ooo-build r14428 - in branches/debian-2-4-1: . patches/src680
- From: rengelhard svn gnome org
- To: svn-commits-list gnome org
- Subject: ooo-build r14428 - in branches/debian-2-4-1: . patches/src680
- Date: Wed, 29 Oct 2008 19:49:02 +0000 (UTC)
Author: rengelhard
Date: Wed Oct 29 19:49:01 2008
New Revision: 14428
URL: http://svn.gnome.org/viewvc/ooo-build?rev=14428&view=rev
Log:
2008-10-26 Rene Engelhard <rene debian org>
* patches/dev300/apply,
patches/dev300/cws-sjfixes07.diff: add OOo 2.4.2 security fixes
Added:
branches/debian-2-4-1/patches/src680/cws-sjfixes07.diff
Modified:
branches/debian-2-4-1/ChangeLog
branches/debian-2-4-1/patches/src680/apply
Modified: branches/debian-2-4-1/patches/src680/apply
==============================================================================
--- branches/debian-2-4-1/patches/src680/apply (original)
+++ branches/debian-2-4-1/patches/src680/apply Wed Oct 29 19:49:01 2008
@@ -15,7 +15,7 @@
GStreamer, CWSBackports, WPG, Cleanups, WMF, GnomeVFS, \
Layout, VBABits, VBAObjects, CalcErrors, Store, CJK, GCJ, Lwp, \
OOXML, ImpressFixes, SVGImport, AutoCorrectCapsLock, UnitTesting, \
- PopupRemoval
+ PopupRemoval, Security
LinuxCommon : Common, LayoutDialogs, Defaults, TangoIcons, FontConfigTemporaryHacks, \
FedoraFixes, LinuxOnly, SystemBits, \
@@ -133,6 +133,9 @@
# -------- [ Tag [ >= <tag> etc. ], ] patch sets --------
+[ Security < ooh680-m18 ]
+cws-sjfixes07.diff
+
[ LinuxOnly ]
# Don't stat tons of config files we don't need to read on startup
speed-configmgr.diff, i#56783, michael
Added: branches/debian-2-4-1/patches/src680/cws-sjfixes07.diff
==============================================================================
--- (empty file)
+++ branches/debian-2-4-1/patches/src680/cws-sjfixes07.diff Wed Oct 29 19:49:01 2008
@@ -0,0 +1,504 @@
+Index: source/filter.vcl/wmf/enhwmf.cxx
+===================================================================
+RCS file: /cvs/util/svtools/source/filter.vcl/wmf/enhwmf.cxx,v
+retrieving revision 1.35.130.1
+retrieving revision 1.35.130.1.6.2
+diff -u -r1.35.130.1 -r1.35.130.1.6.2
+--- svtools/source/filter.vcl/wmf/enhwmf.cxx 18 Jan 2008 10:04:18 -0000 1.35.130.1
++++ svtools/source/filter.vcl/wmf/enhwmf.cxx 24 Sep 2008 18:51:05 -0000 1.35.130.1.6.2
+@@ -343,28 +343,34 @@
+ // Anzahl der Polygone:
+ *pWMF >> nPoly >> i;
+
+- // Anzahl der Punkte eines jeden Polygons holen, Gesammtzahl der Punkte ermitteln:
+- pnPoints = new UINT16[ nPoly ];
