src/lib/CDRParser.cpp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
New commits: commit c4dafb3c13a33da18fb2d77f28329d1181f51d98 Author: Caolán McNamara <[email protected]> AuthorDate: Fri May 22 20:41:22 2026 +0000 Commit: Caolán McNamara <[email protected]> CommitDate: Sat May 23 16:07:55 2026 +0200 refuse cmpr chunk whose header consumed more bytes than declared refuse chunk header consuming more bytes than length Change-Id: I5727f985e6aea0571b1625991ff145c550ed7a42 Reviewed-on: https://gerrit.libreoffice.org/c/libcdr/+/205580 Tested-by: Caolán McNamara <[email protected]> Reviewed-by: Caolán McNamara <[email protected]>
diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp
index 6c38141..c58251e 100644
--- a/src/lib/CDRParser.cpp
+++ b/src/lib/CDRParser.cpp
@@ -652,8 +652,11 @@ bool libcdr::CDRParser::parseRecord(librevenge::RVNGInputStream *input, const st
 }
 else
 {
+ const long here = input->tell();
+ if (here < 0 || static_cast<unsigned long>(here) > length + position)
+ return false;
 std::vector<unsigned> tmpBlockLengths;
- unsigned long blocksLength = length + position - input->tell();
+ unsigned long blocksLength = length + position - here;
 CDRInternalStream tmpBlocksStream(input, blocksLength, compressed);
 while (!tmpBlocksStream.isEnd())
 tmpBlockLengths.push_back(readU32(&tmpBlocksStream));
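Review bot: The added guard trusts `length + position` as the record end, but that sum is unchecked and is computed a second time for `blocksLength`. The declarations of `length` and `position` are outside the hunk; if both are `unsigned long` and `length` is read from the file, the addition can wrap on targets where `unsigned long` is 32 bits, so the comparison no longer tests the real bound. Computing the end once and rejecting a wrapped sum closes that: `const unsigned long end = length + position;`, then `if (end < position || here < 0 || static_cast<unsigned long>(here) > end) return false;` and `unsigned long blocksLength = end - here;`. The check only bounds `blocksLength` from below, so confirm that `CDRInternalStream` clamps a large declared length to the bytes actually left in `input`. A short comment above the guard, such as `// header already read past the declared chunk end; the subtraction below would wrap`, would explain why the record is refused; parseRecord's body starts and ends outside the hunk.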
