src/lib/CMXParser.cpp |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

New commits:
commit 6568138767bcb1fe88c6331389d1d2dc2757780a
Author: David Tardon <dtar...@redhat.com>
Date:   Fri Jan 19 13:38:24 2018 +0100

    ofz#3494 use correct tag offset for seek
    
    Change-Id: Ic0fc8fc9d10c2a0fb14fb5b0388ba8cfe5c68463

diff --git a/src/lib/CMXParser.cpp b/src/lib/CMXParser.cpp
index a10a643..14137e5 100644
--- a/src/lib/CMXParser.cpp
+++ b/src/lib/CMXParser.cpp
@@ -1373,11 +1373,11 @@ bool 
libcdr::CMXParser::readFill(librevenge::RVNGInputStream *input)
         {
         case CMX_Tag_RenderAttr_FillSpec_Texture:
         {
-          long subStartOffset = input->tell();
           unsigned char subTagId = 0;
           unsigned short subTagLength = 0;
           do
           {
+            long subStartOffset = input->tell();
             subTagId = readU8(input, m_bigEndian);
             if (subTagId == CMX_Tag_EndTag)
               break;
commit 9d1b9ec71a91fc8f3450c58937cd3fd76e6cb68e
Author: David Tardon <dtar...@redhat.com>
Date:   Fri Jan 19 13:19:39 2018 +0100

    fix seek to the next tag
    
    The old code would use the length of the _preceding_ tag to determine
    the offset of the next tag. At best, it would just read the first tag in
    the sequence twice (the initial length is 0, so after reading the first
    tag, it would seek back to it).
    
    Change-Id: Ic10a2246a02bd27832b1c6aa478e43f40a6ef9d3

diff --git a/src/lib/CMXParser.cpp b/src/lib/CMXParser.cpp
index 03287cb..a10a643 100644
--- a/src/lib/CMXParser.cpp
+++ b/src/lib/CMXParser.cpp
@@ -1652,7 +1652,7 @@ void 
libcdr::CMXParser::readJumpAbsolute(librevenge::RVNGInputStream *input)
     unsigned short tagLength = 0;
     do
     {
-      long endOffset = input->tell() + tagLength;
+      long offset = input->tell();
       tagId = readU8(input, m_bigEndian);
       if (tagId == CMX_Tag_EndTag)
       {
@@ -1668,7 +1668,7 @@ void 
libcdr::CMXParser::readJumpAbsolute(librevenge::RVNGInputStream *input)
       default:
         break;
       }
-      input->seek(endOffset, librevenge::RVNG_SEEK_SET);
+      input->seek(offset + tagLength, librevenge::RVNG_SEEK_SET);
     }
     while (tagId != CMX_Tag_EndTag);
   }
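Review bot: The seek on the changed line, `input->seek(offset + tagLength, librevenge::RVNG_SEEK_SET);`, still trusts a length read from the file, and a non-end tag whose declared length is smaller than its own header makes the loop re-read the same tag forever: with `tagLength == 0` the seek lands back on `offset`, the next iteration reads the same `tagId`, and `while (tagId != CMX_Tag_EndTag)` never becomes false, so a malformed CMX file hangs the parser instead of being rejected. The length is presumably read from the stream between the two hunks; directly after that read I would add `if (offset + tagLength < input->tell()) break;` so that every iteration makes forward progress (a tag whose declared end lies before the bytes already consumed for its header is malformed). The sub-tag loop in readFill from commit ofz#3494 above has the same shape, with `subStartOffset` and `subTagLength`; its seek lies outside that hunk but deserves the same guard. readJumpAbsolute's body starts before the first hunk.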
commit 8e60690a1e5e2c5eb3a644f093176f9ba9ac3293
Author: David Tardon <dtar...@redhat.com>
Date:   Fri Jan 19 13:02:58 2018 +0100

    ofz#5454 fix stack overflow
    
    Change-Id: I8db432d1338d50d36a60a6a85612088a5d65b359

diff --git a/src/lib/CMXParser.cpp b/src/lib/CMXParser.cpp
index 33aa40a..03287cb 100644
--- a/src/lib/CMXParser.cpp
+++ b/src/lib/CMXParser.cpp
@@ -123,6 +123,8 @@ bool 
libcdr::CMXParser::parseRecord(librevenge::RVNGInputStream *input, unsigned
 
     if (fourCC == CDR_FOURCC_RIFF || fourCC == CDR_FOURCC_RIFX || fourCC == 
CDR_FOURCC_LIST)
     {
+      if (length < 4)
+        return false;
 #ifdef DEBUG
       unsigned listType = readU32(input, m_bigEndian);
 #else
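Review bot: The new `if (length < 4) return false;` carries no comment saying what the 4 stands for; a reader has to connect it to the 4-byte `listType` read that follows and, presumably, to a `length - 4` computed later for the payload, which would wrap if `length` is the `unsigned` parameter cut off in the hunk header. I would annotate it as `// the list-type fourCC occupies 4 bytes of the payload; a shorter record is malformed`. If parseRecord recurses into nested LIST records (the recursion is outside the hunk), this check only guarantees that each level consumes at least 4 bytes, so the recursion depth is still proportional to the input size; an explicit nesting-depth limit would make the stack bound independent of the file. The function's body starts before and continues after the hunk.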