src/lib/VSDParser.cpp | 42 ++++++++++++++++++++---------------------- 1 file changed, 20 insertions(+), 22 deletions(-)
New commits:
commit 85529f5490b7b5d8ec3e8231db3b5640bce58839
Author: David Tardon <dtar...@redhat.com>
Date: Sat Oct 21 16:12:06 2017 +0200
be explicit
Change-Id: I7b140fe35f32c96f51f21c67597a9e759cdca9e8
diff --git a/src/lib/VSDParser.cpp b/src/lib/VSDParser.cpp
index c6a996e..7ec88ae 100644
--- a/src/lib/VSDParser.cpp
+++ b/src/lib/VSDParser.cpp
@@ -22,18 +22,6 @@
 #include "VSDStylesCollector.h"
 #include "VSDMetaData.h"
-namespace
-{
-
-void sanitizeListLength(uint32_t &length, const std::size_t elem, librevenge::RVNGInputStream *const input)
-{
- const unsigned long maxLength = libvisio::getRemainingLength(input) / elem;
- if (length > maxLength)
- length = maxLength;
-}
-
-}
-
 libvisio::VSDParser::VSDParser(librevenge::RVNGInputStream *input, librevenge::RVNGDrawingInterface *painter, librevenge::RVNGInputStream *container) : m_input(input), m_painter(painter), m_container(container), m_header(), m_collector(nullptr), m_shapeList(), m_currentLevel(0), m_stencils(), m_currentStencil(nullptr), m_shape(), m_isStencilStarted(false), m_isInStyles(false),
@@ -824,7 +812,8 @@ void libvisio::VSDParser::readNameIDX(librevenge::RVNGInputStream *input)
 {
 std::map<unsigned, VSDName> names;
 unsigned recordCount = readU32(input);
- sanitizeListLength(recordCount, 13, input);
+ if (recordCount > getRemainingLength(input) / 13)
+ recordCount = getRemainingLength(input) / 13;
 for (unsigned i = 0; i < recordCount; ++i)
 {
 unsigned nameId = readU32(input);
@@ -1629,7 +1618,8 @@ void libvisio::VSDParser::readShapeData(librevenge::RVNGInputStream *input)
 unsigned char xType = readU8(input);
 unsigned char yType = readU8(input);
 unsigned pointCount = readU32(input);
- sanitizeListLength(pointCount, 16, input);
+ if (pointCount > getRemainingLength(input) / 16)
+ pointCount = getRemainingLength(input) / 16;
 for (unsigned i = 0; i < pointCount; i++)
 {
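Review bot: The clamp in readNameIDX now evaluates `getRemainingLength(input) / 13` twice, and the divisor is a bare literal that must match the bytes the loop below consumes per record — the invariant the deleted sanitizeListLength helper made visible through its `elem` parameter. Computing the bound once into a named local keeps the two reads of the stream length from diverging and gives the literal a home: `const auto maxRecords = getRemainingLength(input) / 13; // presumably the per-record byte size — confirm against the loop body` followed by `if (recordCount > maxRecords) recordCount = maxRecords;`. The same applies to the two readShapeData hunks (divisors 16 and 32) at -1629 and -1654, the latter starting on the next line. Since recordCount is read straight from the file, this bound is what keeps an oversized count from driving the loop past the end of the stream, so a one-line comment saying so at the clamp would help the next reader. readNameIDX's body continues beyond the hunk.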
@@ -1654,7 +1644,8 @@ void libvisio::VSDParser::readShapeData(librevenge::RVNGInputStream *input)
 unsigned char xType = readU8(input);
 unsigned char yType = readU8(input);
 unsigned pointCount = readU32(input);
- sanitizeListLength(pointCount, 32, input);
+ if (pointCount > getRemainingLength(input) / 32)
+ pointCount = getRemainingLength(input) / 32;
 std::vector<double> knotVector;
 std::vector<std::pair<double, double> > controlPoints;
commit a0694f22ddf9ba2fa8a33940ac4761d48b0eef46
Author: David Tardon <dtar...@redhat.com>
Date: Sat Oct 21 16:08:53 2017 +0200
check length, not number of elements
Regression since commit cf0303b0ca57d3f54aa50686d38aaa149c02d034 "oss-fuzz: avoid big allocations".
Change-Id: Ib0520513469d1de8c00085d1a86b9885b67873da
diff --git a/src/lib/VSDParser.cpp b/src/lib/VSDParser.cpp
index 69d3d56..c6a996e 100644
--- a/src/lib/VSDParser.cpp
+++ b/src/lib/VSDParser.cpp
@@ -946,7 +946,8 @@ void libvisio::VSDParser::readGeomList(librevenge::RVNGInputStream *input)
 uint32_t childrenListLength = readU32(input);
 input->seek(subHeaderLength, librevenge::RVNG_SEEK_CUR);
 std::vector<unsigned> geometryOrder;
- sanitizeListLength(childrenListLength, 4, input);
+ if (childrenListLength > getRemainingLength(input))
+ childrenListLength = getRemainingLength(input);
 geometryOrder.reserve(childrenListLength / sizeof(uint32_t));
 for (unsigned i = 0; i < (childrenListLength / sizeof(uint32_t)); i++)
 geometryOrder.push_back(readU32(input));
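Review bot: The new clamp in readGeomList compares a byte count with a byte count, which is the fix, but nothing at the call site records that `childrenListLength` is in bytes while the `reserve()` and loop bound two lines down divide it by `sizeof(uint32_t)` to get elements — exactly the unit confusion that produced the regression being fixed. A short comment such as `// childrenListLength is a byte length; cap it at what the stream can still supply before sizing the order vector` would make the next edit less likely to reintroduce it. getRemainingLength(input) is also evaluated twice; `const auto remaining = getRemainingLength(input);` followed by `if (childrenListLength > remaining) childrenListLength = remaining;` reads the stream position once. The same six-line pattern is repeated verbatim in the readCharList, readParaList, readTabsDataList, readLayerList, readShapeList and readFieldList hunks that follow, so a single length-clamping helper would be preferable to seven copies that must stay in sync. Each of these functions continues beyond its hunk.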
@@ -971,7 +972,8 @@ void libvisio::VSDParser::readCharList(librevenge::RVNGInputStream *input)
 uint32_t subHeaderLength = readU32(input);
 uint32_t childrenListLength = readU32(input);
 input->seek(subHeaderLength, librevenge::RVNG_SEEK_CUR);
- sanitizeListLength(childrenListLength, 4, input);
+ if (childrenListLength > getRemainingLength(input))
+ childrenListLength = getRemainingLength(input);
 std::vector<unsigned> characterOrder;
 characterOrder.reserve(childrenListLength / sizeof(uint32_t));
 for (unsigned i = 0; i < (childrenListLength / sizeof(uint32_t)); i++)
@@ -992,7 +994,8 @@ void libvisio::VSDParser::readParaList(librevenge::RVNGInputStream *input)
 uint32_t subHeaderLength = readU32(input);
 uint32_t childrenListLength = readU32(input);
 input->seek(subHeaderLength, librevenge::RVNG_SEEK_CUR);
- sanitizeListLength(childrenListLength, 4, input);
+ if (childrenListLength > getRemainingLength(input))
+ childrenListLength = getRemainingLength(input);
 std::vector<unsigned> paragraphOrder;
 paragraphOrder.reserve(childrenListLength / sizeof(uint32_t));
 for (unsigned i = 0; i < (childrenListLength / sizeof(uint32_t)); i++)
@@ -1017,7 +1020,8 @@ void libvisio::VSDParser::readTabsDataList(librevenge::RVNGInputStream *input)
 uint32_t subHeaderLength = readU32(input);
 uint32_t childrenListLength = readU32(input);
 input->seek(subHeaderLength, librevenge::RVNG_SEEK_CUR);
- sanitizeListLength(childrenListLength, 4, input);
+ if (childrenListLength > getRemainingLength(input))
+ childrenListLength = getRemainingLength(input);
 std::vector<unsigned> tabsOrder;
 tabsOrder.reserve(childrenListLength / sizeof(uint32_t));
 for (unsigned i = 0; i < (childrenListLength / sizeof(uint32_t)); i++)
@@ -1036,7 +1040,8 @@ void libvisio::VSDParser::readLayerList(librevenge::RVNGInputStream *input)
 uint32_t subHeaderLength = readU32(input);
 uint32_t childrenListLength = readU32(input);
 input->seek(subHeaderLength, librevenge::RVNG_SEEK_CUR);
- sanitizeListLength(childrenListLength, 4, input);
+ if (childrenListLength > getRemainingLength(input))
+ childrenListLength = getRemainingLength(input);
 std::vector<unsigned> layerOrder;
 layerOrder.reserve(childrenListLength / sizeof(uint32_t));
 for (unsigned i = 0; i < (childrenListLength / sizeof(uint32_t)); i++)
@@ -1210,7 +1215,8 @@ void libvisio::VSDParser::readShapeList(librevenge::RVNGInputStream *input)
 uint32_t subHeaderLength = readU32(input);
 uint32_t childrenListLength = readU32(input);
 input->seek(subHeaderLength, librevenge::RVNG_SEEK_CUR);
- sanitizeListLength(childrenListLength, sizeof(uint32_t), input);
+ if (childrenListLength > getRemainingLength(input))
+ childrenListLength = getRemainingLength(input);
 std::vector<unsigned> shapeOrder;
 shapeOrder.reserve(childrenListLength / sizeof(uint32_t));
 for (unsigned i = 0; i < (childrenListLength / sizeof(uint32_t)); i++)
@@ -1722,7 +1728,8 @@ void libvisio::VSDParser::readFieldList(librevenge::RVNGInputStream *input)
 uint32_t subHeaderLength = readU32(input);
 uint32_t childrenListLength = readU32(input);
 input->seek(subHeaderLength, librevenge::RVNG_SEEK_CUR);
- sanitizeListLength(childrenListLength, sizeof(uint32_t), input);
+ if (childrenListLength > getRemainingLength(input))
+ childrenListLength = getRemainingLength(input);
 std::vector<unsigned> fieldOrder;
 fieldOrder.reserve(childrenListLength / sizeof(uint32_t));
 for (unsigned i = 0; i < (childrenListLength / sizeof(uint32_t)); i++)
_______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits