filter/source/graphicfilter/ieps/ieps.cxx | 88 +++++++++++++++++------------- include/sal/log-areas.dox | 1 2 files changed, 52 insertions(+), 37 deletions(-)
New commits: commit 390c730b460054ec41e0ab1b807ea0c2bba4ecbd Author: Caolán McNamara <[email protected]> Date: Thu Jan 26 16:01:57 2017 +0000 ofz: tidy up eps preview import a) check that the remaining stream length is >= the 14 bytes that are unconditionally skipped b) make the initial security count the min of the arbitrary 100 and the remaining stream len less that 14 bytes c) tweak ImplGetNumber not to reduce nSecurityCount if its already 0 (cherry picked from commit 94ffb720b889c51665ebb789d84aee3b3bacb456) ofz: check eps seeks are sane and succeeded (cherry picked from commit f85fb724d52a0fff9c64365cd202ae8975492c05) ofz: check if the stream is able to meet the eps len claim before reading (cherry picked from commit e17a34e957c21a8cd2977b1b0e1c9a427c244aed) ofz: check if the stream is able to meet the eps len claim before reading (cherry picked from commit d1f31681623696e99b0bd9e98570cb1ebac518cc) make this a little more readable (cherry picked from commit cf06348d9d4be8b8460d202cebf0d995fd4f6abf) move deref inside (laughable) nSecurityCount check (cherry picked from commit 521723b1180a32c02a88ed47137d4242c06eaca7) Change-Id: Ifffa6d02d492affd578fb48007704457ad635b39 0eb45e1c1ffd91682ed0ce6a6a74eab54666d715 65407bffb67449e203b8ead23554a4e88387d214 440c7f38d6588c570a411f2a97c0164e5d7d646f 83b6b0bd636b639ce0892f22f216410ce79dee03 df9a83ffa80137967d8c77d7a9b5133529fc2858 Reviewed-on: https://gerrit.libreoffice.org/33635 Tested-by: Jenkins <[email protected]> Reviewed-by: Miklos Vajna <[email protected]> diff --git a/filter/source/graphicfilter/ieps/ieps.cxx b/filter/source/graphicfilter/ieps/ieps.cxx index ef132bb..a62c15a 100644 --- a/filter/source/graphicfilter/ieps/ieps.cxx +++ b/filter/source/graphicfilter/ieps/ieps.cxx @@ -69,17 +69,19 @@ static sal_uInt8* ImplSearchEntry( sal_uInt8* pSource, sal_uInt8 const * pDest, // SecurityCount is the buffersize of the buffer in which we will parse for a number -static long ImplGetNumber( sal_uInt8 **pBuf, sal_uInt32& nSecurityCount ) +static long ImplGetNumber(sal_uInt8* &rBuf, sal_uInt32& nSecurityCount) { bool bValid = true; bool bNegative = false; long nRetValue = 0; - while ( ( --nSecurityCount ) && ( ( **pBuf == ' ' ) || ( **pBuf == 0x9 ) ) ) - (*pBuf)++; - sal_uInt8 nByte = **pBuf; - while ( nSecurityCount && ( nByte != ' ' ) && ( nByte != 0x9 ) && ( nByte != 0xd ) && ( nByte != 0xa ) ) + while (nSecurityCount && (*rBuf == ' ' || *rBuf == 0x9)) { - switch ( nByte ) + ++rBuf; + --nSecurityCount; + } + while ( nSecurityCount && ( *rBuf != ' ' ) && ( *rBuf != 0x9 ) && ( *rBuf != 0xd ) && ( *rBuf != 0xa ) ) + { + switch ( *rBuf ) { case '.' : // we'll only use the integer format @@ -89,17 +91,17 @@ static long ImplGetNumber( sal_uInt8 **pBuf, sal_uInt32& nSecurityCount ) bNegative = true; break; default : - if ( ( nByte < '0' ) || ( nByte > '9' ) ) + if ( ( *rBuf < '0' ) || ( *rBuf > '9' ) ) nSecurityCount = 1; // error parsing the bounding box values else if ( bValid ) { nRetValue *= 10; - nRetValue += nByte - '0'; + nRetValue += *rBuf - '0'; } break; } nSecurityCount--; - nByte = *(++(*pBuf)); + ++rBuf; } if ( bNegative ) nRetValue = -nRetValue; @@ -399,6 +401,15 @@ static bool