basic/source/runtime/methods.cxx | 5 ++-- filter/source/graphicfilter/ipict/ipict.cxx | 27 +++++++++++++++++++++++++ package/source/zipapi/ZipFile.cxx | 2 + rsc/source/rscpp/cpp3.c | 1 sd/inc/sdmod.hxx | 2 - sd/source/ui/app/sdmod1.cxx | 4 +-- svtools/qa/unit/GraphicObjectTest.cxx | 1 vcl/opengl/gdiimpl.cxx | 3 ++ vcl/source/fontsubset/sft.cxx | 30 +++++++++++++++++----------- vcl/source/gdi/impfont.cxx | 8 +++++-- 10 files changed, 65 insertions(+), 18 deletions(-)
New commits: commit fcf43d7e8a908a303ccae274dcd6668aa93d4d50 Author: Caolán McNamara <caol...@redhat.com> Date: Fri Nov 21 10:40:40 2014 +0000 coverity#1213367 rework to make comparison to len more clear Change-Id: I9cb09bfc35f2b04567e52247f8bd1378910aeeb5 diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx index 1e0aa29..2a33640 100644 --- a/vcl/source/fontsubset/sft.cxx +++ b/vcl/source/fontsubset/sft.cxx @@ -844,7 +844,9 @@ static char *nameExtract( const sal_uInt8* name, int nTableSize, int n, int dbFl int len = GetUInt16(name+6, 12 * n + 8, 1); // sanity check - if( (len <= 0) || ((ptr+len) > (name+nTableSize)) ) + const sal_uInt8* end_table = name+nTableSize; + const int available_space = ptr > end_table ? 0 : (end_table - ptr); + if( (len <= 0) || len > available_space) { if( ucs2result ) *ucs2result = NULL; commit 46bdfa98c107e0aba92e42b46c0c5a287251017b Author: Caolán McNamara <caol...@redhat.com> Date: Fri Nov 21 10:34:48 2014 +0000 coverity#1213368 Untrusted value as argument Change-Id: Ia1bd6464e6d4c6054ca8f2fce792de365984c02e diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx index 390777e..1e0aa29 100644 --- a/vcl/source/fontsubset/sft.cxx +++ b/vcl/source/fontsubset/sft.cxx @@ -920,9 +920,9 @@ static int findname( const sal_uInt8 *name, sal_uInt16 n, sal_uInt16 platformID, static void GetNames(TrueTypeFont *t) { const sal_uInt8* table = getTable( t, O_name ); - int nTableSize = getTableSize(t, O_name); + const sal_uInt32 nTableSize = getTableSize(t, O_name); - if (nTableSize < 4) + if (nTableSize < 6) { #if OSL_DEBUG_LEVEL > 1 fprintf(stderr, "O_name table too small\n"); 
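Review bot: In nameExtract, `ptr > end_table ? 0 : (end_table - ptr)` still compares a pointer that may already lie outside the name table, since `ptr` is presumably built from offsets read out of the font before this check (its computation is above the hunk). Comparing the integer offsets against `nTableSize` would avoid forming the out-of-range pointer at all. Separately, the pointer difference is a `ptrdiff_t` stored in an `int`; `const ptrdiff_t available_space = ...` would avoid the implicit narrowing. The function body starts and ends outside the hunk.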
@@ -931,13 +931,17 @@ static void GetNames(TrueTypeFont *t) } sal_uInt16 n = GetUInt16(table, 2, 1); - int i, r; - bool bPSNameOK = true; - /* #129743# simple sanity check for name table entry count */ - if( nTableSize <= n * 12 + 6 ) + /* simple sanity check for name table entry count */ + const size_t nMinRecordSize = 12; + const size_t nSpaceAvailable = nTableSize - 6; + const size_t nMaxRecords = nSpaceAvailable/nMinRecordSize; + if (n >= nMaxRecords) n = 0; + int i, r; + bool bPSNameOK = true; + /* PostScript name: preferred Microsoft */ t->psname = NULL; if ((r = findname(table, n, 3, 1, 0x0409, 6)) != -1) commit b3c282f12931b7e1cf152cb39664e3139012d7d0 Author: Caolán McNamara <caol...@redhat.com> Date: Fri Nov 21 10:26:51 2014 +0000 move error patch test to start Change-Id: Icd6a8b301eb7cc53aac9b84d2208bcde94218470 diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx index 2d52a19..390777e 100644 --- a/vcl/source/fontsubset/sft.cxx +++ b/vcl/source/fontsubset/sft.cxx @@ -879,12 +879,12 @@ static char *nameExtract( const sal_uInt8* name, int nTableSize, int n, int dbFl static int findname( const sal_uInt8 *name, sal_uInt16 n, sal_uInt16 platformID, sal_uInt16 encodingID, sal_uInt16 languageID, sal_uInt16 nameID ) { + if (n == 0) return -1; + int l = 0, r = n-1, i; sal_uInt32 t1, t2; sal_uInt32 m1, m2; - if (n == 0) return -1; - m1 = (platformID << 16) | encodingID; m2 = (languageID << 16) | nameID; commit 6027c7575bc7b8821a60bad3b70c237cae69ed72 Author: Caolán McNamara <caol...@redhat.com> Date: Fri Nov 21 10:19:53 2014 +0000 coverity#1213370 rework to make comparison to rec[i].slen more clear Change-Id: I13ff12f0023b2752ea40cbf941350ca4c7dc7f78 diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx index 4cdb95c..2d52a19 100644 --- a/vcl/source/fontsubset/sft.cxx +++ b/vcl/source/fontsubset/sft.cxx 
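Review bot: The record-count check in GetNames rejects `n >= nMaxRecords`, so a table whose space after the first 6 bytes holds exactly n twelve-byte records is treated as having no names, and nothing in the code says why. A short comment would make the intent reviewable, for example `/* '>=' on purpose: string storage must follow the records, so n records can never fill the table exactly */`, if that is indeed the reason. Resetting `n = 0` is also silent, unlike the "O_name table too small" branch earlier in the function, which prints a message at OSL_DEBUG_LEVEL > 1; a matching diagnostic here would help when triaging a malformed font.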
@@ -2716,9 +2716,11 @@ int GetTTNameRecords(TrueTypeFont *ttf, NameRecord **nr) continue; } - const sal_uInt8* rec_string = table + nStrBase + nStrOffset; + const sal_uInt8* rec_string = table + nStrBase + nStrOffset; // sanity check - if( rec_string > (sal_uInt8*)ttf->ptr && rec_string < ((sal_uInt8*)ttf->ptr + ttf->fsize - rec[i].slen ) ) + const sal_uInt8* end_table = ttf->ptr + ttf->fsize; + const size_t available_space = rec_string > end_table ? 0 : (end_table - rec_string); + if (rec[i].slen <= available_space) { rec[i].sptr = (sal_uInt8 *) malloc(rec[i].slen); assert(rec[i].sptr != 0); memcpy(rec[i].sptr, rec_string, rec[i].slen); commit 2abcb6cba9b5cd98d76d70418f6222f481fcd878 Author: Caolán McNamara <caol...@redhat.com> Date: Fri Nov 21 10:10:09 2014 +0000 coverity#1209863 rework to explicitly compare cMaxChar Change-Id: I739cf10c5031fd7abeb0c58569d65c03e225f5e4 diff --git a/vcl/source/gdi/impfont.cxx b/vcl/source/gdi/impfont.cxx index d36005a..327b0d7 100644 --- a/vcl/source/gdi/impfont.cxx +++ b/vcl/source/gdi/impfont.cxx 
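Review bot: In GetTTNameRecords the rewritten test checks only the upper bound, and it measures against the end of the whole mapped font (`ttf->ptr + ttf->fsize`) rather than the end of the name table, so a record whose offset points beyond the table but inside the file is still copied. The old condition also required `rec_string > ttf->ptr`; if that lower bound is now considered impossible to violate because the offsets are unsigned, a comment such as `// offsets are unsigned: rec_string cannot precede ttf->ptr` would record the reasoning. The check just above the hunk (only its `continue; }` is visible) may already confine the string to the table; if so, the comment should say that too. In the unchanged lines, `assert(rec[i].sptr != 0)` is the only guard on the `malloc` result, and it disappears in builds with NDEBUG.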
@@ -209,8 +209,12 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult ) const unsigned char* pGlyphIdPtr = pOffsetBase + 2*i + nRangeOffset; const size_t nRemainingSize = pEndValidArea - pGlyphIdPtr; const size_t nMaxPossibleRecords = nRemainingSize/2; - const size_t nRequestedRecords = cMaxChar - cMinChar + 1; - if (nRequestedRecords > nMaxPossibleRecords) { // no sane font should trigger this + if (nMaxPossibleRecords == 0) { // no sane font should trigger this + SAL_WARN("vcl.gdi", "More indexes claimed that space available in font!"); + break; + } + const size_t nMaxLegalChar = cMinChar + nMaxPossibleRecords-1; + if (cMaxChar > nMaxLegalChar) { // no sane font should trigger this SAL_WARN("vcl.gdi", "More indexes claimed that space available in font!"); break; } commit 0674dd36b6a344acc3f22676d8aa09158e17062f Author: Caolán McNamara <caol...@redhat.com> Date: Fri Nov 21 09:49:27 2014 +0000 coverity#1242675 Untrusted value as argument Change-Id: Id1f1ff8de23b041742d2a8286b78312529f6566e diff --git a/package/source/zipapi/ZipFile.cxx b/package/source/zipapi/ZipFile.cxx index bb178f5..f2dc709 100644 --- a/package/source/zipapi/ZipFile.cxx +++ b/package/source/zipapi/ZipFile.cxx @@ -664,6 +664,8 @@ bool ZipFile::readLOC( ZipEntry &rEntry ) const sal_Int64 nBytesAvailable = aGrabber.getLength() - aGrabber.getPosition(); if (nPathLenToRead > nBytesAvailable) nPathLenToRead = nBytesAvailable; + else if (nPathLenToRead < 0) + nPathLenToRead = 0; // read always in UTF8, some tools seem not to set UTF8 bit uno::Sequence<sal_Int8> aNameBuffer(nPathLenToRead); commit af4700d70a807857ecb118c2bd23c023cfe387e7 Author: Caolán McNamara <caol...@redhat.com> Date: Fri Nov 21 09:47:33 2014 +0000 document coverity#983096 Resource leak Change-Id: If5a60dac2329432b30a7b5528e0fca05d4369b1a diff --git a/rsc/source/rscpp/cpp3.c b/rsc/source/rscpp/cpp3.c index f663a9f..1ab8816 100644 --- a/rsc/source/rscpp/cpp3.c +++ b/rsc/source/rscpp/cpp3.c 
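Review bot: In ParseCMAP the new guards only help when `pGlyphIdPtr` is at or before `pEndValidArea`; if `nRangeOffset` places it past the end, the unchanged `pEndValidArea - pGlyphIdPtr` is negative and becomes a very large `size_t`, so `nMaxPossibleRecords` is large and both new tests pass. Unless an earlier check outside the hunk rules that out, add `if (pGlyphIdPtr > pEndValidArea) break;` (with the same warning) before `nRemainingSize` is computed. The two `SAL_WARN` calls also share one message, which reads "that" where "than" is meant, so the log cannot tell which condition fired.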
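Review bot: In ZipFile::readLOC the negative clamp hangs off an `else`, so it is skipped whenever the first branch runs: if `nBytesAvailable` is itself negative, `nPathLenToRead` is set to that negative value and reaches the `uno::Sequence<sal_Int8>` constructor unchanged. Whether `getLength() - getPosition()` can go negative is not visible here, but making the second test independent costs nothing: `if (nPathLenToRead < 0) nPathLenToRead = 0;` as its own statement after the first `if`. The function continues outside the hunk.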
@@ -148,6 +148,7 @@ int AddInclude( char* pIncStr ) *incend++ = pIncPos; pIncPos = strtok( NULL, ";" ); } + /* coverity[leaked_storage] - we know this leaks, but it doesn't matter in this short lived utility */ return( 1 ); } commit b5c51b706850f4fd86f26b17169a272ae02c3da8 Author: Caolán McNamara <caol...@redhat.com> Date: Fri Nov 21 09:40:09 2014 +0000 coverity#1242658 Untrusted loop bound Change-Id: Ib3bb7f28b051c2886b470a77bdc6daf683a03f84 diff --git a/filter/source/graphicfilter/ipict/ipict.cxx b/filter/source/graphicfilter/ipict/ipict.cxx index 852e69b..acef0b7 100644 --- a/filter/source/graphicfilter/ipict/ipict.cxx +++ b/filter/source/graphicfilter/ipict/ipict.cxx @@ -909,6 +909,19 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap &rBitmap, bool bBaseAddr, bool bColo if ( nRowBytes < 2 * nWidth ) BITMAPERROR; + size_t nMinRecordSize; + if ( nRowBytes < 8 || nPackType == 1 ) + nMinRecordSize = sizeof(sal_uInt16); + else if ( nRowBytes > 250 ) + nMinRecordSize = sizeof(sal_uInt16); + else + nMinRecordSize = 1; + + const size_t nMinRowWidth = nWidth * nMinRecordSize; + const size_t nMaxRows = pPict->remainingSize() / nMinRowWidth; + if (nHeight > nMaxRows) + BITMAPERROR; + for ( ny = 0; ny < nHeight; ny++ ) { nx = 0; 
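Review bot: In PictReader::ReadPixMapEtc the new `pPict->remainingSize() / nMinRowWidth` divides by `nWidth * nMinRecordSize`, which is zero when the header gives `nWidth == 0`; the preceding `nRowBytes < 2 * nWidth` test does not exclude that. The second hunk of this commit (the `nCmpCount == 3 || nCmpCount == 4` branch) has the same division and also computes `remainingSize() / nHeight`, which divides by zero for `nHeight == 0` because `nHeight > nMaxRows` is false in that case. Unless both dimensions are validated earlier in the function, outside these hunks, guard first with `if (nWidth == 0 || nHeight == 0) BITMAPERROR;`. The first two branches of the new `if` chain both assign `sizeof(sal_uInt16)` and could be merged into one condition.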
@@ -1031,6 +1044,20 @@ sal_uLong PictReader::ReadPixMapEtc( Bitmap &rBitmap, bool bBaseAddr, bool bColo { if ( ( nCmpCount == 3 ) || ( nCmpCount == 4 ) ) { + size_t nMinRecordSize; + if (nRowBytes > 250) + nMinRecordSize = sizeof(sal_uInt16); + else + nMinRecordSize = 1; + + const size_t nMinRowWidth = nWidth * nMinRecordSize; + const size_t nMaxRows = pPict->remainingSize() / nMinRowWidth; + if (nHeight > nMaxRows) + BITMAPERROR; + const size_t nMaxWidth = pPict->remainingSize() / nHeight; + if (nWidth > nMaxWidth) + BITMAPERROR; + boost::scoped_array<sal_uInt8> pScanline(new sal_uInt8[static_cast<size_t>(nWidth) * nCmpCount]); for ( ny = 0; ny < nHeight; ny++ ) { commit af26bb77d2dd63fd6d5473c234f746b3b38dc3f6 Author: Caolán McNamara <caol...@redhat.com> Date: Fri Nov 21 09:24:11 2014 +0000 coverity#1255388 Division or modulo by float zero and coverity#1255387 Division or modulo by float zero Change-Id: I86c6d5874a7a2c2eecefe7f786edff89ff50ffbf diff --git a/vcl/opengl/gdiimpl.cxx b/vcl/opengl/gdiimpl.cxx index 3929d63..1abc86e 100644 --- a/vcl/opengl/gdiimpl.cxx +++ b/vcl/opengl/gdiimpl.cxx @@ -727,6 +727,9 @@ void OpenGLSalGraphicsImpl::DrawTransformedTexture( const basegfx::B2DPoint& rX, const basegfx::B2DPoint& rY ) { + if (!rTexture.GetWidth() || !rTexture.GetHeight()) + return; + const basegfx::B2DVector aXRel = rX - rNull; const basegfx::B2DVector aYRel = rY - rNull; const float aValues[] = { commit ecc56da366960b642d0a7da1b4a47245243252f8 Author: Caolán McNamara <caol...@redhat.com> Date: Fri Nov 21 09:22:38 2014 +0000 busted loop condition regression from commit 119873328acd70ca3569c21a0b1fe36277e8bf4c Date: Thu Oct 21 15:34:02 2010 -0500 convert vos/process.hxx and related API Change-Id: I36527a4f0109105b9853a79773b4c92f9bc4e902 diff --git a/basic/source/runtime/methods.cxx b/basic/source/runtime/methods.cxx index 662dcc3..f27e771 100644 --- a/basic/source/runtime/methods.cxx +++ b/basic/source/runtime/methods.cxx 
@@ -3716,10 +3716,9 @@ RTLFUNC(Shell) osl_freeProcessHandle( pApp ); } - for(int j = 0; i < nParamCount; i++) + for(int j = 0; j < nParamCount; ++j) { rtl_uString_release(pParamList[j]); - pParamList[j] = NULL; } delete [] pParamList; commit ef076fa1c1aa15d42969c701803564bbc75a0cb0 Author: Caolán McNamara <caol...@redhat.com> Date: Fri Nov 21 09:20:31 2014 +0000 coverity#1255390 Resource leak Change-Id: I3631d6bbcf45986deb1e911fcdb0e6606a0c6d91 diff --git a/basic/source/runtime/methods.cxx b/basic/source/runtime/methods.cxx index c1b6889..662dcc3 100644 --- a/basic/source/runtime/methods.cxx +++ b/basic/source/runtime/methods.cxx @@ -3722,6 +3722,8 @@ RTLFUNC(Shell) pParamList[j] = NULL; } + delete [] pParamList; + if( !bSucc ) { StarBASIC::Error( SbERR_FILE_NOT_FOUND ); commit 4ea173180609df25a765c5a10889fc25863c659f Author: Caolán McNamara <caol...@redhat.com> Date: Fri Nov 21 09:16:50 2014 +0000 coverity#1255389 Dereference null return value Change-Id: I3b2a4e69a1c86d9b9ce9f51d6f321bda9e18f8b5 diff --git a/svtools/qa/unit/GraphicObjectTest.cxx b/svtools/qa/unit/GraphicObjectTest.cxx index 0c96f15..3c4645b 100644 --- a/svtools/qa/unit/GraphicObjectTest.cxx +++ b/svtools/qa/unit/GraphicObjectTest.cxx @@ -168,6 +168,7 @@ void GraphicObjectTest::testSizeBasedAutoSwap() if( aNodes[nIndex]->IsGrfNode() ) { SwGrfNode* pGrfNode = aNodes[nIndex]->GetGrfNode(); + CPPUNIT_ASSERT(pGrfNode); if( !pGrafObj1 ) { pGrafObj1 = &pGrfNode->GetGrfObj(); commit cdf7572996c553348deae7698f9b1170f5a105f2 Author: Caolán McNamara <caol...@redhat.com> Date: Fri Nov 21 09:16:46 2014 +0000 coverity#1209008 Unchecked return value Change-Id: I7204f02253ff970a6b6f25b83268372d914d7f13 diff --git a/sd/inc/sdmod.hxx b/sd/inc/sdmod.hxx index b1b4291..d339c09 100644 --- a/sd/inc/sdmod.hxx +++ b/sd/inc/sdmod.hxx 
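Review bot: In RTLFUNC(Shell) the parameter array is still released by hand, a loop over `pParamList[j]` followed by `delete [] pParamList;`, so any return added between the allocation and this point would bring back the leak that the two methods.cxx commits on this page address. Holding the array in an owning type, for example `boost::scoped_array` as the ipict.cxx hunk on this page does, would remove the explicit `delete []` and leave only the `rtl_uString_release` loop. The allocation and the declaration of `nParamCount` are outside the hunks, so the element type and whether `int j` matches the count's type are not confirmed here.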
@@ -168,7 +168,7 @@ private: This typically is the unmodified request from a execute() function from where this function is called. */ - void OutlineToImpress (SfxRequest& rRequest); + bool OutlineToImpress(SfxRequest& rRequest); /** Add an eventlistener as soon as possible in sd, allows to use remote devices to start the slideshow elegantly, and respecting diff --git a/sd/source/ui/app/sdmod1.cxx b/sd/source/ui/app/sdmod1.cxx index a4aff4d..672ccdd 100644 --- a/sd/source/ui/app/sdmod1.cxx +++ b/sd/source/ui/app/sdmod1.cxx @@ -252,7 +252,7 @@ void SdModule::Execute(SfxRequest& rReq) } } -void SdModule::OutlineToImpress (SfxRequest& rRequest) +bool SdModule::OutlineToImpress(SfxRequest& rRequest) { const SfxItemSet* pSet = rRequest.GetArgs(); @@ -312,7 +312,7 @@ void SdModule::OutlineToImpress (SfxRequest& rRequest) } } - rRequest.IsDone(); + return rRequest.IsDone(); } static bool bOnce = false;
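Review bot: The doc comment above OutlineToImpress in sdmod.hxx is left as it was, so the new `bool` result is undocumented. Add a line such as `@return the value of rRequest.IsDone() once the conversion has been attempted` to the existing comment block, whose start is outside the hunk.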
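Review bot: Returning `rRequest.IsDone()` from SdModule::OutlineToImpress does not by itself make anything check it: the diffstat lists two insertions and two deletions for sdmod1.cxx and both pairs are in these hunks, so the call site (presumably in SdModule::Execute, not shown) still discards the result. Either act on the value there or make the discard explicit, e.g. `(void)OutlineToImpress(rReq);` with a comment saying why the outcome is not needed.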