[Libreoffice-commits] core.git: drawinglayer/source
drawinglayer/source/primitive2d/textlayoutdevice.cxx |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
New commits:
commit ab4bae2265f6f5ee52baf8db106c77eefd0bd159
Author: zhutyra
AuthorDate: Fri Mar 4 11:34:01 2022 +
Commit: Caolán McNamara
CommitDate: Fri Mar 4 13:46:02 2022 +0100
the assumption is that aArray.size() matches the Length argument
LIBREOFFICE-OWMTGGWJ
Change-Id: I68dfcb0dcbb401c62d4e29f9ab6e4ee1ebc7f072
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130973
Tested-by: Jenkins
Reviewed-by: Caolán McNamara
diff --git a/drawinglayer/source/primitive2d/textlayoutdevice.cxx
b/drawinglayer/source/primitive2d/textlayoutdevice.cxx
index 60370e722941..f70f9f63b81d 100644
--- a/drawinglayer/source/primitive2d/textlayoutdevice.cxx
+++ b/drawinglayer/source/primitive2d/textlayoutdevice.cxx
@@ -309,7 +309,7 @@ std::vector TextLayouterDevice::getTextArray(const
OUString& rText, sal_
{
aRetval.reserve(nTextLength);
std::vector aArray(nTextLength);
-mrDevice.GetTextArray(rText, , nIndex, nLength);
+mrDevice.GetTextArray(rText, , nIndex, nTextLength);
aRetval.assign(aArray.begin(), aArray.end());
}
@@ -332,7 +332,7 @@ std::vector
TextLayouterDevice::getCaretPositions(const OUString& rText,
{
aRetval.reserve(2 * nTextLength);
std::vector aArray(2 * nTextLength);
-mrDevice.GetCaretPositions(rText, aArray.data(), nIndex, nLength);
+mrDevice.GetCaretPositions(rText, aArray.data(), nIndex, nTextLength);
aRetval.assign(aArray.begin(), aArray.end());
}
[Libreoffice-commits] core.git: vcl/source
vcl/source/filter/svm/SvmConverter.cxx | 22 +++---
1 file changed, 19 insertions(+), 3 deletions(-)
New commits:
commit b279061b97e53b0730bdd463b3287c82075f1538
Author: zhutyra
AuthorDate: Fri Mar 4 10:38:50 2022 +
Commit: Caolán McNamara
CommitDate: Fri Mar 4 13:36:21 2022 +0100
clamp svm1 text ranges to legal range on conversion
LIBREOFFICE-OWMTGGWJ
Change-Id: Ief2770fd8dc48be9f1f102b709a1c3be0165b195
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130970
Tested-by: Jenkins
Reviewed-by: Caolán McNamara
diff --git a/vcl/source/filter/svm/SvmConverter.cxx
b/vcl/source/filter/svm/SvmConverter.cxx
index 30f3048f3792..189be4b7a398 100644
--- a/vcl/source/filter/svm/SvmConverter.cxx
+++ b/vcl/source/filter/svm/SvmConverter.cxx
@@ -248,6 +248,19 @@ namespace
nFollowingActionCount = remainingActions;
return std::min(remainingActions, nFollowingActionCount);
}
+
+bool NormalizeRange(const OUString& rStr, sal_Int32& rIndex, sal_Int32&
rLength,
+std::vector* pDXAry = nullptr)
+{
+const sal_uInt32 nStrLength = rStr.getLength();
+rIndex = std::min(rIndex, nStrLength);
+rLength = std::min(rLength, nStrLength - rIndex);
+if (pDXAry && pDXAry->size() > o3tl::make_unsigned(rLength))
+{
+pDXAry->resize(rLength);
+}
+return rLength > 0;
+}
}
#define LF_FACESIZE 32
@@ -691,7 +704,8 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm,
GDIMetaFile& rMtf )
OUString aStr(OStringToOUString(aByteStr, eActualCharSet));
if ( nUnicodeCommentActionNumber == i )
ImplReadUnicodeComment( nUnicodeCommentStreamPos,
rIStm, aStr );
-rMtf.AddAction( new MetaTextAction( aPt, aStr, nIndex,
nLen ) );
+if (NormalizeRange(aStr, nIndex, nLen))
+rMtf.AddAction( new MetaTextAction( aPt, aStr, nIndex,
nLen ) );
}
if (nActionSize < 24)
@@ -780,7 +794,8 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm,
GDIMetaFile& rMtf )
}
if ( nUnicodeCommentActionNumber == i )
ImplReadUnicodeComment( nUnicodeCommentStreamPos,
rIStm, aStr );
-rMtf.AddAction( new MetaTextArrayAction( aPt, aStr,
aDXAry, nIndex, nLen ) );
+if (NormalizeRange(aStr, nIndex, nLen, ))
+rMtf.AddAction( new MetaTextArrayAction( aPt, aStr,
aDXAry, nIndex, nLen ) );
}
if (nActionSize < 24)
@@ -806,7 +821,8 @@ void SVMConverter::ImplConvertFromSVM1( SvStream& rIStm,
GDIMetaFile& rMtf )
OUString aStr(OStringToOUString(aByteStr, eActualCharSet));
if ( nUnicodeCommentActionNumber == i )
ImplReadUnicodeComment( nUnicodeCommentStreamPos,
rIStm, aStr );
-rMtf.AddAction( new MetaStretchTextAction( aPt, nWidth,
aStr, nIndex, nLen ) );
+if (NormalizeRange(aStr, nIndex, nLen))
+rMtf.AddAction( new MetaStretchTextAction( aPt,
nWidth, aStr, nIndex, nLen ) );
}
if (nActionSize < 28)
[Libreoffice-commits] core.git: sw/source
sw/source/filter/ww8/wrtw8sty.cxx |9 +
1 file changed, 5 insertions(+), 4 deletions(-)
New commits:
commit 9d5005ac7bb27fb336bc4b593936fe2230b23eac
Author: zhutyra
AuthorDate: Thu Feb 10 20:36:15 2022 +
Commit: Caolán McNamara
CommitDate: Fri Feb 11 17:00:36 2022 +0100
limit style export to words max style count
LIBREOFFICE-U78X8I5G
Change-Id: I436b4c13a4ce07f5e9e5d374163bc4de55cd2cde
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129803
Tested-by: Jenkins
Reviewed-by: Caolán McNamara
diff --git a/sw/source/filter/ww8/wrtw8sty.cxx
b/sw/source/filter/ww8/wrtw8sty.cxx
index 3df6787eee11..f91375da04bb 100644
--- a/sw/source/filter/ww8/wrtw8sty.cxx
+++ b/sw/source/filter/ww8/wrtw8sty.cxx
@@ -151,9 +151,10 @@ MSWordStyles::MSWordStyles( MSWordExportBase& rExport,
bool bListStyles )
m_rExport.m_rDoc.GetFootnoteInfo().GetAnchorCharFormat(
m_rExport.m_rDoc );
m_rExport.m_rDoc.GetFootnoteInfo().GetCharFormat( m_rExport.m_rDoc );
}
-sal_uInt16 nAlloc = WW8_RESERVED_SLOTS +
m_rExport.m_rDoc.GetCharFormats()->size() - 1 +
+sal_uInt32 nAlloc = WW8_RESERVED_SLOTS +
m_rExport.m_rDoc.GetCharFormats()->size() - 1 +
m_rExport.m_rDoc.GetTextFormatColls()->size() - 1 +
(bListStyles ?
