src/lib/MSPUBParser.cpp | 3 +++
1 file changed, 3 insertions(+)
New commits:
commit 9960782d8f973afe29ae2bd11e490d9c13c773b3
Author: Caolán McNamara <[email protected]>
AuthorDate: Fri May 22 14:07:54 2026 +0000
Commit: Caolán McNamara <[email protected]>
CommitDate: Fri May 22 16:16:03 2026 +0200
clamp gradient numEntries by blob size in getNewFill
Clamp numEntries by (size - 6) / 8 first, matching the per-iteration
bounds checks in parseVertices and parseSegments.
Change-Id: I71c287e3672e5008077c28287badfc3da23a956f
Reviewed-on: https://gerrit.libreoffice.org/c/libmspub/+/205558
Tested-by: Caolán McNamara <[email protected]>
Reviewed-by: Caolán McNamara <[email protected]>
diff --git a/src/lib/MSPUBParser.cpp b/src/lib/MSPUBParser.cpp
index c8cc666..214d54c 100644
--- a/src/lib/MSPUBParser.cpp
+++ b/src/lib/MSPUBParser.cpp
@@ -2079,6 +2079,9 @@ std::shared_ptr<Fill> MSPUBParser::getNewFill(const
std::map<unsigned short, uns
{
unsigned short numEntries = gradientData[0] | (gradientData[1] << 8);
unsigned offs = 6;
+ const unsigned maxEntries = (gradientData.size() - offs) / 8;
+ if (numEntries > maxEntries)
+ numEntries = maxEntries;
for (unsigned i = 0; i < numEntries; ++i)
{
unsigned color = gradientData[offs] | (unsigned(gradientData[offs +
1]) << 8) | (unsigned(gradientData[offs + 2]) << 16) |
(unsigned(gradientData[offs + 3]) << 24);
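Review bot: The clamp on the first added line is itself unguarded: `gradientData.size() - offs` is an unsigned subtraction, so a blob shorter than 6 bytes wraps to a huge `maxEntries`, the `if` never fires, and the loop below still indexes `gradientData[offs]..[offs + 3]` past the end, since the visible loop body has no bounds check of its own. Unless getNewFill has already rejected blobs shorter than `offs` bytes before this point (the function starts outside the hunk, so that cannot be confirmed here), the subtraction needs a guard: `const unsigned maxEntries = gradientData.size() > offs ? (gradientData.size() - offs) / 8 : 0;`. A short comment on that line, `// each gradient entry is 8 bytes; cap the count so the loop never reads past the blob`, would also record why 8 is the divisor.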