadHeader( const Size& rPreviewSizeHint ) mbIDAT = mbAlphaChannel = mbTransparent = FALSE; mbGrayScale = mbRGBTriple = FALSE; mnTargetDepth = mnPngDepth; - mnScansize = ( ( maOrigSize.Width() * mnPngDepth ) + 7 ) >> 3; + sal_uInt64 nScansize64 = ( ( static_cast< sal_uInt64 >( maOrigSize.Width() ) * mnPngDepth ) + 7 ) >> 3; // valid color types are 0,2,3,4 & 6 switch ( mnColorType ) @@ -557,7 +559,7 @@ BOOL PNGReaderImpl::ImplReadHeader( const Size& rPreviewSizeHint ) case 2 : // each pixel is an RGB triple { mbRGBTriple = TRUE; - mnScansize *= 3; + nScansize64 *= 3; switch ( mnPngDepth ) { case 16 : // we have to reduce the bitmap @@ -590,7 +592,7 @@ BOOL PNGReaderImpl::ImplReadHeader( const Size& rPreviewSizeHint ) case 4 : // each pixel is a grayscale sample followed by an alpha sample { - mnScansize *= 2; + nScansize64 *= 2; mbAlphaChannel = TRUE; switch ( mnPngDepth ) { @@ -608,7 +610,7 @@ BOOL PNGReaderImpl::ImplReadHeader( const Size& rPreviewSizeHint ) case 6 : // each pixel is an RGB triple followed by an alpha sample { mbRGBTriple = TRUE; - mnScansize *= 4; + nScansize64 *= 4; mbAlphaChannel = TRUE; switch (mnPngDepth ) { @@ -626,16 +628,24 @@ BOOL PNGReaderImpl::ImplReadHeader( const Size& rPreviewSizeHint ) return FALSE; } - mnBPP = mnScansize / maOrigSize.Width(); + mnBPP = static_cast< sal_uInt32 >( nScansize64 / maOrigSize.Width() ); if ( !mnBPP ) mnBPP = 1; - mnScansize++; // each scanline includes one filterbyte + nScansize64++; // each scanline includes one filterbyte + + if ( nScansize64 > SAL_MAX_UINT32 ) + return FALSE; + + mnScansize = static_cast< sal_uInt32 >( nScansize64 ); // TODO: switch between both scanlines instead of copying - mpInflateInBuf = new BYTE[ mnScansize ]; + mpInflateInBuf = new (std::nothrow) BYTE[ mnScansize ]; mpScanCurrent = mpInflateInBuf; - mpScanPrior = new BYTE[ mnScansize ]; + mpScanPrior = new (std::nothrow) BYTE[ mnScansize ]; + + if ( !mpInflateInBuf || !mpScanPrior ) + return FALSE; // calculate target size from original size and the preview hint if( rPreviewSizeHint.Width() || rPreviewSizeHint.Height() ) |