ooo-build r14508 - in trunk: . patches/dev300 patches/emf+
- From: rodo svn gnome org
- To: svn-commits-list gnome org
- Subject: ooo-build r14508 - in trunk: . patches/dev300 patches/emf+
- Date: Fri, 14 Nov 2008 16:17:12 +0000 (UTC)
Author: rodo
Date: Fri Nov 14 16:17:12 2008
New Revision: 14508
URL: http://svn.gnome.org/viewvc/ooo-build?rev=14508&view=rev
Log:
2008-11-14 Radek Doulik <rodo novell com>
* patches/dev300/apply: added emf+-cppcanvas-input-validation.diff
from Thorsten, with small changes from me. Fixes crash in
cppcanvas/source/mtfrenderer/emfplus.cxx
* patches/dev300/wmf-pattern-brush.diff: Update to fix crash in
svtools/source/filter.vcl/wmf/enhwmf.cxx
Added:
trunk/patches/emf+/emf+-cppcanvas-input-validation.diff
Modified:
trunk/ChangeLog
trunk/patches/dev300/apply
trunk/patches/dev300/wmf-pattern-brush.diff
Modified: trunk/patches/dev300/apply
==============================================================================
--- trunk/patches/dev300/apply (original)
+++ trunk/patches/dev300/apply Fri Nov 14 16:17:12 2008
@@ -2421,6 +2421,7 @@
emf+-use-canvas-only-for-emf+.diff, rodo
emf+-embedded-mf-image.diff, rodo
vcl-pluggable-mtf-renderer.diff, thorsten
+emf+-cppcanvas-input-validation.diff, thorsten
[ LinkWarningDlg ]
linkwarn-dlg-in-apps.diff, n#348149, thorsten
Modified: trunk/patches/dev300/wmf-pattern-brush.diff
==============================================================================
--- trunk/patches/dev300/wmf-pattern-brush.diff (original)
+++ trunk/patches/dev300/wmf-pattern-brush.diff Fri Nov 14 16:17:12 2008
@@ -23,7 +23,7 @@
}
}
break;
-@@ -1152,6 +1153,49 @@ BOOL EnhWMFReader::ReadEnhWMF()
+@@ -1152,6 +1153,54 @@ BOOL EnhWMFReader::ReadEnhWMF()
}
break;
@@ -45,27 +45,32 @@
+ *pWMF >> offBits;
+ *pWMF >> cbBits;
+
-+ if ( offBmi )
++ if ( (cbBits > (SAL_MAX_UINT32 - 14)) || ((SAL_MAX_UINT32 - 14) - cbBits < cbBmi) )
++ bStatus = FALSE;
++ else if ( offBmi )
+ {
+ UINT32 nSize = cbBmi + cbBits + 14;
-+ char* pBuf = new char[ nSize ];
-+
-+ SvMemoryStream aTmp( pBuf, nSize, STREAM_READ | STREAM_WRITE );
-+ aTmp.ObjectOwnsMemory( TRUE );
-+ aTmp << (BYTE)'B'
-+ << (BYTE)'M'
-+ << (UINT32)cbBits
-+ << (UINT16)0
-+ << (UINT16)0
-+ << (UINT32)cbBmi + 14;
-+ pWMF->Seek( nStart + offBmi );
-+ pWMF->Read( pBuf + 14, cbBmi );
-+ pWMF->Seek( nStart + offBits );
-+ pWMF->Read( pBuf + 14 + cbBmi, cbBits );
-+ aTmp.Seek( 0 );
-+ aBitmap.Read( aTmp, TRUE );
++ if ( nSize <= ( nEndPos - nStartPos ) )
++ {
++ char* pBuf = new char[ nSize ];
++
++ SvMemoryStream aTmp( pBuf, nSize, STREAM_READ | STREAM_WRITE );
++ aTmp.ObjectOwnsMemory( TRUE );
++ aTmp << (BYTE)'B'
++ << (BYTE)'M'
++ << (UINT32)cbBits
++ << (UINT16)0
++ << (UINT16)0
++ << (UINT32)cbBmi + 14;
++ pWMF->Seek( nStart + offBmi );
++ pWMF->Read( pBuf + 14, cbBmi );
++ pWMF->Seek( nStart + offBits );
++ pWMF->Read( pBuf + 14 + cbBmi, cbBits );
++ aTmp.Seek( 0 );
++ aBitmap.Read( aTmp, TRUE );
++ }
+ }
-+ }
++ }
+
+ pOut->CreateObject( nIndex, GDI_BRUSH, new WinMtfFillStyle( aBitmap ) );
+ }
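Review bot: Both `pWMF->Read(...)` calls inside the new `nSize <= ( nEndPos - nStartPos )` branch ignore their return value, and `offBmi`/`offBits` are still passed to `Seek` without being checked against the record. A truncated or inconsistent record can therefore leave part of `pBuf` (allocated with `new char[]`, which does not zero it) uninitialized before `aBitmap.Read( aTmp, TRUE )` parses it. The added checks bound only the sum `cbBmi + cbBits + 14`. Consider failing the record on a short read, e.g. `if ( pWMF->Read( pBuf + 14, cbBmi ) != cbBmi ) bStatus = FALSE;`, with the same test on the `cbBits` read, and skipping `aBitmap.Read` in that case. `nStartPos` and `nEndPos` are defined outside this hunk, so it cannot be confirmed here whether they describe the whole stream or only this record.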
Added: trunk/patches/emf+/emf+-cppcanvas-input-validation.diff
==============================================================================
--- (empty file)
+++ trunk/patches/emf+/emf+-cppcanvas-input-validation.diff Fri Nov 14 16:17:12 2008
@@ -0,0 +1,107 @@
+--- cppcanvas/source/mtfrenderer/emfplus.cxx.bak 2008-10-22 18:32:48.000000000 +0200
++++ cppcanvas/source/mtfrenderer/emfplus.cxx 2008-10-22 18:58:35.000000000 +0200
+@@ -96,6 +96,8 @@
+ public:
+ EMFPPath (sal_Int32 _nPoints, bool bLines = false)
+ {
++ if( _nPoints<0 || _nPoints>SAL_MAX_INT32/(2*sizeof(float)) )
++ _nPoints = SAL_MAX_INT32/(2*sizeof(float));
+ nPoints = _nPoints;
+ pPoints = new float [nPoints*2];
+ if (!bLines)
+@@ -238,6 +240,9 @@
+ EMFP_DEBUG (printf ("EMF+\theader: 0x%08x parts: %d\n", header, parts));
+
+ if (parts) {
++ if( parts<0 || parts>SAL_MAX_INT32/sizeof(sal_Int32) )
++ parts = SAL_MAX_INT32/sizeof(sal_Int32);
++
+ combineMode = new sal_Int32 [parts];
+
+ for (int i = 0; i < parts; i ++) {
+@@ -349,6 +354,9 @@
+ s >> surroundColorsNumber;
+ EMFP_DEBUG (printf ("EMF+\tsurround colors: %d\n", surroundColorsNumber));
+
++ if( surroundColorsNumber<0 || surroundColorsNumber>SAL_MAX_INT32/sizeof(::Color) )
++ surroundColorsNumber = SAL_MAX_INT32/sizeof(::Color);
++
+ surroundColors = new ::Color [surroundColorsNumber];
+ for (int i = 0; i < surroundColorsNumber; i++) {
+ s >> color;
+@@ -398,6 +406,8 @@
+ if (additionalFlags & 0x08) {
+ s >> blendPoints;
+ EMFP_DEBUG (printf ("EMF+\tuse blend, points: %d\n", blendPoints));
++ if( blendPoints<0 || blendPoints>SAL_MAX_INT32/(2*sizeof(float)) )
++ blendPoints = SAL_MAX_INT32/(2*sizeof(float));
+ blendPositions = new float [2*blendPoints];
+ blendFactors = blendPositions + blendPoints;
+ for (int i=0; i < blendPoints; i ++) {
+@@ -413,6 +423,10 @@
+ if (additionalFlags & 0x04) {
+ s >> colorblendPoints;
+ EMFP_DEBUG (printf ("EMF+\tuse color blend, points: %d\n", colorblendPoints));
++ if( colorblendPoints<0 || colorblendPoints>SAL_MAX_INT32/sizeof(float) )
++ colorblendPoints = SAL_MAX_INT32/sizeof(float);
++ if( colorblendPoints>SAL_MAX_INT32/sizeof(::Color) )
++ colorblendPoints = SAL_MAX_INT32/sizeof(::Color);
+ colorblendPositions = new float [colorblendPoints];
+ colorblendColors = new ::Color [colorblendPoints];
+ for (int i=0; i < colorblendPoints; i ++) {
+@@ -467,6 +481,8 @@
+ if (additionalFlags & 0x08) {
+ s >> blendPoints;
+ EMFP_DEBUG (printf ("EMF+\tuse blend, points: %d\n", blendPoints));
++ if( blendPoints<0 || blendPoints>SAL_MAX_INT32/(2*sizeof(float)) )
++ blendPoints = SAL_MAX_INT32/(2*sizeof(float));
+ blendPositions = new float [2*blendPoints];
+ blendFactors = blendPositions + blendPoints;
+ for (int i=0; i < blendPoints; i ++) {
+@@ -482,6 +498,10 @@
+ if (additionalFlags & 0x04) {
+ s >> colorblendPoints;
+ EMFP_DEBUG (printf ("EMF+\tuse color blend, points: %d\n", colorblendPoints));
++ if( colorblendPoints<0 || colorblendPoints>SAL_MAX_INT32/sizeof(float) )
++ colorblendPoints = SAL_MAX_INT32/sizeof(float);
++ if( colorblendPoints>SAL_MAX_INT32/sizeof(::Color) )
++ colorblendPoints = SAL_MAX_INT32/sizeof(::Color);
+ colorblendPositions = new float [colorblendPoints];
+ colorblendColors = new ::Color [colorblendPoints];
+ for (int i=0; i < colorblendPoints; i ++) {
+@@ -583,6 +603,8 @@
+
+ if (penFlags & 256) {
+ s >> dashPatternLen;
++ if( dashPatternLen<0 || dashPatternLen>SAL_MAX_INT32/sizeof(float) )
++ dashPatternLen = SAL_MAX_INT32/sizeof(float);
+ dashPattern = new float [dashPatternLen];
+ for (i = 0; i < dashPatternLen; i++)
+ s >> dashPattern [i];
+@@ -596,6 +618,8 @@
+
+ if (penFlags & 1024) {
+ s >> compoundArrayLen;
++ if( compoundArrayLen<0 || compoundArrayLen>SAL_MAX_INT32/sizeof(float) )
++ compoundArrayLen = SAL_MAX_INT32/sizeof(float);
+ compoundArray = new float [compoundArrayLen];
+ for (i = 0; i < compoundArrayLen; i++)
+ s >> compoundArray [i];
+@@ -604,6 +628,8 @@
+
+ if (penFlags & 2048) {
+ s >> customStartCapLen;
++ if( customStartCapLen<0 )
++ customStartCapLen=0;
+ customStartCap = new sal_uInt8 [customStartCapLen];
+ for (i = 0; i < customStartCapLen; i++)
+ s >> customStartCap [i];
+@@ -612,6 +638,8 @@
+
+ if (penFlags & 4096) {
+ s >> customEndCapLen;
++ if( customEndCapLen<0 )
++ customEndCapLen=0;
+ customEndCap = new sal_uInt8 [customEndCapLen];
+ for (i = 0; i < customEndCapLen; i++)
+ s >> customEndCap [i];
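Review bot: The added checks clamp an out-of-range count to `SAL_MAX_INT32/sizeof(T)` instead of rejecting the record, so a file-supplied count can still drive an allocation of up to roughly 2 GB followed by a read loop of the same length. This applies to `_nPoints`, `parts`, `surroundColorsNumber`, `blendPoints`, `colorblendPoints`, `dashPatternLen` and `compoundArrayLen`. `customStartCapLen` and `customEndCapLen` get only the `<0` check and no upper bound at all. It would be safer to compare each count with the bytes left in the record and treat a larger value as empty, e.g. `if( dashPatternLen<0 || dashPatternLen>nRemaining/sizeof(float) ) dashPatternLen = 0;`, where `nRemaining` is a placeholder for a value the patch does not currently compute. The enclosing functions begin and end outside these hunks, so how a failed allocation or a short stream is handled afterwards is not visible here.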