m_rExport.m_rDoc.GetNumRuleTable().size() - 1 : 0);
+nAlloc = std::min(nAlloc, MSWORD_MAX_STYLES_LIMIT);
// somewhat generous ( free for up to 15 )
m_aFormatA.resize(nAlloc, nullptr);
@@ -282,7 +283,7 @@ void MSWordStyles::BuildStylesTable()
const SwCharFormats& rArr = *m_rExport.m_rDoc.GetCharFormats(); //
first CharFormat
// the default character style ( 0 ) will not be outputted !
-for( size_t n = 1; n < rArr.size(); n++ )
+for (size_t n = 1; n < rArr.size() && m_nUsedSlots <
MSWORD_MAX_STYLES_LIMIT; ++n)
{
SwCharFormat* pFormat = rArr[n];
m_aFormatA[ BuildGetSlot( *pFormat ) ] = pFormat;
@@ -290,7 +291,7 @@ void MSWordStyles::BuildStylesTable()
const SwTextFormatColls& rArr2 = *m_rExport.m_rDoc.GetTextFormatColls();
// then TextFormatColls
// the default character style ( 0 ) will not be outputted !
-for( size_t n = 1; n < rArr2.size(); n++ )
+for (size_t n = 1; n < rArr2.size() && m_nUsedSlots <
MSWORD_MAX_STYLES_LIMIT; ++n)
{
SwTextFormatColl* pFormat = rArr2[n];
sal_uInt16 nId = BuildGetSlot( *pFormat ) ;
@@ -307,7 +308,7 @@ void MSWordStyles::BuildStylesTable()
return;
const SwNumRuleTable& rNumRuleTable = m_rExport.m_rDoc.GetNumRuleTable();
-for (size_t i = 0; i < rNumRuleTable.size(); ++i)
+for (size_t i = 0; i < rNumRuleTable.size() && m_nUsedSlots <
MSWORD_MAX_STYLES_LIMIT; ++i)
{
const SwNumRule* pNumRule = rNumRuleTable[i];
if (pNumRule->IsAutoRule() || pNumRule->GetName().startsWith("WWNum"))
[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - 7 commits - lotuswordpro/source
lotuswordpro/source/filter/lwpdrawobj.cxx | 121 +++---
1 file changed, 64 insertions(+), 57 deletions(-)
New commits:
commit aaad67afccf1c59bf7d8fe7ab5207ff903f1c515
Author: zhutyra
AuthorDate: Tue Feb 1 13:54:55 2022 +
Commit: Michael Stahl
CommitDate: Fri Feb 4 11:25:38 2022 +0100
read of width/height uses wrong record size
this initially went wrong at:
commit b4fb7a437bb0ce987702b12008737756623618ac
Date: Mon May 23 21:38:40 2011 +0100
fix up some more endian
LIBREOFFICE-SBQ5TJRS
Change-Id: Ie418f530f55288351f73f3c0cbab9ac48e6b6964
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129259
Tested-by: Jenkins
Reviewed-by: Michael Stahl
(cherry picked from commit 6694e3ea9c2f05a20245d94c5c1eda955cb3aacc)
diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index 642dfed338ec..fd5355ac3295 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1394,8 +1394,12 @@ void LwpDrawBitmap::Read()
if (aInfoHeader2.nHeaderLen == sizeof(BmpInfoHeader))
{
-m_pStream->ReadUInt32( aInfoHeader2.nWidth );
-m_pStream->ReadUInt32( aInfoHeader2.nHeight );
+sal_uInt16 nTmp;
+
+m_pStream->ReadUInt16( nTmp );
+aInfoHeader2.nWidth = nTmp;
+m_pStream->ReadUInt16( nTmp );
+aInfoHeader2.nHeight = nTmp;
m_pStream->ReadUInt16( aInfoHeader2.nPlanes );
m_pStream->ReadUInt16( aInfoHeader2.nBitCount );
commit b268215d10f7da6d01c223b260970198c00cb610
Author: zhutyra
AuthorDate: Tue Feb 1 14:07:26 2022 +
Commit: Michael Stahl
CommitDate: Fri Feb 4 11:25:38 2022 +0100
ensure bounds checking
LIBREOFFICE-SBQ5TJRS
Change-Id: I71f35bc120fdd70298685131f29a6bb822d50f11
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129261
Tested-by: Jenkins
Reviewed-by: Michael Stahl
(cherry picked from commit 17dd787a4ca9c17883e0bdfc75c89c2fa7ec169e)
diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index 475ac337f51a..642dfed338ec 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1375,21 +1375,20 @@ void LwpDrawBitmap::Read()
m_pStream->ReadUInt16( m_aBmpRec.nTranslation );
m_pStream->ReadUInt16( m_aBmpRec.nRotation );
+// 20 == length of draw-specific fields.
if (m_aObjHeader.nRecLen < 20)
throw BadRead();
-// 20 == length of draw-specific fields.
-// 14 == length of bmp file header.