+-
+- for ( i = 0; i < nPoly; i++ )
++ // taking the amount of points of each polygon, retrieving the total number of points
++ if ( static_cast< sal_uInt32 >(nPoly) < SAL_MAX_UINT32 / sizeof(UINT16) )
+ {
+- *pWMF >> nPoints;
+- pnPoints[ i ] = (UINT16)nPoints;
+- }
++ if ( ( static_cast< sal_uInt32 >( nPoly ) * sizeof(UINT16) ) <= ( nEndPos - pWMF->Tell() ) )
++ {
++ pnPoints = new UINT16[ nPoly ];
+
+- // Polygonpunkte holen:
++ for ( i = 0; i < nPoly; i++ )
++ {
++ *pWMF >> nPoints;
++ pnPoints[ i ] = (UINT16)nPoints;
++ }
+
+- for ( i = 0; i < nPoly; i++ )
+- {
+- Polygon aPoly( pnPoints[ i ] );
+- for( UINT16 k = 0; k < pnPoints[ i ]; k++ )
+- {
+- *pWMF >> nX32 >> nY32;
+- aPoly[ k ] = Point( nX32, nY32 );
++ // Polygonpunkte holen:
++
++ for ( i = 0; ( i < nPoly ) && !pWMF->IsEof(); i++ )
++ {
++ Polygon aPoly( pnPoints[ i ] );
++ for( UINT16 k = 0; k < pnPoints[ i ]; k++ )
++ {
++ *pWMF >> nX32 >> nY32;
++ aPoly[ k ] = Point( nX32, nY32 );
++ }
++ pOut->DrawPolyLine( aPoly, sal_False, bRecordPath );
++ }
++ delete[] pnPoints;
+ }
+- pOut->DrawPolyLine( aPoly, sal_False, bRecordPath );
+ }
+- delete[] pnPoints;
+ }
+ break;
+
+@@ -379,30 +385,35 @@
+ // Anzahl der Polygone:
+ *pWMF >> nPoly >> nGesPoints;
+
+- if (nGesPoints < SAL_MAX_UINT32 / sizeof(Point))
++ if ( ( nGesPoints < SAL_MAX_UINT32 / sizeof(Point) ) && ( nPoly < SAL_MAX_UINT32 / sizeof(UINT16) ) )
+ {
+-
+- // Anzahl der Punkte eines jeden Polygons holen, Gesammtzahl der Punkte ermitteln:
+- pnPoints = new UINT16[ nPoly ];
+-
+- for ( i = 0; i < nPoly; i++ )
+- {
+- *pWMF >> nPoints;
+- pnPoints[ i ] = (UINT16)nPoints;
+- }
+- // Polygonpunkte holen:
+- pPtAry = (Point*) new char[ nGesPoints * sizeof(Point) ];
+-
+- for ( i = 0; i < nGesPoints; i++ )
++ if ( ( nPoly * sizeof(UINT16) ) <= ( nEndPos - pWMF->Tell() ) )
+ {
+- *pWMF >> nX32 >> nY32;
+- pPtAry[ i ] = Point( nX32, nY32 );
++ pnPoints = new UINT16[ nPoly ];
++
++ for ( i = 0; i < nPoly; i++ )
++ {
++ *pWMF >> nPoints;
++ pnPoints[ i ] = (UINT16)nPoints;
++ }
++
++ if ( ( nGesPoints * sizeof(Point) ) <= ( nEndPos - pWMF->Tell() ) )
++ {
++ // Polygonpunkte holen:
++ pPtAry = (Point*) new char[ nGesPoints * sizeof(Point) ];
++
++ for ( i = 0; i < nGesPoints; i++ )
++ {
++ *pWMF >> nX32 >> nY32;
++ pPtAry[ i ] = Point( nX32, nY32 );
++ }
++ // PolyPolygon Actions erzeugen
++ PolyPolygon aPolyPoly( (UINT16)nPoly, pnPoints, pPtAry );
