vcl/source/filter/ipict/ipict.cxx |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

New commits:
commit facbf9d86aa76ac6292ff3725f2d1e9592eac385
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Thu Dec 9 09:25:38 2021 +0000
Commit:     Caolán McNamara <caol...@redhat.com>
CommitDate: Thu Dec 9 13:10:50 2021 +0100

    ofz#42082 OOM with embedded pict in ww6 document
    
    Change-Id: I2772e55c20d4f38d26bfe36250f4fd281d4713d6
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/126576
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caol...@redhat.com>

diff --git a/vcl/source/filter/ipict/ipict.cxx 
b/vcl/source/filter/ipict/ipict.cxx
index 148de01d4edd..0f8fd5ba0c3a 100644
--- a/vcl/source/filter/ipict/ipict.cxx
+++ b/vcl/source/filter/ipict/ipict.cxx
@@ -1146,7 +1146,7 @@ void PictReader::ReadHeader()
 
     char        sBuf[ 2 ];
     // previous code considers pPict->Tell() as the normal starting position,
-    // can we have nStartPos != 0 ?
+    // nStartPos can be != 0 f.e. a pict embedded in a microsoft word document
     sal_uInt64   nStartPos = pPict->Tell();
     // Standard:
     // a picture file begins by 512 bytes (reserved to the application) 
followed by the picture data
@@ -1184,7 +1184,7 @@ void PictReader::ReadHeader()
           nOffset = nStartPos+actPos*512;
         }
         else {
-          nOffset = 509+st; // illogical : more logical will be 
nStartPos+509+st or to consider that nStartPos=0
+          nOffset = nStartPos+509+st;
           // a small test to check if versionOp code exists after the bdbox ( 
with no extra NOP codes)
           pPict->Seek(nOffset+10);
           pPict->ReadBytes(sBuf, 2);
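Review bot: The probe that follows the corrected offset, `pPict->Seek(nOffset+10);` then `pPict->ReadBytes(sBuf, 2);`, is not checked in the visible lines, so on a truncated or hostile embedded pict `sBuf` could be inspected with stale or uninitialised bytes. Now that `nStartPos` is added, `nOffset+10` is also more likely to fall past the end of a short stream. Consider treating a failed seek or short read as "no version opcode here", for example with the condition `!checkSeek(*pPict, nOffset+10) || pPict->ReadBytes(sBuf, 2) != 2`. ReadHeader's body continues outside the hunk, so a later stream-state check may already cover this; if it does, a one-line comment here saying so would help the next reader.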