-m_aBmpRec.nFileSize = m_aObjHeader.nRecLen - 20 + 14;
+sal_uInt64 nBmpPos = m_pStream->Tell();
+sal_uInt64 nBmpLen =
+std::min(m_aObjHeader.nRecLen - 20,
m_pStream->remainingSize());
BmpInfoHeader2 aInfoHeader2;
m_pStream->ReadUInt32( aInfoHeader2.nHeaderLen );
-if (!m_pStream->good())
+if (!m_pStream->good() || nBmpLen < aInfoHeader2.nHeaderLen)
throw BadRead();
-m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
-
sal_uInt32 N;
sal_uInt32 rgbTableSize;
@@ -1413,7 +1412,7 @@ void LwpDrawBitmap::Read()
rgbTableSize = 3 * (1 << N);
}
}
-else
+else if (aInfoHeader2.nHeaderLen >= sizeof(BmpInfoHeader2))
{
m_pStream->ReadUInt32( aInfoHeader2.nWidth );
m_pStream->ReadUInt32( aInfoHeader2.nHeight );
@@ -1432,9 +1431,15 @@ void LwpDrawBitmap::Read()
{
rgbTableSize = 4 * (1 << N);
}
-
+}
+else
+{
+throw BadRead();
}
+m_aBmpRec.nFileSize = static_cast(nBmpLen + 14);
+m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
+
sal_uInt32 nOffBits = 14 + aInfoHeader2.nHeaderLen + rgbTableSize;
m_pImageData[0] = 'B';
m_pImageData[1] = 'M';
@@ -1451,50 +1456,10 @@ void LwpDrawBitmap::Read()
m_pImageData[12] = static_cast(nOffBits >> 16);
m_pImageData[13] = static_cast(nOffBits >> 24);
-sal_uInt32 nDIBRemaining;
sal_uInt8* pPicData = m_pImageData.get();
-if (aInfoHeader2.nHeaderLen== sizeof(BmpInfoHeader))
-{
-m_pImageData[14] = static_cast(aInfoHeader2.nHeaderLen);
-m_pImageData[15] = static_cast(aInfoHeader2.nHeaderLen >>
8);
-m_pImageData[16] = static_cast(aInfoHeader2.nHeaderLen >>
16);
-m_pImageData[17] = static_cast(aInfoHeader2.nHeaderLen >>
24);
-m_pImageData[18] = static_cast(aInfoHeader2.nWidth);
-m_pImageData[19] = static_cast(aInfoHeader2.nWidth >> 8);
-m_pImageData[20] = static_cast(aInfoHeader2.nHeight);
-m_pImageData[21] = static_cast(aInfoHeader2.nHeight >> 8);
-m_pImageData[22] = static_cast(aInfoHeader2.nPlanes);
-m_pImageData[23] = static_cast(aInfoHeader2.nPlanes >> 8);
-m_pImageData[24] = static_cast(aInfoHeader2.nBitCount);
-
[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-1' - 7 commits - lotuswordpro/source
lotuswordpro/source/filter/lwpdrawobj.cxx | 121 +++---
1 file changed, 64 insertions(+), 57 deletions(-)
New commits:
commit 9c7083250d1774a02cee0c79bd116668196d
Author: zhutyra
AuthorDate: Tue Feb 1 13:54:55 2022 +
Commit: Michael Stahl
CommitDate: Thu Feb 3 12:24:22 2022 +0100
read of width/height uses wrong record size
this initially went wrong at:
commit b4fb7a437bb0ce987702b12008737756623618ac
Date: Mon May 23 21:38:40 2011 +0100
fix up some more endian
LIBREOFFICE-SBQ5TJRS
Change-Id: Ie418f530f55288351f73f3c0cbab9ac48e6b6964
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129259
Tested-by: Jenkins
Reviewed-by: Michael Stahl
(cherry picked from commit 6694e3ea9c2f05a20245d94c5c1eda955cb3aacc)
diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index c76691bb760a..742e38f82c24 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1394,8 +1394,12 @@ void LwpDrawBitmap::Read()
if (aInfoHeader2.nHeaderLen == sizeof(BmpInfoHeader))
{
-m_pStream->ReadUInt32( aInfoHeader2.nWidth );
-m_pStream->ReadUInt32( aInfoHeader2.nHeight );
+sal_uInt16 nTmp;
+
+m_pStream->ReadUInt16( nTmp );
+aInfoHeader2.nWidth = nTmp;
+m_pStream->ReadUInt16( nTmp );
+aInfoHeader2.nHeight = nTmp;
m_pStream->ReadUInt16( aInfoHeader2.nPlanes );
m_pStream->ReadUInt16( aInfoHeader2.nBitCount );
commit bd6bcffad7fe359ec98498ecc528dec9509cb615
Author: zhutyra
AuthorDate: Tue Feb 1 14:07:26 2022 +
Commit: Michael Stahl
CommitDate: Thu Feb 3 12:24:11 2022 +0100
ensure bounds checking
LIBREOFFICE-SBQ5TJRS
Change-Id: I71f35bc120fdd70298685131f29a6bb822d50f11
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129261
Tested-by: Jenkins
Reviewed-by: Michael Stahl
(cherry picked from commit 17dd787a4ca9c17883e0bdfc75c89c2fa7ec169e)
diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index cb5c342a0aee..c76691bb760a 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1375,21 +1375,20 @@ void LwpDrawBitmap::Read()
m_pStream->ReadUInt16( m_aBmpRec.nTranslation );
m_pStream->ReadUInt16( m_aBmpRec.nRotation );
+// 20 == length of draw-specific fields.
if (m_aObjHeader.nRecLen < 20)
throw BadRead();
-// 20 == length of draw-specific fields.
-// 14 == length of bmp file header.