++ pOut->DrawPolyPolygon( aPolyPoly, bRecordPath );
++ delete[] (char*) pPtAry;
++ }
++ delete[] pnPoints;
+ }
+- // PolyPolygon Actions erzeugen
+- PolyPolygon aPolyPoly( (UINT16)nPoly, pnPoints, pPtAry );
+- pOut->DrawPolyPolygon( aPolyPoly, bRecordPath );
+- delete[] (char*) pPtAry;
+- delete[] pnPoints;
+ }
+ }
+ break;
+@@ -839,32 +850,35 @@
+ else
+ {
+ UINT32 nSize = cbBmiSrc + cbBitsSrc + 14;
+- char* pBuf = new char[ nSize ];
+- SvMemoryStream aTmp( pBuf, nSize, STREAM_READ | STREAM_WRITE );
+- aTmp.ObjectOwnsMemory( TRUE );
+- aTmp << (BYTE)'B'
+- << (BYTE)'M'
+- << (UINT32)cbBitsSrc
+- << (UINT16)0
+- << (UINT16)0
+- << (UINT32)cbBmiSrc + 14;
+- pWMF->Seek( nStart + offBmiSrc );
+- pWMF->Read( pBuf + 14, cbBmiSrc );
+- pWMF->Seek( nStart + offBitsSrc );
+- pWMF->Read( pBuf + 14 + cbBmiSrc, cbBitsSrc );
+- aTmp.Seek( 0 );
+- aBitmap.Read( aTmp, TRUE );
+-
+- // test if it is sensible to crop
+- if ( ( cxSrc > 0 ) && ( cySrc > 0 ) &&
+- ( xSrc >= 0 ) && ( ySrc >= 0 ) &&
+- ( xSrc + cxSrc <= aBitmap.GetSizePixel().Width() ) &&
+- ( ySrc + cySrc <= aBitmap.GetSizePixel().Height() ) )
++ if ( nSize <= ( nEndPos - nStartPos ) )
+ {
+- Rectangle aCropRect( Point( xSrc, ySrc ), Size( cxSrc, cySrc ) );
+- aBitmap.Crop( aCropRect );
++ char* pBuf = new char[ nSize ];
++ SvMemoryStream aTmp( pBuf, nSize, STREAM_READ | STREAM_WRITE );
++ aTmp.ObjectOwnsMemory( TRUE );
++ aTmp << (BYTE)'B'
++ << (BYTE)'M'
++ << (UINT32)cbBitsSrc
++ << (UINT16)0
++ << (UINT16)0
++ << (UINT32)cbBmiSrc + 14;
++ pWMF->Seek( nStart + offBmiSrc );
++ pWMF->Read( pBuf + 14, cbBmiSrc );
++ pWMF->Seek( nStart + offBitsSrc );
++ pWMF->Read( pBuf + 14 + cbBmiSrc, cbBitsSrc );
++ aTmp.Seek( 0 );
++ aBitmap.Read( aTmp, TRUE );
++
++ // test if it is sensible to crop
++ if ( ( cxSrc > 0 ) && ( cySrc > 0 ) &&
++ ( xSrc >= 0 ) && ( ySrc >= 0 ) &&
++ ( xSrc + cxSrc <= aBitmap.GetSizePixel().Width() ) &&
++ ( ySrc + cySrc <= aBitmap.GetSizePixel().Height() ) )
++ {
++ Rectangle aCropRect( Point( xSrc, ySrc ), Size( cxSrc, cySrc ) );
++ aBitmap.Crop( aCropRect );
++ }
++ aBmpSaveList.Insert( new BSaveStruct( aBitmap, aRect, dwRop ), LIST_APPEND );
+ }
+- aBmpSaveList.Insert( new BSaveStruct( aBitmap, aRect, dwRop ), LIST_APPEND );
+ }
+ }
+ break;
+@@ -890,32 +904,35 @@
+ else
+ {
+ UINT32 nSize = cbBmiSrc + cbBitsSrc + 14;
+- char* pBuf = new char[ nSize ];
+- SvMemoryStream aTmp( pBuf, nSize, STREAM_READ | STREAM_WRITE );
+- aTmp.ObjectOwnsMemory( TRUE );