RenderAsBMP(const sal_uInt8* pBuf, sal_uInt32 nBytesRead, Graphic &r return RenderAsBMPThroughConvert(pBuf, nBytesRead, rGraphic); } +namespace +{ + bool checkSeek(SvStream &rSt, sal_uInt32 nOffset) + { + const sal_uInt64 nMaxSeek(rSt.Tell() + rSt.remainingSize()); + return (nOffset <= nMaxSeek && rSt.Seek(nOffset) == nOffset); + } +} + // this method adds a replacement action containing the original wmf or tiff replacement, // so the original eps can be written when storing to ODF. void CreateMtfReplacementAction( GDIMetaFile& rMtf, SvStream& rStrm, sal_uInt32 nOrigPos, sal_uInt32 nPSSize, @@ -416,19 +427,17 @@ void CreateMtfReplacementAction( GDIMetaFile& rMtf, SvStream& rStrm, sal_uInt32 aReplacement.WriteUInt32( nMagic ).WriteUInt32( nPPos ).WriteUInt32( nPSSize ) .WriteUInt32( nWPos ).WriteUInt32( nSizeWMF ) .WriteUInt32( nTPos ).WriteUInt32( nSizeTIFF ); - if ( nSizeWMF ) + if (nSizeWMF && checkSeek(rStrm, nOrigPos + nPosWMF) && rStrm.remainingSize() >= nSizeWMF) { std::unique_ptr<sal_uInt8[]> pBuf(new sal_uInt8[ nSizeWMF ]); - rStrm.Seek( nOrigPos + nPosWMF ); - rStrm.Read( pBuf.get(), nSizeWMF ); - aReplacement.Write( pBuf.get(), nSizeWMF ); + rStrm.Read(pBuf.get(), nSizeWMF); + aReplacement.Write(pBuf.get(), nSizeWMF); } - if ( nSizeTIFF ) + if (nSizeTIFF && checkSeek(rStrm, nOrigPos + nPosTIFF) && rStrm.remainingSize() >= nSizeTIFF) { std::unique_ptr<sal_uInt8[]> pBuf(new sal_uInt8[ nSizeTIFF ]); - rStrm.Seek( nOrigPos + nPosTIFF ); - rStrm.Read( pBuf.get(), nSizeTIFF ); - aReplacement.Write( pBuf.get(), nSizeTIFF ); + rStrm.Read(pBuf.get(), nSizeTIFF); + aReplacement.Write(pBuf.get(), nSizeTIFF); } rMtf.AddAction( static_cast<MetaAction*>( new MetaCommentAction( aComment, 0, static_cast<const sal_uInt8*>(aReplacement.GetData()), aReplacement.Tell() ) ) ); } @@ -504,7 +513,7 @@ void MakePreview(sal_uInt8* pBuf, sal_uInt32 nBytesRead, { pDest += 16; sal_uInt32 nCount = 4; - long nNumber = ImplGetNumber( &pDest, nCount ); + long nNumber = ImplGetNumber(pDest, nCount); if ( nCount && ( (sal_uInt32)nNumber < 10 ) ) { aString += " LanguageLevel:" + OUString::number( nNumber ); @@ -519,7 +528,6 @@ void MakePreview(sal_uInt8* pBuf, sal_uInt32 nBytesRead, rGraphic = aMtf; } - //================== GraphicImport - the exported function ================ @@ -532,7 +540,7 @@ ipsGraphicImport( SvStream & rStream, Graphic & rGraphic, FilterConfigItem* ) Graphic aGraphic; bool bRetValue = false; bool bHasPreview = false; - sal_uInt32 nSignature, nPSStreamPos, nPSSize; + sal_uInt32 nSignature = 0, nPSStreamPos, nPSSize = 0; sal_uInt32 nSizeWMF = 0; sal_uInt32 nPosWMF = 0; sal_uInt32 nSizeTIFF = 0; @@ -549,10 +557,9 @@ ipsGraphicImport( SvStream & rStream, Graphic & rGraphic, FilterConfigItem* ) if ( nSizeWMF ) { - if ( nPosWMF != 0 ) + if (nPosWMF && checkSeek(rStream, nOrigPos + nPosWMF)) { - rStream.Seek( nOrigPos + nPosWMF ); - if ( GraphicConverter::Import( rStream, aGraphic, ConvertDataFormat::WMF ) == ERRCODE_NONE ) + if (GraphicConverter::Import(rStream, aGraphic, ConvertDataFormat::WMF) == ERRCODE_NONE) bHasPreview = bRetValue = true; } } @@ -562,9 +569,8 @@ ipsGraphicImport( SvStream & rStream, Graphic & rGraphic, FilterConfigItem* ) // else we have to get the tiff grafix - if ( nPosTIFF && nSizeTIFF ) + if (nPosTIFF && nSizeTIFF && checkSeek(rStream, nOrigPos + nPosTIFF)) { - rStream.Seek( nOrigPos + nPosTIFF ); if ( GraphicConverter::Import( rStream, aGraphic, ConvertDataFormat::TIF ) == ERRCODE_NONE ) { MakeAsMeta(aGraphic); @@ -579,13 +585,20 @@ ipsGraphicImport( SvStream & rStream, Graphic & rGraphic, FilterConfigItem* ) nPSStreamPos = nOrigPos; // no preview available _>so we must get the size manually nPSSize = rStream.Seek( STREAM_SEEK_TO_END ) - nOrigPos; } + std::unique_ptr<sal_uInt8[]> pHeader( new sal_uInt8[ 22 ] ); rStream.Seek( nPSStreamPos ); - rStream.Read( pHeader.get(), 22 ); // check PostScript header - if ( ImplSearchEntry( pHeader.get(), reinterpret_cast<sal_uInt8 const *>("%!PS-Adobe"), 10, 10 ) && - ImplSearchEntry( &pHeader[ 15 ], reinterpret_cast<sal_uInt8 const *>("EPS"), 3, 3 ) ) + rStream.Read(pHeader.get(), 22); // check PostScript header + bool bOk = ImplSearchEntry(pHeader.get(), reinterpret_cast<sal_uInt8 const *>("%!PS-Adobe"), 10, 10) && + ImplSearchEntry(&pHeader[ 15 ], reinterpret_cast<sal_uInt8 const *>("EPS"), 3, 3); + if (bOk) + { + rStream.Seek(nPSStreamPos); + bOk = rStream.remainingSize() >= nPSSize; + SAL_WARN_IF(!bOk, "filter.eps", "eps claims to be: " << nPSSize << " in size, but only " << rStream.remainingSize() << " remains"); + } + if (bOk) { - rStream.Seek( nPSStreamPos ); std::unique_ptr<sal_uInt8[]> pBuf( new sal_uInt8[ nPSSize ] ); sal_uInt32 nBufStartPos = rStream.Tell(); @@ -601,10 +614,10 @@ ipsGraphicImport( SvStream & rStream, Graphic & rGraphic, FilterConfigItem* ) if ( pDest ) { pDest += 15; - long nWidth = ImplGetNumber( &pDest, nSecurityCount ); - long nHeight = ImplGetNumber( &pDest, nSecurityCount ); - long nBitDepth = ImplGetNumber( &pDest, nSecurityCount ); - long nScanLines = ImplGetNumber( &pDest, nSecurityCount ); + long nWidth = ImplGetNumber(pDest, nSecurityCount); + long nHeight = ImplGetNumber(pDest, nSecurityCount); + long nBitDepth = ImplGetNumber(pDest, nSecurityCount); + long nScanLines = ImplGetNumber(pDest, nSecurityCount); pDest = ImplSearchEntry( pDest, reinterpret_cast<sal_uInt8 const *>("%"), 16, 1 ); // go to the first Scanline if ( nSecurityCount && pDest && nWidth && nHeight && ( ( nBitDepth == 1 ) || ( nBitDepth == 8 ) ) && nScanLines ) { @@ -698,15 +711,16 @@ ipsGraphicImport( SvStream & rStream, Graphic & rGraphic, FilterConfigItem* ) } sal_uInt8* pDest = ImplSearchEntry( pBuf.get(), reinterpret_cast<sal_uInt8 const *>("%%BoundingBox:"), nBytesRead, 14 ); - if ( pDest ) + sal_uInt32 nRemainingBytes = pDest ? (nBytesRead - (pDest - pBuf.get())) : 0; + if (nRemainingBytes >= 14) { - nSecurityCount = 100; + pDest += 14; + nSecurityCount = std::min<sal_uInt32>(nRemainingBytes - 14, 100); long nNumb[4]; nNumb[0] = nNumb[1] = nNumb[2] = nNumb[3] = 0; - pDest += 14; for ( int i = 0; ( i < 4 ) && nSecurityCount; i++ ) { - nNumb[ i ] = ImplGetNumber( &pDest, nSecurityCount ); + nNumb[ i ] = ImplGetNumber(pDest, nSecurityCount); } if ( nSecurityCount) { diff --git a/include/sal/log-areas.dox b/include/sal/log-areas.dox index 06da4f8..ad22ad7 100644 --- a/include/sal/log-areas.dox +++ b/include/sal/log-areas.dox @@ -198,6 +198,7 @@ certain functionality. @section Filter @li @c filter.config +@li @c filter.eps @li @c filter.ms - escher import/export @li @c filter.odfflatxml @li @c filter.os2met
_______________________________________________ Libreoffice-commits mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
