metsw24-max opened a new pull request, #1113: URL: https://github.com/apache/poi/pull/1113
**Unbounded dash array in EmfExtCreatePen** NumStyleEntries is read straight from the EMR_EXTCREATEPEN record and used as the length of the dash-pattern array with no cap, so a crafted metafile allocates an arbitrary float array, and a high-bit value goes negative once narrowed by the (int) cast. I added the same safelyAllocateCheck the sibling pen and poly decoders already use, so an oversize count raises RecordFormatException like the rest of the record. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