+- aTmp << (BYTE)'B'
+- << (BYTE)'M'
+- << (UINT32)cbBitsSrc
+- << (UINT16)0
+- << (UINT16)0
+- << (UINT32)cbBmiSrc + 14;
+- pWMF->Seek( nStart + offBmiSrc );
+- pWMF->Read( pBuf + 14, cbBmiSrc );
+- pWMF->Seek( nStart + offBitsSrc );
+- pWMF->Read( pBuf + 14 + cbBmiSrc, cbBitsSrc );
+- aTmp.Seek( 0 );
+- aBitmap.Read( aTmp, TRUE );
+-
+- // test if it is sensible to crop
+- if ( ( cxSrc > 0 ) && ( cySrc > 0 ) &&
+- ( xSrc >= 0 ) && ( ySrc >= 0 ) &&
+- ( xSrc + cxSrc <= aBitmap.GetSizePixel().Width() ) &&
+- ( ySrc + cySrc <= aBitmap.GetSizePixel().Height() ) )
++ if ( nSize <= ( nEndPos - nStartPos ) )
+ {
+- Rectangle aCropRect( Point( xSrc, ySrc ), Size( cxSrc, cySrc ) );
+- aBitmap.Crop( aCropRect );
++ char* pBuf = new char[ nSize ];
++ SvMemoryStream aTmp( pBuf, nSize, STREAM_READ | STREAM_WRITE );
++ aTmp.ObjectOwnsMemory( TRUE );
++ aTmp << (BYTE)'B'
++ << (BYTE)'M'
++ << (UINT32)cbBitsSrc
++ << (UINT16)0
++ << (UINT16)0
++ << (UINT32)cbBmiSrc + 14;
++ pWMF->Seek( nStart + offBmiSrc );
++ pWMF->Read( pBuf + 14, cbBmiSrc );
++ pWMF->Seek( nStart + offBitsSrc );
++ pWMF->Read( pBuf + 14 + cbBmiSrc, cbBitsSrc );
++ aTmp.Seek( 0 );
++ aBitmap.Read( aTmp, TRUE );
++
++ // test if it is sensible to crop
++ if ( ( cxSrc > 0 ) && ( cySrc > 0 ) &&
++ ( xSrc >= 0 ) && ( ySrc >= 0 ) &&
++ ( xSrc + cxSrc <= aBitmap.GetSizePixel().Width() ) &&
++ ( ySrc + cySrc <= aBitmap.GetSizePixel().Height() ) )
++ {
++ Rectangle aCropRect( Point( xSrc, ySrc ), Size( cxSrc, cySrc ) );
++ aBitmap.Crop( aCropRect );
++ }
++ aBmpSaveList.Insert( new BSaveStruct( aBitmap, aRect, dwRop ), LIST_APPEND );
+ }
+- aBmpSaveList.Insert( new BSaveStruct( aBitmap, aRect, dwRop ), LIST_APPEND );
+ }
+ }
+ break;
+@@ -967,55 +984,64 @@
+ DBG_ASSERT( ( nOptions & ( ETO_PDY | ETO_GLYPH_INDEX ) ) == 0, "SJ: ETO_PDY || ETO_GLYPH_INDEX in EMF" );
+
+ Point aPos( ptlReferenceX, ptlReferenceY );
+- if ( nLen )
++ if ( nLen && ( nLen < SAL_MAX_UINT32 / sizeof(sal_Int32) ) )
+ {
+ if ( offDx && (( nCurPos + offDx + nLen * 4 ) <= nNextPos ) )
+ {
+ pWMF->Seek( nCurPos + offDx );
+- pDX = new sal_Int32[ nLen ];
+- sal_uInt32 i;
+- for ( i = 0; i < nLen; i++ )
+- *pWMF >> pDX[ i ];
++ if ( ( nLen * sizeof(sal_uInt32) ) <= ( nEndPos - pWMF->Tell() ) )
++ {
++ pDX = new sal_Int32[ nLen ];
++ sal_uInt32 i;
++ for ( i = 0; i < nLen; i++ )
++ *pWMF >> pDX[ i ];
++ }
+ }
+ pWMF->Seek( nCurPos + nOffString );
+ String aText;
+ if ( bFlag )
+ {
