vcl/qa/cppunit/graphicfilter/data/emf/fail/crash-3.emf |binary vcl/source/filter/wmf/enhwmf.cxx | 4 +++- 2 files changed, 3 insertions(+), 1 deletion(-)
New commits: commit 5b8ec42cd7d09291c0662aacbaaa507eafda1ea4 Author: Caolán McNamara <caol...@redhat.com> Date: Mon Jul 13 20:44:16 2015 +0100 fix a third emf crash Change-Id: I3b5d0daf05e3272d2afa0da84ff0b1f8d5c965a4 (cherry picked from commit 173fd90387e8bb7f33c2608628f12c7f772f0277) Reviewed-on: https://gerrit.libreoffice.org/17023 Reviewed-by: David Tardon <dtar...@redhat.com> Tested-by: David Tardon <dtar...@redhat.com> diff --git a/vcl/qa/cppunit/graphicfilter/data/emf/fail/crash-3.emf b/vcl/qa/cppunit/graphicfilter/data/emf/fail/crash-3.emf new file mode 100644 index 0000000..92da5f0 Binary files /dev/null and b/vcl/qa/cppunit/graphicfilter/data/emf/fail/crash-3.emf differ diff --git a/vcl/source/filter/wmf/enhwmf.cxx b/vcl/source/filter/wmf/enhwmf.cxx index 553f871..63e4104 100644 --- a/vcl/source/filter/wmf/enhwmf.cxx +++ b/vcl/source/filter/wmf/enhwmf.cxx @@ -1425,7 +1425,9 @@ bool EnhWMFReader::ReadEnhWMF() DBG_ASSERT( ( nOptions & ( ETO_PDY | ETO_GLYPH_INDEX ) ) == 0, "SJ: ETO_PDY || ETO_GLYPH_INDEX in EMF" ); Point aPos( ptlReferenceX, ptlReferenceY ); - if ( nLen > 0 && nLen < static_cast<sal_Int32>( SAL_MAX_UINT32 / sizeof(sal_Int32) ) ) + bool bLenSane = nLen > 0 && nLen < static_cast<sal_Int32>( SAL_MAX_UINT32 / sizeof(sal_Int32) ); + bool bOffStringSane = nOffString <= nEndPos - nCurPos; + if (bLenSane && bOffStringSane) { if ( offDx && (( nCurPos + offDx + nLen * 4 ) <= nNextPos ) ) {
_______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice-commits