Author: damjan
Date: Sun Oct 22 16:47:12 2017
New Revision: 1812930
URL: http://svn.apache.org/viewvc?rev=1812930&view=rev
Log:
Fix OSS-Fuzz issues #414, #415 and #416, which crash AOO due to
number parsing errors, lack of checking for negative length in arrays,
and the lack of memory that these problems eventually cause.
Patch by: me
Modified:
openoffice/trunk/main/filter/source/graphicfilter/idxf/dxfentrd.cxx
openoffice/trunk/main/filter/source/graphicfilter/idxf/dxfgrprd.cxx
Modified: openoffice/trunk/main/filter/source/graphicfilter/idxf/dxfentrd.cxx
URL:
http://svn.apache.org/viewvc/openoffice/trunk/main/filter/source/graphicfilter/idxf/dxfentrd.cxx?rev=1812930&r1=1812929&r2=1812930&view=diff
==============================================================================
--- openoffice/trunk/main/filter/source/graphicfilter/idxf/dxfentrd.cxx
(original)
+++ openoffice/trunk/main/filter/source/graphicfilter/idxf/dxfentrd.cxx Sun Oct
22 16:47:12 2017
@@ -433,8 +433,19 @@ void DXFLWPolyLineEntity::EvaluateGroup(
case 90 :
{
nCount = rDGR.GetI();
- if ( nCount )
- pP = new DXFVector[ nCount ];
+ if ( rDGR.GetStatus() && nCount >= 0 )
+ {
+ try
+ {
+ pP = new DXFVector[ nCount ];
+ }
+ catch (::std::bad_alloc)
+ {
+ rDGR.SetError();
+ }
+ }
+ else
+ rDGR.SetError();
}
break;
case 70: nFlags = rDGR.GetI(); break;
@@ -611,8 +622,19 @@ sal_Bool DXFBoundaryPathData::EvaluateGr
case 93 :
{
nPointCount = rDGR.GetI();
- if ( nPointCount )
- pP = new DXFVector[ nPointCount ];
+ if ( rDGR.GetStatus() && nPointCount >= 0 )
+ {
+ try
+ {
+ pP = new DXFVector[ nPointCount
];
+ }
+ catch (::std::bad_alloc)
+ {
+ rDGR.SetError();
+ }
+ }
+ else
+ rDGR.SetError();
}
break;
case 72 : nHasBulgeFlag = rDGR.GetI(); break;
@@ -690,8 +712,19 @@ void DXFHatchEntity::EvaluateGroup( DXFG
{
bIsInBoundaryPathContext = sal_True;
nBoundaryPathCount = rDGR.GetI();
- if ( nBoundaryPathCount )
- pBoundaryPathData = new DXFBoundaryPathData[
nBoundaryPathCount ];
+ if ( rDGR.GetStatus() && nBoundaryPathCount >= 0 )
+ {
+ try
+ {
+ pBoundaryPathData = new
DXFBoundaryPathData[ nBoundaryPathCount ];
+ }
+ catch (::std::bad_alloc)
+ {
+ rDGR.SetError();
+ }
+ }
+ else
+ rDGR.SetError();
}
break;
case 75 :
Modified: openoffice/trunk/main/filter/source/graphicfilter/idxf/dxfgrprd.cxx
URL:
http://svn.apache.org/viewvc/openoffice/trunk/main/filter/source/graphicfilter/idxf/dxfgrprd.cxx?rev=1812930&r1=1812929&r2=1812930&view=diff
==============================================================================
--- openoffice/trunk/main/filter/source/graphicfilter/idxf/dxfgrprd.cxx
(original)
+++ openoffice/trunk/main/filter/source/graphicfilter/idxf/dxfgrprd.cxx Sun Oct
22 16:47:12 2017
@@ -299,7 +299,6 @@ void DXFGroupReader::ReadLine(char * ptg
long DXFGroupReader::ReadI()
{
char sl[DXF_MAX_STRING_LEN+1],*p;
- long res,nv;
ReadLine(sl);
@@ -312,17 +311,23 @@ long DXFGroupReader::ReadI()
return 0;
}
+ char *start = p;
if (*p=='-') {
- nv=-1;
p++;
}
- else nv=1;
-
- res=0;
- do {
- res=res*10+(long)(*p-'0');
+ while (*p>='0' && *p<='9') {
p++;
- } while (*p>='0' && *p<='9');
+ }
+
+ char prev = *p;
+ *p = '\0';
+ char *end;
+ long res = strtol(start, &end, 10);
+ *p = prev;
+ if (end != p) {
+ bStatus=sal_False;
+ return 0;
+ }
while (*p==0x20) p++;
if (*p!=0) {
@@ -330,7 +335,7 @@ long DXFGroupReader::ReadI()
return 0;
}
- return res*nv;
+ return res;
}
