vcl/source/gdi/lineinfo.cxx |   21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

New commits:
commit 3f25abc0cd2d2f6da828b030a191b6787a682a51
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Wed Mar 23 10:35:02 2022 +0000
Commit:     Caolán McNamara <caol...@redhat.com>
CommitDate: Wed Mar 23 13:36:00 2022 +0100

    ofz#45583 Integer-overflow
    
    don't allow massive doubles to be loaded
    
    Change-Id: Ib7fddd40728a05358adddddf6b1ddc417b36872a
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131968
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caol...@redhat.com>

diff --git a/vcl/source/gdi/lineinfo.cxx b/vcl/source/gdi/lineinfo.cxx
index 85e7c041943e..1267623c0f19 100644
--- a/vcl/source/gdi/lineinfo.cxx
+++ b/vcl/source/gdi/lineinfo.cxx
@@ -17,6 +17,7 @@
  *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
  */
 
+#include <sal/log.hxx>
 #include <tools/stream.hxx>
 #include <tools/vcompat.hxx>
 #include <vcl/lineinfo.hxx>
@@ -126,6 +127,18 @@ bool LineInfo::IsDefault() const
         && ( css::drawing::LineCap_BUTT == mpImplLineInfo->meLineCap));
 }
 
+static void ReadLimitedDouble(SvStream& rIStm, double &fDest)
+{
+    double fTmp(0.0);
+    rIStm.ReadDouble(fTmp);
+    if (fTmp < std::numeric_limits<sal_Int32>::min() || fTmp > 
std::numeric_limits<sal_Int32>::max())
+    {
+        SAL_WARN("vcl", "Parsing error: double too large: " << fTmp);
+        return;
+    }
+    fDest = fTmp;
+}
+
 SvStream& ReadLineInfo( SvStream& rIStm, LineInfo& rLineInfo )
 {
     VersionCompatRead aCompat( rIStm );
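Review bot: A NaN read from the stream passes the range check in `ReadLimitedDouble`, because both `fTmp < min` and `fTmp > max` are false for NaN, so it is still stored in `fDest`. If the point of the helper is to keep later double-to-integer conversions defined, the test should be written so that NaN fails it: `if (!(fTmp >= std::numeric_limits<sal_Int32>::min() && fTmp <= std::numeric_limits<sal_Int32>::max()))`. The helper also never looks at the stream state after `ReadDouble`, so on a truncated stream `fDest` is presumably overwritten with the `0.0` initialiser instead of keeping its previous value; checking `rIStm.good()` before assigning would avoid that. `std::numeric_limits` is used with no `#include <limits>` visible in the first hunk, so it may only be available transitively.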
@@ -165,10 +178,10 @@ SvStream& ReadLineInfo( SvStream& rIStm, LineInfo& 
rLineInfo )
     if( aCompat.GetVersion() >= 5 )
     {
         // version 5
-        rIStm.ReadDouble( rLineInfo.mpImplLineInfo->mnWidth );
-        rIStm.ReadDouble( rLineInfo.mpImplLineInfo->mnDashLen );
-        rIStm.ReadDouble( rLineInfo.mpImplLineInfo->mnDotLen );
-        rIStm.ReadDouble( rLineInfo.mpImplLineInfo->mnDistance );
+        ReadLimitedDouble(rIStm, rLineInfo.mpImplLineInfo->mnWidth);
+        ReadLimitedDouble(rIStm, rLineInfo.mpImplLineInfo->mnDashLen);
+        ReadLimitedDouble(rIStm, rLineInfo.mpImplLineInfo->mnDotLen);
+        ReadLimitedDouble(rIStm, rLineInfo.mpImplLineInfo->mnDistance);
     }
 
     return rIStm;
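Review bot: When one of these four version-5 fields is rejected, `ReadLineInfo` carries on with the value the member already held and the stream is not flagged, so the caller cannot tell a damaged record from a valid one. If that fallback is intended, it deserves a comment at the call site such as `// out-of-range values are dropped; the field keeps its prior value`; otherwise consider marking the stream as failed when the helper rejects a value. The body of `ReadLineInfo` starts outside this hunk, so whether earlier fields get similar treatment is not visible here.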