+- sal_Char* pBuf = new sal_Char[ nLen ];
+- pWMF->Read( pBuf, nLen );
+- aText = String( pBuf, (sal_uInt16)nLen, pOut->GetCharSet() );
+- delete[] pBuf;
+-
+- if ( aText.Len() != nLen )
++ if ( nLen <= ( nEndPos - pWMF->Tell() ) )
+ {
+- sal_uInt16 i, j, k;
+- sal_Int32* pOldDx = pDX;
+- pDX = new sal_Int32[ aText.Len() ];
+- for ( i = 0, j = 0; i < aText.Len(); i++ )
++ sal_Char* pBuf = new sal_Char[ nLen ];
++ pWMF->Read( pBuf, nLen );
++ aText = String( pBuf, (sal_uInt16)nLen, pOut->GetCharSet() );
++ delete[] pBuf;
++
++ if ( aText.Len() != nLen )
+ {
+- ByteString aCharacter( aText.GetChar( i ), pOut->GetCharSet() );
+- pDX[ i ] = 0;
+- for ( k = 0; ( k < aCharacter.Len() ) && ( j < nLen ) && ( i < aText.Len() ); k++ )
+- pDX[ i ] += pOldDx[ j++ ];
++ sal_uInt16 i, j, k;
++ sal_Int32* pOldDx = pDX;
++ pDX = new sal_Int32[ aText.Len() ];
++ for ( i = 0, j = 0; i < aText.Len(); i++ )
++ {
++ ByteString aCharacter( aText.GetChar( i ), pOut->GetCharSet() );
++ pDX[ i ] = 0;
++ for ( k = 0; ( k < aCharacter.Len() ) && ( j < nLen ) && ( i < aText.Len() ); k++ )
++ pDX[ i ] += pOldDx[ j++ ];
++ }
++ delete[] pOldDx;
+ }
+- delete[] pOldDx;
+ }
+ }
+ else
+ {
+- sal_Unicode* pBuf = new sal_Unicode[ nLen ];
+- pWMF->Read( pBuf, nLen << 1 );
+-#ifdef OSL_BIGENDIAN
+- sal_Char nTmp, *pTmp = (sal_Char*)( pBuf + nLen );
+- while ( pTmp-- != (sal_Char*)pBuf )
++ if ( ( nLen * sizeof(sal_Unicode) ) <= ( nEndPos - pWMF->Tell() ) )
+ {
+- nTmp = *pTmp--;
+- pTmp[ 1 ] = *pTmp;
+- *pTmp = nTmp;
+- }
++ sal_Unicode* pBuf = new sal_Unicode[ nLen ];
++ pWMF->Read( pBuf, nLen << 1 );
++#ifdef OSL_BIGENDIAN
++ sal_Char nTmp, *pTmp = (sal_Char*)( pBuf + nLen );
++ while ( pTmp-- != (sal_Char*)pBuf )
++ {
++ nTmp = *pTmp--;
++ pTmp[ 1 ] = *pTmp;
++ *pTmp = nTmp;
++ }
+ #endif
+- aText = String( pBuf, (xub_StrLen)nLen );
+- delete[] pBuf;
++ aText = String( pBuf, (xub_StrLen)nLen );
++ delete[] pBuf;
++ }
+ }
+ pOut->DrawText( aPos, aText, pDX, bRecordPath, nGfxMode );
+ }
+@@ -1090,25 +1116,32 @@
+ pWMF->SeekRel( 0x10 );
+ // Anzahl der Polygone:
+ *pWMF >> nPoly >> nGesPoints;
+- // Anzahl der Punkte eines jeden Polygons holen, Gesammtzahl der Punkte ermitteln:
+- pnPoints = new UINT16[ nPoly ];
+- for ( i = 0; i < nPoly; i++ )
+- {
+- *pWMF >> nPoints;
+- pnPoints[ i ] = (UINT16)nPoints;
+- }
+- // Polygonpunkte holen:
+- for ( i = 0; i < nPoly; i++ )
++
++ // taking the amount of points of each polygon, retrieving the total number of points