-m_aBmpRec.nFileSize = m_aObjHeader.nRecLen - 20 + 14;
+sal_uInt64 nBmpPos = m_pStream->Tell();
+sal_uInt64 nBmpLen =
+std::min(m_aObjHeader.nRecLen - 20,
m_pStream->remainingSize());
BmpInfoHeader2 aInfoHeader2;
m_pStream->ReadUInt32( aInfoHeader2.nHeaderLen );
-if (!m_pStream->good())
+if (!m_pStream->good() || nBmpLen < aInfoHeader2.nHeaderLen)
throw BadRead();
-m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
-
sal_uInt32 N;
sal_uInt32 rgbTableSize;
@@ -1413,7 +1412,7 @@ void LwpDrawBitmap::Read()
rgbTableSize = 3 * (1 << N);
}
}
-else
+else if (aInfoHeader2.nHeaderLen >= sizeof(BmpInfoHeader2))
{
m_pStream->ReadUInt32( aInfoHeader2.nWidth );
m_pStream->ReadUInt32( aInfoHeader2.nHeight );
@@ -1432,9 +1431,15 @@ void LwpDrawBitmap::Read()
{
rgbTableSize = 4 * (1 << N);
}
-
+}
+else
+{
+throw BadRead();
}
+m_aBmpRec.nFileSize = static_cast(nBmpLen + 14);
+m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
+
sal_uInt32 nOffBits = 14 + aInfoHeader2.nHeaderLen + rgbTableSize;
m_pImageData[0] = 'B';
m_pImageData[1] = 'M';
@@ -1451,50 +1456,10 @@ void LwpDrawBitmap::Read()
m_pImageData[12] = static_cast(nOffBits >> 16);
m_pImageData[13] = static_cast(nOffBits >> 24);
-sal_uInt32 nDIBRemaining;
sal_uInt8* pPicData = m_pImageData.get();
-if (aInfoHeader2.nHeaderLen== sizeof(BmpInfoHeader))
-{
-m_pImageData[14] = static_cast(aInfoHeader2.nHeaderLen);
-m_pImageData[15] = static_cast(aInfoHeader2.nHeaderLen >>
8);
-m_pImageData[16] = static_cast(aInfoHeader2.nHeaderLen >>
16);
-m_pImageData[17] = static_cast(aInfoHeader2.nHeaderLen >>
24);
-m_pImageData[18] = static_cast(aInfoHeader2.nWidth);
-m_pImageData[19] = static_cast(aInfoHeader2.nWidth >> 8);
-m_pImageData[20] = static_cast(aInfoHeader2.nHeight);
-m_pImageData[21] = static_cast(aInfoHeader2.nHeight >> 8);
-m_pImageData[22] = static_cast(aInfoHeader2.nPlanes);
-m_pImageData[23] = static_cast(aInfoHeader2.nPlanes >> 8);
-m_pImageData[24] = static_cast(aInfoHeader2.nBitCount);
-
[Libreoffice-commits] core.git: Branch 'distro/lhm/libreoffice-6-4+backports' - lotuswordpro/source
lotuswordpro/source/filter/lwpdrawobj.cxx |8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
New commits:
commit 43fdb7be021fdfcf0f7621e9bb73158cd481684f
Author: zhutyra
AuthorDate: Tue Feb 1 13:54:55 2022 +
Commit: Thorsten Behrens
CommitDate: Thu Feb 3 23:56:39 2022 +0100
read of width/height uses wrong record size
this initially went wrong at:
commit b4fb7a437bb0ce987702b12008737756623618ac
Date: Mon May 23 21:38:40 2011 +0100
fix up some more endian
LIBREOFFICE-SBQ5TJRS
Change-Id: Ie418f530f55288351f73f3c0cbab9ac48e6b6964
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129259
Tested-by: Jenkins
Reviewed-by: Michael Stahl
(cherry picked from commit 6694e3ea9c2f05a20245d94c5c1eda955cb3aacc)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129418
Tested-by: Thorsten Behrens
Reviewed-by: Thorsten Behrens
diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index 642dfed338ec..fd5355ac3295 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1394,8 +1394,12 @@ void LwpDrawBitmap::Read()
if (aInfoHeader2.nHeaderLen == sizeof(BmpInfoHeader))
{
-m_pStream->ReadUInt32( aInfoHeader2.nWidth );
-m_pStream->ReadUInt32( aInfoHeader2.nHeight );
+sal_uInt16 nTmp;
+
+m_pStream->ReadUInt16( nTmp );
+aInfoHeader2.nWidth = nTmp;
+m_pStream->ReadUInt16( nTmp );
+aInfoHeader2.nHeight = nTmp;
m_pStream->ReadUInt16( aInfoHeader2.nPlanes );
m_pStream->ReadUInt16( aInfoHeader2.nBitCount );
[Libreoffice-commits] core.git: Branch 'distro/lhm/libreoffice-6-4+backports' - lotuswordpro/source
lotuswordpro/source/filter/lwpdrawobj.cxx | 65 ++
1 file changed, 15 insertions(+), 50 deletions(-)
New commits:
commit ace517548257bd709be7fc596f21b9e04888635d
Author: zhutyra
AuthorDate: Tue Feb 1 14:07:26 2022 +
Commit: Thorsten Behrens
CommitDate: Thu Feb 3 23:56:18 2022 +0100
ensure bounds checking
LIBREOFFICE-SBQ5TJRS
Change-Id: I71f35bc120fdd70298685131f29a6bb822d50f11
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129261
Tested-by: Jenkins
Reviewed-by: Michael Stahl
(cherry picked from commit 17dd787a4ca9c17883e0bdfc75c89c2fa7ec169e)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129417
Tested-by: Thorsten Behrens
Reviewed-by: Thorsten Behrens
diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index 475ac337f51a..642dfed338ec 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1375,21 +1375,20 @@ void LwpDrawBitmap::Read()
m_pStream->ReadUInt16( m_aBmpRec.nTranslation );
m_pStream->ReadUInt16( m_aBmpRec.nRotation );
+// 20 == length of draw-specific fields.
if (m_aObjHeader.nRecLen < 20)
throw BadRead();
-// 20 == length of draw-specific fields.
-// 14 == length of bmp file header.
