lotuswordpro/source/filter/lwpdrawobj.cxx | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-)
New commits: commit 4d606a7a24f43ae81552b0c408a642ec8dbbb510 Author: Caolán McNamara <[email protected]> AuthorDate: Wed Jan 26 11:57:13 2022 +0000 Commit: Thorsten Behrens <[email protected]> CommitDate: Thu Feb 3 16:39:19 2022 +0100 ofz#44080 throw exception on a negative length Change-Id: I3e2286cea69908fae3a2dd177d10fca2b7f0c877 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128956 Tested-by: Jenkins Reviewed-by: Xisco Fauli <[email protected]> (cherry picked from commit af8709defeb90464c8724d3fe5fb8cbbf6efc2b8) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129414 Tested-by: Thorsten Behrens <[email protected]> Reviewed-by: Thorsten Behrens <[email protected]> diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx b/lotuswordpro/source/filter/lwpdrawobj.cxx index 163367e9f785..8baed94f135a 100644 --- a/lotuswordpro/source/filter/lwpdrawobj.cxx +++ b/lotuswordpro/source/filter/lwpdrawobj.cxx @@ -1092,6 +1092,9 @@ XFFrame* LwpDrawTextBox::CreateDrawObj(const OUString& rStyleName ) aEncoding = LwpCharSetMgr::GetTextCharEncoding(); } + if (TextLength < 2) + throw BadRead(); + XFParagraph* pXFPara = new XFParagraph(); pXFPara->Add(OUString(reinterpret_cast<char*>(m_aTextRec.pTextString), (TextLength-2), aEncoding)); pXFPara->SetStyleName(rStyleName); commit e59f2023230cbf6acab9249361e9d88d57d9f788 Author: Caolán McNamara <[email protected]> AuthorDate: Sun Jan 16 14:30:15 2022 +0000 Commit: Thorsten Behrens <[email protected]> CommitDate: Thu Feb 3 16:38:58 2022 +0100 ofz: Use-of-uninitialized-value Change-Id: Ib1c3b306573dda073f6ff3d7d0cc17aef39c0a0e Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128436 Tested-by: Jenkins Reviewed-by: Michael Stahl <[email protected]> (cherry picked from commit 7607a7e45a1da570dda0a4b96c08405086a647b6) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129413 Tested-by: Thorsten Behrens <[email protected]> Reviewed-by: Thorsten Behrens <[email protected]> 
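Review bot: In LwpDrawTextBox::CreateDrawObj (commit 4d606a7a) the added `if (TextLength < 2) throw BadRead();` bounds the length only from below, so the `OUString(reinterpret_cast<char*>(m_aTextRec.pTextString), (TextLength-2), aEncoding)` call after it still trusts that the buffer holds at least `TextLength-2` bytes. Where TextLength is computed and how pTextString is sized are both outside this hunk; if they derive from the same record field the two agree, but that should be confirmed and stated next to the guard. A comment such as `// TextLength is file-controlled; TextLength-2 is passed as the OUString length and must not go negative` would also record why the constant is 2. The function body starts and ends outside the hunk.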
diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx b/lotuswordpro/source/filter/lwpdrawobj.cxx index 98b5567037e1..163367e9f785 100644 --- a/lotuswordpro/source/filter/lwpdrawobj.cxx +++ b/lotuswordpro/source/filter/lwpdrawobj.cxx @@ -499,7 +499,7 @@ void LwpDrawPolyLine::Read() m_pStream->ReadUChar( m_aPolyLineRec.aPenColor.unused ); m_pStream->ReadUInt16( m_aPolyLineRec.nNumPoints ); - if (m_aPolyLineRec.nNumPoints > m_pStream->remainingSize() / 4) + if (!m_pStream->good() || m_aPolyLineRec.nNumPoints > m_pStream->remainingSize() / 4) throw BadRead(); m_pVector.reset( new SdwPoint[m_aPolyLineRec.nNumPoints] ); @@ -579,7 +579,7 @@ void LwpDrawPolygon::Read() ReadClosedObjStyle(); m_pStream->ReadUInt16( m_nNumPoints ); - if (m_nNumPoints > m_pStream->remainingSize() / 4) + if (!m_pStream->good() || m_nNumPoints > m_pStream->remainingSize() / 4) throw BadRead(); m_pVector.reset( new SdwPoint[m_nNumPoints] ); @@ -1043,6 +1043,9 @@ void LwpDrawTextBox::Read() m_pStream->ReadInt16( m_aTextRec.nTextRotation ); m_pStream->ReadInt16( m_aTextRec.nTextExtraSpacing ); + if (!m_pStream->good()) + throw BadRead(); + // some draw files in version 1.2 have an extra byte following '\0'. // can't rely on that, so read in the whole string into memory. @@ -1194,17 +1197,17 @@ void LwpDrawTextArt::Read() m_pStream->ReadInt16( m_aTextArtRec.nRotation ); sal_uInt16 nPointNumber; - sal_Int16 nX, nY; m_pStream->ReadUInt16( nPointNumber ); size_t nPoints = nPointNumber*3+1; - if (nPoints > m_pStream->remainingSize() / 4) + if (!m_pStream->good() || nPoints > m_pStream->remainingSize() / 4) throw BadRead(); m_aTextArtRec.aPath[0].n = nPointNumber; m_aTextArtRec.aPath[0].pPts = new SdwPoint[nPoints]; for (size_t nPt = 0; nPt < nPoints; ++nPt) { + sal_Int16 nX, nY; m_pStream->ReadInt16( nX ); m_pStream->ReadInt16( nY ); m_aTextArtRec.aPath[0].pPts[nPt].x = nX; 
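Review bot: The guard in LwpDrawPolyLine::Read now reads `!m_pStream->good() || m_aPolyLineRec.nNumPoints > m_pStream->remainingSize() / 4`, but neither the reason for the stream test nor the divisor is documented. A comment above it, for example `// nNumPoints is only meaningful if the reads above succeeded; each point takes 4 bytes (two 16-bit coordinates)`, would keep a later edit from dropping either half of the condition. The 4-byte figure is inferred from the LwpDrawTextArt::Read loop later in this diff, which reads two Int16 values per point; the PolyLine point loop itself is outside the hunk. The same comment fits the identical guards in LwpDrawPolygon::Read and LwpDrawTextArt::Read.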
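Review bot: In LwpDrawTextArt::Read, moving `sal_Int16 nX, nY;` into the loop body still leaves both variables uninitialized, and the per-point `ReadInt16` calls are not followed by a stream check. If ReadInt16 leaves its argument untouched on failure, a read that fails inside the loop would store indeterminate values into `m_aTextArtRec.aPath[0].pPts[nPt]`. The `remainingSize() / 4` test before the loop should make that unreachable, but initializing at the declaration, `sal_Int16 nX = 0, nY = 0;`, removes the dependency on that reasoning. The same applies to the second loop over `aPath[1]` in the `@@ -1214` hunk. Both loops close outside the visible hunk lines.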
@@ -1214,13 +1217,14 @@ void LwpDrawTextArt::Read() m_pStream->ReadUInt16( nPointNumber ); nPoints = nPointNumber*3+1; - if (nPoints > m_pStream->remainingSize() / 4) + if (!m_pStream->good() || nPoints > m_pStream->remainingSize() / 4) throw BadRead(); m_aTextArtRec.aPath[1].n = nPointNumber; m_aTextArtRec.aPath[1].pPts = new SdwPoint[nPoints]; for (size_t nPt = 0; nPt < nPoints; ++nPt) { + sal_Int16 nX, nY; m_pStream->ReadInt16( nX ); m_pStream->ReadInt16( nY ); m_aTextArtRec.aPath[1].pPts[nPt].x = nX; @@ -1248,7 +1252,7 @@ void LwpDrawTextArt::Read() - (m_aTextArtRec.aPath[1].n*3 + 1)*4; - if (m_aTextArtRec.nTextLen > m_pStream->remainingSize()) + if (!m_pStream->good() || m_aTextArtRec.nTextLen > m_pStream->remainingSize()) throw BadRead(); m_aTextArtRec.pTextString = new sal_uInt8 [m_aTextArtRec.nTextLen]; @@ -1386,7 +1390,7 @@ void LwpDrawBitmap::Read() m_pStream->ReadUInt16( aInfoHeader2.nPlanes ); m_pStream->ReadUInt16( aInfoHeader2.nBitCount ); - if (!IsValid(aInfoHeader2)) + if (!m_pStream->good() || !IsValid(aInfoHeader2)) throw BadRead(); N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount; @@ -1406,7 +1410,7 @@ void LwpDrawBitmap::Read() m_pStream->ReadUInt16( aInfoHeader2.nPlanes ); m_pStream->ReadUInt16( aInfoHeader2.nBitCount ); - if (!IsValid(aInfoHeader2)) + if (!m_pStream->good() || !IsValid(aInfoHeader2)) throw BadRead(); N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount;
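Review bot: In the `@@ -1248` hunk of LwpDrawTextArt::Read, `m_aTextArtRec.nTextLen` is tested only against `remainingSize()`, although the context line above it shows the value is the result of subtracting the path sizes from another quantity. The declared type of nTextLen is not visible here; a wrapped unsigned result would be rejected by this comparison, but a result of zero passes and goes straight to `new sal_uInt8 [m_aTextArtRec.nTextLen]`. If the code that later consumes pTextString subtracts a terminator from the length, as LwpDrawTextBox::CreateDrawObj does with `TextLength-2`, this condition needs a matching lower bound, e.g. `m_aTextArtRec.nTextLen < kMinTextLen ||`. `kMinTextLen` is a placeholder for whatever that consumer subtracts. The consumer is outside this diff, so this needs checking against the full file.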
