vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-1.wmf |binary vcl/source/filter/wmf/winwmf.cxx | 10 +++++++--- 2 files changed, 7 insertions(+), 3 deletions(-)
New commits: commit dcc1159192182f76891625c96b1edc601d4193f8 Author: Caolán McNamara <caol...@redhat.com> Date: Fri Jul 10 08:40:42 2015 +0100 avoid endless loop with busted wmf Change-Id: I104de360f2e861e959ad2dad434a768440877f6f (cherry picked from commit fd2749455fe25e24b448a44f9ada6113e5ac0d13) Reviewed-on: https://gerrit.libreoffice.org/16914 Reviewed-by: Michael Meeks <michael.me...@collabora.com> Tested-by: Michael Meeks <michael.me...@collabora.com> (cherry picked from commit 55486cf648813bc0c46eaf0df2f0544a5d57ccb2) Reviewed-on: https://gerrit.libreoffice.org/16993 Reviewed-by: David Tardon <dtar...@redhat.com> Reviewed-by: Eike Rathke <er...@redhat.com> Reviewed-by: Caolán McNamara <caol...@redhat.com> Tested-by: Caolán McNamara <caol...@redhat.com>
diff --git a/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-1.wmf b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-1.wmf
new file mode 100644
index 0000000..7ba05cb
Binary files /dev/null and b/vcl/qa/cppunit/graphicfilter/data/wmf/fail/hang-1.wmf differ
diff --git a/vcl/source/filter/wmf/winwmf.cxx b/vcl/source/filter/wmf/winwmf.cxx
index c7d1315..5e25949 100644
--- a/vcl/source/filter/wmf/winwmf.cxx
+++ b/vcl/source/filter/wmf/winwmf.cxx
@@ -1394,9 +1394,13 @@ void WMFReader::ReadWMF()
 }
 }
 }
- nPos += nRecSize * 2;
- if ( nPos <= nEndPos )
- pWMF->Seek( nPos );
+ const sal_uInt32 nAvailableBytes = nEndPos - nPos;
+ const sal_uInt32 nMaxPossibleRecordSize = nAvailableBytes/2;
+ if (nRecSize <= nMaxPossibleRecordSize)
+ {
+ nPos += nRecSize * 2;
+ pWMF->Seek(nPos);
+ }
 else
 pWMF->SetError( SVSTREAM_FILEFORMAT_ERROR );
 }
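Review bot: The subtraction `nEndPos - nPos` in the added `nAvailableBytes` line is unsigned, so if `nPos` can ever exceed `nEndPos` it wraps to a very large value and the `nRecSize <= nMaxPossibleRecordSize` test then accepts any record size from the file. Nothing in the hunk establishes `nPos <= nEndPos` at this point (the loop and the rest of `WMFReader::ReadWMF()` lie outside it), so the invariant is worth making explicit: `const sal_uInt32 nAvailableBytes = nPos <= nEndPos ? nEndPos - nPos : 0;`. Whether `nRecSize == 0` is rejected earlier is likewise not visible here; if it is not, the accepting branch seeks without advancing, which is the hang this commit is meant to prevent. A short comment such as `// compare in nRecSize units (2 bytes each) so nRecSize * 2 cannot wrap on a crafted size` would record why the check divides instead of multiplying.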