++ if ( static_cast< sal_uInt32 >(nPoly) < SAL_MAX_UINT32 / sizeof(UINT16) )
+ {
+- Polygon aPolygon( pnPoints[ i ] );
+- for ( UINT16 k = 0; k < pnPoints[ i ]; k++ )
++ if ( ( static_cast< sal_uInt32 >( nPoly ) * sizeof(UINT16) ) <= ( nEndPos - pWMF->Tell() ) )
+ {
+- *pWMF >> nX16 >> nY16;
+- aPolygon[ k ] = Point( nX16, nY16 );
++ pnPoints = new UINT16[ nPoly ];
++ for ( i = 0; i < nPoly; i++ )
++ {
++ *pWMF >> nPoints;
++ pnPoints[ i ] = (UINT16)nPoints;
++ }
++ // Polygonpunkte holen:
++ for ( i = 0; ( i < nPoly ) && !pWMF->IsEof(); i++ )
++ {
++ Polygon aPolygon( pnPoints[ i ] );
++ for ( UINT16 k = 0; k < pnPoints[ i ]; k++ )
++ {
++ *pWMF >> nX16 >> nY16;
++ aPolygon[ k ] = Point( nX16, nY16 );
++ }
++ pOut->DrawPolyLine( aPolygon, sal_False, bRecordPath );
++ }
++ delete[] pnPoints;
+ }
+- pOut->DrawPolyLine( aPolygon, sal_False, bRecordPath );
+ }
+- delete[] pnPoints;
+ }
+ break;
+
+@@ -1121,28 +1154,33 @@
+ pWMF->SeekRel( 0x10 );
+ // Anzahl der Polygone:
+ *pWMF >> nPoly >> nGesPoints;
+- if (nGesPoints < SAL_MAX_UINT32 / sizeof(Point))
++ if ( ( nGesPoints < SAL_MAX_UINT32 / sizeof(Point) ) && ( nPoly < SAL_MAX_UINT32 / sizeof(UINT16) ) )
+ {
+- // Anzahl der Punkte eines jeden Polygons holen, Gesammtzahl der Punkte ermitteln:
+- pnPoints = new UINT16[ nPoly ];
+- for ( i = 0; i < nPoly; i++ )
++ if ( ( static_cast< sal_uInt32 >( nPoly ) * sizeof( UINT16 ) ) <= ( nEndPos - pWMF->Tell() ) )
+ {
+- *pWMF >> nPoints;
+- pnPoints[ i ] = (UINT16)nPoints;
+- }
+- // Polygonpunkte holen:
+- pPtAry = (Point*) new char[ nGesPoints * sizeof(Point) ];
+- for ( i = 0; i < nGesPoints; i++ )
+- {
+- *pWMF >> nX16 >> nY16;
+- pPtAry[ i ] = Point( nX16, nY16 );
++ pnPoints = new UINT16[ nPoly ];
++ for ( i = 0; i < nPoly; i++ )
++ {
++ *pWMF >> nPoints;
++ pnPoints[ i ] = (UINT16)nPoints;
++ }
++ if ( ( nGesPoints * sizeof(Point) ) <= ( nEndPos - pWMF->Tell() ) )
++ {
++ // Polygonpunkte holen:
++ pPtAry = (Point*) new char[ nGesPoints * sizeof(Point) ];
++ for ( i = 0; i < nGesPoints; i++ )
++ {
++ *pWMF >> nX16 >> nY16;
++ pPtAry[ i ] = Point( nX16, nY16 );
++ }
++
++ // PolyPolygon Actions erzeugen
++ PolyPolygon aPolyPoly( (UINT16)nPoly, pnPoints, pPtAry );
++ pOut->DrawPolyPolygon( aPolyPoly, bRecordPath );
++ delete[] (char*) pPtAry;
++ }
++ delete[] pnPoints;
+ }
+-
+- // PolyPolygon Actions erzeugen
+- PolyPolygon aPolyPoly( (UINT16)nPoly, pnPoints, pPtAry );
