vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-2.wmf |binary vcl/source/filter/wmf/enhwmf.cxx | 7 ++++--- 2 files changed, 4 insertions(+), 3 deletions(-)
New commits: commit aff9057c35827ec7a6219b1c752f7525db64cdca Author: Caolán McNamara <[email protected]> Date: Wed Aug 12 16:30:21 2015 +0100 another avoid endless loop with busted wmf Change-Id: Ie4068fdc1e54e0ad3e55354938a4c5e1459e7fe0 (cherry picked from commit 7ffe6aebb44ed3f7b5fd1ffe3ccfccf0f61984b3) Reviewed-on: https://gerrit.libreoffice.org/17682 Tested-by: Jenkins <[email protected]> Reviewed-by: David Tardon <[email protected]> diff --git a/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-2.wmf b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-2.wmf new file mode 100644 index 0000000..f8f1538 Binary files /dev/null and b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-2.wmf differ diff --git a/vcl/source/filter/wmf/enhwmf.cxx b/vcl/source/filter/wmf/enhwmf.cxx index c20ab5f..8b92f54 100644 --- a/vcl/source/filter/wmf/enhwmf.cxx +++ b/vcl/source/filter/wmf/enhwmf.cxx @@ -637,14 +637,15 @@ bool EnhWMFReader::ReadEnhWMF() break; } - nNextPos = pWMF->Tell() + ( nRecSize - 8 ); - - if ( !pWMF->good() || nNextPos > nEndPos ) + const sal_uInt32 nMaxPossibleRecSize = nEndPos - pWMF->Tell() + 8; + if (nRecSize > nMaxPossibleRecSize) { bStatus = false; break; } + nNextPos = pWMF->Tell() + ( nRecSize - 8 ); + if( !aBmpSaveList.empty() && ( nRecType != EMR_STRETCHBLT ) && ( nRecType != EMR_STRETCHDIBITS )
_______________________________________________ Libreoffice-commits mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
