filter/source/svg/svgwriter.cxx     |    9 ++++++++-
 vcl/source/filter/svm/SvmReader.cxx |   11 ++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)

New commits:
commit 0ea5dde060df7ef638fbd1f2efe6aa221033e69c
Author:     Caolán McNamara <[email protected]>
AuthorDate: Tue Jun 13 14:45:59 2023 +0100
Commit:     Caolán McNamara <[email protected]>
CommitDate: Tue Jun 13 17:11:24 2023 +0200

    cid#1532379 Untrusted loop bound
    
    and
    
    cid#1532378 Untrusted loop bound
    
    Change-Id: I06f9267f02a6f41559d617c1a43671d4a8234350
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/152964
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <[email protected]>

diff --git a/filter/source/svg/svgwriter.cxx b/filter/source/svg/svgwriter.cxx
index bb9f39dd8d19..be95c89de895 100644
--- a/filter/source/svg/svgwriter.cxx
+++ b/filter/source/svg/svgwriter.cxx
@@ -3393,10 +3393,17 @@ void SVGActionWriter::ImplWriteActions( const 
GDIMetaFile& rMtf,
                         basegfx::BColorStops aColorStops;
                         SvMemoryStream aMemStm(const_cast<sal_uInt8 
*>(pA->GetData()), pA->GetDataSize(), StreamMode::READ);
                         VersionCompatRead aCompat(aMemStm);
-                        sal_uInt16 nTmp;
+                        sal_uInt16 nTmp(0);
                         double fOff, fR, fG, fB;
                         aMemStm.ReadUInt16( nTmp );
 
+                        const size_t nMaxPossibleEntries = 
aMemStm.remainingSize() / 4 * sizeof(double);
+                        if (nTmp > nMaxPossibleEntries)
+                        {
+                            SAL_WARN("filter.svg", "gradiant record claims to 
have: " << nTmp << " entries, but only " << nMaxPossibleEntries << " possible, 
clamping");
+                            nTmp = nMaxPossibleEntries;
+                        }
+
                         for (sal_uInt16 a(0); a < nTmp; a++)
                         {
                             aMemStm.ReadDouble(fOff);
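Review bot: The new bound `aMemStm.remainingSize() / 4 * sizeof(double)` is evaluated left to right as `(remainingSize() / 4) * sizeof(double)`, which is about twice the remaining byte count rather than a number of entries, so a forged `nTmp` is clamped only when very few bytes are left in the stream. If each colour stop is four doubles, as the `fOff, fR, fG, fB` declaration suggests, the divisor needs parentheses: `const size_t nMaxPossibleEntries = aMemStm.remainingSize() / (4 * sizeof(double));`. The same expression is used on `mrStream` in the SvmReader.cxx hunk (FloatTransparentHandler) and needs the same change. The loop body continues outside both hunks, so the per-entry read size should be confirmed there. As a minor point, the SAL_WARN text in both files spells "gradient" as "gradiant".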
diff --git a/vcl/source/filter/svm/SvmReader.cxx 
b/vcl/source/filter/svm/SvmReader.cxx
index 4ec9ec0a3d2e..20462b620da5 100644
--- a/vcl/source/filter/svm/SvmReader.cxx
+++ b/vcl/source/filter/svm/SvmReader.cxx
@@ -1340,10 +1340,19 @@ rtl::Reference<MetaAction> 
SvmReader::FloatTransparentHandler(ImplMetaReadData*
     if (aCompat.GetVersion() > 1)
     {
         basegfx::BColorStops aColorStops;
-        sal_uInt16 nTmp;
+        sal_uInt16 nTmp(0);
         double fOff, fR, fG, fB;
         mrStream.ReadUInt16(nTmp);
 
+        const size_t nMaxPossibleEntries = mrStream.remainingSize() / 4 * 
sizeof(double);
+        if (nTmp > nMaxPossibleEntries)
+        {
+            SAL_WARN("vcl.gdi", "gradiant record claims to have: " << nTmp << 
" entries, but only "
+                                                                   << 
nMaxPossibleEntries
+                                                                   << " 
possible, clamping");
+            nTmp = nMaxPossibleEntries;
+        }
+
         for (sal_uInt16 a(0); a < nTmp; a++)
         {
             mrStream.ReadDouble(fOff);