-m_aBmpRec.nFileSize = m_aObjHeader.nRecLen - 20 + 14;
+sal_uInt64 nBmpPos = m_pStream->Tell();
+sal_uInt64 nBmpLen =
+std::min(m_aObjHeader.nRecLen - 20,
m_pStream->remainingSize());
BmpInfoHeader2 aInfoHeader2;
m_pStream->ReadUInt32( aInfoHeader2.nHeaderLen );
-if (!m_pStream->good())
+if (!m_pStream->good() || nBmpLen < aInfoHeader2.nHeaderLen)
throw BadRead();
-m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
-
sal_uInt32 N;
sal_uInt32 rgbTableSize;
@@ -1413,7 +1412,7 @@ void LwpDrawBitmap::Read()
rgbTableSize = 3 * (1 << N);
}
}
-else
+else if (aInfoHeader2.nHeaderLen >= sizeof(BmpInfoHeader2))
{
m_pStream->ReadUInt32( aInfoHeader2.nWidth );
m_pStream->ReadUInt32( aInfoHeader2.nHeight );
@@ -1432,9 +1431,15 @@ void LwpDrawBitmap::Read()
{
rgbTableSize = 4 * (1 << N);
}
-
+}
+else
+{
+throw BadRead();
}
+m_aBmpRec.nFileSize = static_cast(nBmpLen + 14);
+m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
+
sal_uInt32 nOffBits = 14 + aInfoHeader2.nHeaderLen + rgbTableSize;
m_pImageData[0] = 'B';
m_pImageData[1] = 'M';
@@ -1451,50 +1456,10 @@ void LwpDrawBitmap::Read()
m_pImageData[12] = static_cast(nOffBits >> 16);
m_pImageData[13] = static_cast(nOffBits >> 24);
-sal_uInt32 nDIBRemaining;
sal_uInt8* pPicData = m_pImageData.get();
-if (aInfoHeader2.nHeaderLen== sizeof(BmpInfoHeader))
-{
-m_pImageData[14] = static_cast(aInfoHeader2.nHeaderLen);
-m_pImageData[15] = static_cast(aInfoHeader2.nHeaderLen >>
8);
-m_pImageData[16] = static_cast(aInfoHeader2.nHeaderLen >>
16);
-m_pImageData[17] = static_cast(aInfoHeader2.nHeaderLen >>
24);
-m_pImageData[18] = static_cast(aInfoHeader2.nWidth);
-m_pImageData[19] = static_cast(aInfoHeader2.nWidth >> 8);
-m_pImageData[20] = static_cast(aInfoHeader2.nHeight);
-m_pImageData[21] = static_cast(aInfoHeader2.nHeight >> 8);
-m_pImageData[22] = static_cast(aInfoHeader2.nPlanes);
-m_pImageData[23] = static_cast(aInfoHeader2.nPlanes >> 8);
-m_pImageData[24] = static_cast(aInfoHeader2.nBitCount);
-m_pImageData[25] = static_cast(aInfoHeader2.nBitCount >> 8);
-
-nDIBRemaining = m_aBmpRec.nFileSize - 26;
-pPicData += 26*sizeof(sal_uInt8);
-}
-else
-{
-m_pImageData[14] = static_cast(aInfoHeader2.nHeaderLen);
-m_pImageData[15] = static_cast(aInfoHeader2.nHeaderLen >>
8);
-m_pImageData[16] = static_cast(aInfoHeader2.nHeaderLen >>
16);
-m_pImageData[17] = static_cast(aInfoHeader2.nHeaderLen >>
24);
-m_pImageData[18] = static_cast(aInfoHeader2.nWidth);
-m_pImageData[19] = static_cast(aInfoHeader2.nWidth >> 8);
-m_pImageData[20] = static_cast(aInfoHeader2.nWidth >> 16);
-m_pImageData[21] = static_cast(aInfoHeader2.nWidth >> 24);
-m_pImageData[22] = static_cast(aInfoHeader2.nHeight);
-m_pImageData[23] = static_cast(aInfoHeader2.nHeight >> 8);
-m_pImageData[24] = static_cast(aInfoHeader2.nHeight >> 16);
-m_pImageData[25] = static_cast(aInfoHeader2.nHeight >> 24);
-m_pImageData[26] = static_cast(aInfoHeader2.nPlanes);
-m_pImageData[27] = static_cast(aInfoHeader2.nPlanes >> 8);
-m_pImageData[28] = static_cast(aInfoHeader2.nBitCount);
-m_pImageData[29] = static_cast(aInfoHeader2.nBitCount >> 8);
-
-nDIBRemaining = m_aBmpRec.nFileSize - 30;
-
[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source
lotuswordpro/source/filter/lwpdrawobj.cxx |8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
New commits:
commit 6694e3ea9c2f05a20245d94c5c1eda955cb3aacc
Author: zhutyra
AuthorDate: Tue Feb 1 13:54:55 2022 +
Commit: Michael Stahl
CommitDate: Thu Feb 3 12:01:14 2022 +0100
read of width/height uses wrong record size
this initially went wrong at:
commit b4fb7a437bb0ce987702b12008737756623618ac
Date: Mon May 23 21:38:40 2011 +0100
fix up some more endian
LIBREOFFICE-SBQ5TJRS
Change-Id: Ie418f530f55288351f73f3c0cbab9ac48e6b6964
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129259
Tested-by: Jenkins
Reviewed-by: Michael Stahl
diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index 11bc3bcb5a98..f1abe2c438f3 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1388,8 +1388,12 @@ void LwpDrawBitmap::Read()
if (aInfoHeader2.nHeaderLen == sizeof(BmpInfoHeader))
{
-m_pStream->ReadUInt32( aInfoHeader2.nWidth );
-m_pStream->ReadUInt32( aInfoHeader2.nHeight );
+sal_uInt16 nTmp;
+
+m_pStream->ReadUInt16( nTmp );
+aInfoHeader2.nWidth = nTmp;
+m_pStream->ReadUInt16( nTmp );
+aInfoHeader2.nHeight = nTmp;
m_pStream->ReadUInt16( aInfoHeader2.nPlanes );
m_pStream->ReadUInt16( aInfoHeader2.nBitCount );
[Libreoffice-commits] core.git: Branch 'libreoffice-7-3' - lotuswordpro/source
lotuswordpro/source/filter/lwpdrawobj.cxx |8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
New commits:
commit 0efe676d8e36b1f47bdf192b458cb23b521c5eda
Author: zhutyra
AuthorDate: Tue Feb 1 13:54:55 2022 +
Commit: Michael Stahl
CommitDate: Thu Feb 3 12:00:54 2022 +0100
read of width/height uses wrong record size
this initially went wrong at:
commit b4fb7a437bb0ce987702b12008737756623618ac
Date: Mon May 23 21:38:40 2011 +0100
fix up some more endian
LIBREOFFICE-SBQ5TJRS
Change-Id: Ie418f530f55288351f73f3c0cbab9ac48e6b6964
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129258
Tested-by: Jenkins
Reviewed-by: Michael Stahl
diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index 3ef720945c82..404bc6aa1b5d 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1389,8 +1389,12 @@ void LwpDrawBitmap::Read()
if (aInfoHeader2.nHeaderLen == sizeof(BmpInfoHeader))
{
-m_pStream->ReadUInt32( aInfoHeader2.nWidth );
-m_pStream->ReadUInt32( aInfoHeader2.nHeight );
+sal_uInt16 nTmp;
+
+m_pStream->ReadUInt16( nTmp );
+aInfoHeader2.nWidth = nTmp;
+m_pStream->ReadUInt16( nTmp );
+aInfoHeader2.nHeight = nTmp;
m_pStream->ReadUInt16( aInfoHeader2.nPlanes );
m_pStream->ReadUInt16( aInfoHeader2.nBitCount );
[Libreoffice-commits] core.git: Branch 'libreoffice-7-2' - lotuswordpro/source
lotuswordpro/source/filter/lwpdrawobj.cxx | 65 ++
1 file changed, 15 insertions(+), 50 deletions(-)
New commits:
commit 17dd787a4ca9c17883e0bdfc75c89c2fa7ec169e
Author: zhutyra
AuthorDate: Tue Feb 1 14:07:26 2022 +
Commit: Michael Stahl
CommitDate: Thu Feb 3 11:59:31 2022 +0100
ensure bounds checking
LIBREOFFICE-SBQ5TJRS
Change-Id: I71f35bc120fdd70298685131f29a6bb822d50f11
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129261
Tested-by: Jenkins
Reviewed-by: Michael Stahl
diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index ce3f5249786d..11bc3bcb5a98 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1369,21 +1369,20 @@ void LwpDrawBitmap::Read()
m_pStream->ReadUInt16( m_aBmpRec.nTranslation );
m_pStream->ReadUInt16( m_aBmpRec.nRotation );
+// 20 == length of draw-specific fields.
if (m_aObjHeader.nRecLen < 20)
throw BadRead();
-// 20 == length of draw-specific fields.