+- pOut->DrawPolyPolygon( aPolyPoly, bRecordPath );
+- delete[] (char*) pPtAry;
+- delete[] pnPoints;
+ }
+ }
+ break;
+@@ -1273,6 +1311,13 @@
+ *pWMF >> nUINT32; // nVersion
+ *pWMF >> nEndPos; // size of metafile
+ nEndPos += nStartPos;
++
++ sal_uInt32 nStrmPos = pWMF->Tell(); // checking if nEndPos is valid
++ pWMF->Seek( STREAM_SEEK_TO_END );
++ if ( pWMF->Tell() < nEndPos )
++ nEndPos = pWMF->Tell();
++ pWMF->Seek( nStrmPos );
++
+ *pWMF >> nRecordCount;
+
+ if ( !nRecordCount )
+Index: source/filter.vcl/wmf/winwmf.cxx
+===================================================================
+RCS file: /cvs/util/svtools/source/filter.vcl/wmf/winwmf.cxx,v
+retrieving revision 1.35
+retrieving revision 1.35.6.1
+diff -u -r1.35 -r1.35.6.1
+--- svtools/source/filter.vcl/wmf/winwmf.cxx 3 Aug 2007 12:28:27 -0000 1.35
++++ svtools/source/filter.vcl/wmf/winwmf.cxx 17 Sep 2008 10:29:36 -0000 1.35.6.1
+@@ -827,6 +827,16 @@
+
+ case W_META_ESCAPE :
+ {
++ // nRecSize has been checked previously to be greater than 3
++ sal_uInt64 nMetaRecSize = static_cast< sal_uInt64 >( nRecSize - 2 ) * 2;
++ sal_uInt64 nMetaRecEndPos = pWMF->Tell() + nMetaRecSize;
++
++ // taking care that nRecSize does not exceed the maximal stream position
++ if ( nMetaRecEndPos > nEndPos )
++ {
++ pWMF->SetError( SVSTREAM_FILEFORMAT_ERROR );
++ break;
++ }
+ if ( nRecSize >= 12 ) // minimal escape lenght
+ {
+ sal_uInt16 nMode, nLen, OO;
+@@ -849,7 +859,13 @@
+ sal_uInt32 nCheckSum = rtl_crc32( 0, &nEsc, 4 );
+ #endif
+ sal_Int8* pData = NULL;
+- if ( nEscLen )
++
++ if ( ( static_cast< sal_uInt64 >( nEscLen ) + pWMF->Tell() ) > nMetaRecEndPos )
++ {
++ pWMF->SetError( SVSTREAM_FILEFORMAT_ERROR );
++ break;
++ }
++ if ( nEscLen > 0 )
+ {
+ pData = new sal_Int8[ nEscLen ];
+ pWMF->Read( pData, nEscLen );
+@@ -874,12 +890,14 @@
+ >> aPt.Y()
+ >> nStringLen;
+
+- if (nStringLen < STRING_MAXLEN)
++ if ( ( static_cast< sal_uInt64 >( nStringLen ) * sizeof( sal_Unicode ) ) < ( nEscLen - aMemoryStream.Tell() ) )
+ {
+ sal_Unicode* pBuf = aString.AllocBuffer( (xub_StrLen)nStringLen );
+ for ( i = 0; i < nStringLen; i++ )
+ aMemoryStream >> pBuf[ i ];
+ aMemoryStream >> nDXCount;
++ if ( ( static_cast< sal_uInt64 >( nDXCount ) * sizeof( sal_Int32 ) ) >= ( nEscLen - aMemoryStream.Tell() ) )
++ nDXCount = 0;
+ if ( nDXCount )
+ pDXAry = new sal_Int32[ nDXCount ];
+ for ( i = 0; i < nDXCount; i++ )
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