-// 14 == length of bmp file header.
-m_aBmpRec.nFileSize = m_aObjHeader.nRecLen - 20 + 14;
+sal_uInt64 nBmpPos = m_pStream->Tell();
+sal_uInt64 nBmpLen =
+std::min(m_aObjHeader.nRecLen - 20,
m_pStream->remainingSize());
BmpInfoHeader2 aInfoHeader2;
m_pStream->ReadUInt32( aInfoHeader2.nHeaderLen );
-if (!m_pStream->good())
+if (!m_pStream->good() || nBmpLen < aInfoHeader2.nHeaderLen)
throw BadRead();
-m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
-
sal_uInt32 N;
sal_uInt32 rgbTableSize;
@@ -1407,7 +1406,7 @@ void LwpDrawBitmap::Read()
rgbTableSize = 3 * (1 << N);
}
}
-else
+else if (aInfoHeader2.nHeaderLen >= sizeof(BmpInfoHeader2))
{
m_pStream->ReadUInt32( aInfoHeader2.nWidth );
m_pStream->ReadUInt32( aInfoHeader2.nHeight );
@@ -1426,9 +1425,15 @@ void LwpDrawBitmap::Read()
{
rgbTableSize = 4 * (1 << N);
}
-
+}
+else
+{
+throw BadRead();
}
+m_aBmpRec.nFileSize = static_cast(nBmpLen + 14);
+m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
+
sal_uInt32 nOffBits = 14 + aInfoHeader2.nHeaderLen + rgbTableSize;
m_pImageData[0] = 'B';
m_pImageData[1] = 'M';
@@ -1445,50 +1450,10 @@ void LwpDrawBitmap::Read()
m_pImageData[12] = static_cast(nOffBits >> 16);
m_pImageData[13] = static_cast(nOffBits >> 24);
-sal_uInt32 nDIBRemaining;
sal_uInt8* pPicData = m_pImageData.get();
-if (aInfoHeader2.nHeaderLen== sizeof(BmpInfoHeader))
-{
-m_pImageData[14] = static_cast(aInfoHeader2.nHeaderLen);
-m_pImageData[15] = static_cast(aInfoHeader2.nHeaderLen >>
8);
-m_pImageData[16] = static_cast(aInfoHeader2.nHeaderLen >>
16);
-m_pImageData[17] = static_cast(aInfoHeader2.nHeaderLen >>
24);
-m_pImageData[18] = static_cast(aInfoHeader2.nWidth);
-m_pImageData[19] = static_cast(aInfoHeader2.nWidth >> 8);
-m_pImageData[20] = static_cast(aInfoHeader2.nHeight);
-m_pImageData[21] = static_cast(aInfoHeader2.nHeight >> 8);
-m_pImageData[22] = static_cast(aInfoHeader2.nPlanes);
-m_pImageData[23] = static_cast(aInfoHeader2.nPlanes >> 8);
-m_pImageData[24] = static_cast(aInfoHeader2.nBitCount);
-m_pImageData[25] = static_cast(aInfoHeader2.nBitCount >> 8);
-
-nDIBRemaining = m_aBmpRec.nFileSize - 26;
-pPicData += 26*sizeof(sal_uInt8);
-}
-else
-{
-m_pImageData[14] = static_cast(aInfoHeader2.nHeaderLen);
-m_pImageData[15] = static_cast(aInfoHeader2.nHeaderLen >>
8);
-m_pImageData[16] = static_cast(aInfoHeader2.nHeaderLen >>
16);
-m_pImageData[17] = static_cast(aInfoHeader2.nHeaderLen >>
24);
-m_pImageData[18] = static_cast(aInfoHeader2.nWidth);
-m_pImageData[19] = static_cast(aInfoHeader2.nWidth >> 8);
-m_pImageData[20] = static_cast(aInfoHeader2.nWidth >> 16);
-m_pImageData[21] = static_cast(aInfoHeader2.nWidth >> 24);
-m_pImageData[22] = static_cast(aInfoHeader2.nHeight);
-m_pImageData[23] = static_cast(aInfoHeader2.nHeight >> 8);
-m_pImageData[24] = static_cast(aInfoHeader2.nHeight >> 16);
-m_pImageData[25] = static_cast(aInfoHeader2.nHeight >> 24);
-m_pImageData[26] = static_cast(aInfoHeader2.nPlanes);
-m_pImageData[27] = static_cast(aInfoHeader2.nPlanes >> 8);
-m_pImageData[28] = static_cast(aInfoHeader2.nBitCount);
-m_pImageData[29] = static_cast(aInfoHeader2.nBitCount >> 8);
-
-nDIBRemaining = m_aBmpRec.nFileSize - 30;
-pPicData += 30*sizeof(sal_uInt8);
-}
-if (nDIBRemaining != m_pStream->ReadBytes(pPicData, nDIBRemaining))
+m_pStream->Seek(nBmpPos);
+if (nBmpLen != m_pStream->ReadBytes(pPicData +
[Libreoffice-commits] core.git: Branch 'libreoffice-7-3' - lotuswordpro/source
lotuswordpro/source/filter/lwpdrawobj.cxx | 65 ++
1 file changed, 15 insertions(+), 50 deletions(-)
New commits:
commit 64cd0c0554ec7eb31ffab77ed314938e99e92dec
Author: zhutyra
AuthorDate: Tue Feb 1 14:07:26 2022 +
Commit: Michael Stahl
CommitDate: Thu Feb 3 11:56:27 2022 +0100
ensure bounds checking
LIBREOFFICE-SBQ5TJRS
Change-Id: I71f35bc120fdd70298685131f29a6bb822d50f11
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129260
Tested-by: Jenkins
Reviewed-by: Michael Stahl
diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index d2fc64b46435..3ef720945c82 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1370,21 +1370,20 @@ void LwpDrawBitmap::Read()
m_pStream->ReadUInt16( m_aBmpRec.nTranslation );
m_pStream->ReadUInt16( m_aBmpRec.nRotation );
+// 20 == length of draw-specific fields.
if (m_aObjHeader.nRecLen < 20)
throw BadRead();
-// 20 == length of draw-specific fields.
-// 14 == length of bmp file header.
-m_aBmpRec.nFileSize = m_aObjHeader.nRecLen - 20 + 14;
+sal_uInt64 nBmpPos = m_pStream->Tell();
+sal_uInt64 nBmpLen =
+std::min(m_aObjHeader.nRecLen - 20,
m_pStream->remainingSize());
BmpInfoHeader2 aInfoHeader2;
m_pStream->ReadUInt32( aInfoHeader2.nHeaderLen );
-if (!m_pStream->good())
+if (!m_pStream->good() || nBmpLen < aInfoHeader2.nHeaderLen)
throw BadRead();
-m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
-
sal_uInt32 N;
sal_uInt32 rgbTableSize;
@@ -1408,7 +1407,7 @@ void LwpDrawBitmap::Read()
rgbTableSize = 3 * (1 << N);
}
}
-else
+else if (aInfoHeader2.nHeaderLen >= sizeof(BmpInfoHeader2))
{
m_pStream->ReadUInt32( aInfoHeader2.nWidth );
m_pStream->ReadUInt32( aInfoHeader2.nHeight );
@@ -1427,9 +1426,15 @@ void LwpDrawBitmap::Read()
{
rgbTableSize = 4 * (1 << N);
}
-
+}
+else
+{
+throw BadRead();
}
+m_aBmpRec.nFileSize = static_cast(nBmpLen + 14);
+m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
+
sal_uInt32 nOffBits = 14 + aInfoHeader2.nHeaderLen + rgbTableSize;
m_pImageData[0] = 'B';
m_pImageData[1] = 'M';
@@ -1446,50 +1451,10 @@ void LwpDrawBitmap::Read()
m_pImageData[12] = static_cast(nOffBits >> 16);
m_pImageData[13] = static_cast(nOffBits >> 24);
-sal_uInt32 nDIBRemaining;
sal_uInt8* pPicData = m_pImageData.get();
-if (aInfoHeader2.nHeaderLen== sizeof(BmpInfoHeader))
-{
-m_pImageData[14] = static_cast(aInfoHeader2.nHeaderLen);
-m_pImageData[15] = static_cast(aInfoHeader2.nHeaderLen >>
8);
-m_pImageData[16] = static_cast(aInfoHeader2.nHeaderLen >>
16);
-m_pImageData[17] = static_cast(aInfoHeader2.nHeaderLen >>
24);
-m_pImageData[18] = static_cast(aInfoHeader2.nWidth);
-m_pImageData[19] = static_cast(aInfoHeader2.nWidth >> 8);
-m_pImageData[20] = static_cast(aInfoHeader2.nHeight);
-m_pImageData[21] = static_cast(aInfoHeader2.nHeight >> 8);
-m_pImageData[22] = static_cast(aInfoHeader2.nPlanes);
-m_pImageData[23] = static_cast(aInfoHeader2.nPlanes >> 8);
-m_pImageData[24] = static_cast(aInfoHeader2.nBitCount);
-m_pImageData[25] = static_cast(aInfoHeader2.nBitCount >> 8);
-
-nDIBRemaining = m_aBmpRec.nFileSize - 26;
-pPicData += 26*sizeof(sal_uInt8);
-}
-else
-{
-m_pImageData[14] = static_cast(aInfoHeader2.nHeaderLen);
-m_pImageData[15] = static_cast(aInfoHeader2.nHeaderLen >>
8);
-m_pImageData[16] = static_cast(aInfoHeader2.nHeaderLen >>
16);
-m_pImageData[17] = static_cast(aInfoHeader2.nHeaderLen >>
24);
-m_pImageData[18] = static_cast(aInfoHeader2.nWidth);
-m_pImageData[19] = static_cast(aInfoHeader2.nWidth >> 8);
-m_pImageData[20] = static_cast(aInfoHeader2.nWidth >> 16);
-m_pImageData[21] = static_cast(aInfoHeader2.nWidth >> 24);
-m_pImageData[22] = static_cast(aInfoHeader2.nHeight);
-m_pImageData[23] = static_cast(aInfoHeader2.nHeight >> 8);
-m_pImageData[24] = static_cast(aInfoHeader2.nHeight >> 16);
-m_pImageData[25] = static_cast(aInfoHeader2.nHeight >> 24);
-m_pImageData[26] = static_cast(aInfoHeader2.nPlanes);
-m_pImageData[27] = static_cast(aInfoHeader2.nPlanes >> 8);
-m_pImageData[28] = static_cast(aInfoHeader2.nBitCount);
-m_pImageData[29] = static_cast(aInfoHeader2.nBitCount >> 8);
-
-nDIBRemaining = m_aBmpRec.nFileSize - 30;
-pPicData += 30*sizeof(sal_uInt8);
-}
-if (nDIBRemaining != m_pStream->ReadBytes(pPicData, nDIBRemaining))
+m_pStream->Seek(nBmpPos);
+if (nBmpLen != m_pStream->ReadBytes(pPicData +
[Libreoffice-commits] core.git: lotuswordpro/source
lotuswordpro/source/filter/lwpdrawobj.cxx | 65 ++
1 file changed, 15 insertions(+), 50 deletions(-)
New commits:
commit 5e8ceac64b66d1298037b939350d3adb86b37752
Author: zhutyra
AuthorDate: Tue Feb 1 14:07:26 2022 +
Commit: Caolán McNamara
CommitDate: Tue Feb 1 20:37:47 2022 +0100
ensure bounds checking
LIBREOFFICE-SBQ5TJRS
Change-Id: I71f35bc120fdd70298685131f29a6bb822d50f11
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129294
Tested-by: Jenkins
Reviewed-by: Caolán McNamara
diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index 7e1322a8f67f..130e729f6fc6 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1363,21 +1363,20 @@ void LwpDrawBitmap::Read()
m_pStream->ReadUInt16( m_aBmpRec.nTranslation );
m_pStream->ReadUInt16( m_aBmpRec.nRotation );
+// 20 == length of draw-specific fields.
if (m_aObjHeader.nRecLen < 20)
throw BadRead();
-// 20 == length of draw-specific fields.
-// 14 == length of bmp file header.
-m_aBmpRec.nFileSize = m_aObjHeader.nRecLen - 20 + 14;
+sal_uInt64 nBmpPos = m_pStream->Tell();
+sal_uInt64 nBmpLen =
+std::min(m_aObjHeader.nRecLen - 20,
m_pStream->remainingSize());
BmpInfoHeader2 aInfoHeader2;
m_pStream->ReadUInt32( aInfoHeader2.nHeaderLen );
-if (!m_pStream->good())
+if (!m_pStream->good() || nBmpLen < aInfoHeader2.nHeaderLen)
throw BadRead();
-m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
-
sal_uInt32 N;
sal_uInt32 rgbTableSize;
@@ -1405,7 +1404,7 @@ void LwpDrawBitmap::Read()
rgbTableSize = 3 * (1 << N);
}
}
-else
+else if (aInfoHeader2.nHeaderLen >= sizeof(BmpInfoHeader2))
{
m_pStream->ReadUInt32( aInfoHeader2.nWidth );
m_pStream->ReadUInt32( aInfoHeader2.nHeight );
@@ -1424,9 +1423,15 @@ void LwpDrawBitmap::Read()
{
rgbTableSize = 4 * (1 << N);
}
-
+}
+else
+{
+throw BadRead();
}
+m_aBmpRec.nFileSize = static_cast(nBmpLen + 14);
+m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
+
sal_uInt32 nOffBits = 14 + aInfoHeader2.nHeaderLen + rgbTableSize;
m_pImageData[0] = 'B';
m_pImageData[1] = 'M';
@@ -1443,50 +1448,10 @@ void LwpDrawBitmap::Read()
m_pImageData[12] = static_cast(nOffBits >> 16);
m_pImageData[13] = static_cast(nOffBits >> 24);
-sal_uInt32 nDIBRemaining;
sal_uInt8* pPicData = m_pImageData.get();
-if (aInfoHeader2.nHeaderLen== sizeof(BmpInfoHeader))
-{
-m_pImageData[14] = static_cast(aInfoHeader2.nHeaderLen);
-m_pImageData[15] = static_cast(aInfoHeader2.nHeaderLen >>
8);
-m_pImageData[16] = static_cast(aInfoHeader2.nHeaderLen >>
16);
-m_pImageData[17] = static_cast(aInfoHeader2.nHeaderLen >>
24);
-m_pImageData[18] = static_cast(aInfoHeader2.nWidth);
-m_pImageData[19] = static_cast(aInfoHeader2.nWidth >> 8);
-m_pImageData[20] = static_cast(aInfoHeader2.nHeight);
-m_pImageData[21] = static_cast(aInfoHeader2.nHeight >> 8);
-m_pImageData[22] = static_cast(aInfoHeader2.nPlanes);
-m_pImageData[23] = static_cast(aInfoHeader2.nPlanes >> 8);
-m_pImageData[24] = static_cast(aInfoHeader2.nBitCount);
-m_pImageData[25] = static_cast(aInfoHeader2.nBitCount >> 8);
-
-nDIBRemaining = m_aBmpRec.nFileSize - 26;
-pPicData += 26*sizeof(sal_uInt8);
-}
-else
-{
-m_pImageData[14] = static_cast(aInfoHeader2.nHeaderLen);
-m_pImageData[15] = static_cast(aInfoHeader2.nHeaderLen >>
8);
-m_pImageData[16] = static_cast(aInfoHeader2.nHeaderLen >>
16);
-m_pImageData[17] = static_cast(aInfoHeader2.nHeaderLen >>
24);
-m_pImageData[18] = static_cast(aInfoHeader2.nWidth);
-m_pImageData[19] = static_cast(aInfoHeader2.nWidth >> 8);
-m_pImageData[20] = static_cast(aInfoHeader2.nWidth >> 16);
-m_pImageData[21] = static_cast(aInfoHeader2.nWidth >> 24);
-m_pImageData[22] = static_cast(aInfoHeader2.nHeight);
-m_pImageData[23] = static_cast(aInfoHeader2.nHeight >> 8);
-m_pImageData[24] = static_cast(aInfoHeader2.nHeight >> 16);
-m_pImageData[25] = static_cast(aInfoHeader2.nHeight >> 24);
-m_pImageData[26] = static_cast(aInfoHeader2.nPlanes);
-m_pImageData[27] = static_cast(aInfoHeader2.nPlanes >> 8);
-m_pImageData[28] = static_cast(aInfoHeader2.nBitCount);
-m_pImageData[29] = static_cast(aInfoHeader2.nBitCount >> 8);
-
-nDIBRemaining = m_aBmpRec.nFileSize - 30;
-pPicData += 30*sizeof(sal_uInt8);
-}
-if (nDIBRemaining != m_pStream->ReadBytes(pPicData, nDIBRemaining))
+m_pStream->Seek(nBmpPos);
+if (nBmpLen != m_pStream->ReadBytes(pPicData
[Libreoffice-commits] core.git: lotuswordpro/source
lotuswordpro/source/filter/lwpdrawobj.cxx |8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
New commits:
commit dfcf8a75a975b09d3a39e4c753a717dc67036a3c
Author: zhutyra
AuthorDate: Tue Feb 1 13:54:55 2022 +
Commit: Caolán McNamara
CommitDate: Tue Feb 1 20:37:30 2022 +0100
read of width/height uses wrong record size
this initially went wrong at:
commit b4fb7a437bb0ce987702b12008737756623618ac
Date: Mon May 23 21:38:40 2011 +0100
fix up some more endian
LIBREOFFICE-SBQ5TJRS
Change-Id: Ie418f530f55288351f73f3c0cbab9ac48e6b6964
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129293
Tested-by: Caolán McNamara
Reviewed-by: Caolán McNamara
diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx
b/lotuswordpro/source/filter/lwpdrawobj.cxx
index ad14a778d2cb..7e1322a8f67f 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1383,8 +1383,12 @@ void LwpDrawBitmap::Read()
if (aInfoHeader2.nHeaderLen == sizeof(BmpInfoHeader))
{
-m_pStream->ReadUInt32( aInfoHeader2.nWidth );
-m_pStream->ReadUInt32( aInfoHeader2.nHeight );
+sal_uInt16 nTmp;
+
+m_pStream->ReadUInt16( nTmp );
+aInfoHeader2.nWidth = nTmp;
+m_pStream->ReadUInt16( nTmp );
+aInfoHeader2.nHeight = nTmp;
m_pStream->ReadUInt16( aInfoHeader2.nPlanes );
m_pStream->ReadUInt16( aInfoHeader2.nBitCount );
