Kaydet (Commit) 5cfbc855 authored tarafından Caolán McNamara's avatar Caolán McNamara

ofz#4318 Integer-overflow

Change-Id: I7ad1f39d82e44e4fa8dd78700b25deea0c19c81a
Reviewed-on: https://gerrit.libreoffice.org/44913Tested-by: 's avatarJenkins <ci@libreoffice.org>
Reviewed-by: 's avatarCaolán McNamara <caolanm@redhat.com>
Tested-by: 's avatarCaolán McNamara <caolanm@redhat.com>
üst 0f0049d7
...@@ -1259,12 +1259,15 @@ namespace emfio ...@@ -1259,12 +1259,15 @@ namespace emfio
mpInputStream->ReadUInt32( BkColorSrc ).ReadUInt32( iUsageSrc ).ReadUInt32( offBmiSrc ).ReadUInt32( cbBmiSrc ) mpInputStream->ReadUInt32( BkColorSrc ).ReadUInt32( iUsageSrc ).ReadUInt32( offBmiSrc ).ReadUInt32( cbBmiSrc )
.ReadUInt32( offBitsSrc ).ReadUInt32( cbBitsSrc ).ReadInt32( cxSrc ).ReadInt32( cySrc ) ; .ReadUInt32( offBitsSrc ).ReadUInt32( cbBitsSrc ).ReadInt32( cxSrc ).ReadInt32( cySrc ) ;
tools::Rectangle aRect( Point( xDest, yDest ), Size( cxDest+1, cyDest+1 ) ); if ( (cbBitsSrc > (SAL_MAX_UINT32 - 14)) || ((SAL_MAX_UINT32 - 14) - cbBitsSrc < cbBmiSrc) ||
cxDest == SAL_MAX_INT32 || cyDest == SAL_MAX_INT32 )
if ( (cbBitsSrc > (SAL_MAX_UINT32 - 14)) || ((SAL_MAX_UINT32 - 14) - cbBitsSrc < cbBmiSrc) ) {
bStatus = false; bStatus = false;
}
else else
{ {
tools::Rectangle aRect(Point(xDest, yDest), Size(cxDest + 1, cyDest + 1));
const sal_uInt32 nSourceSize = cbBmiSrc + cbBitsSrc + 14; const sal_uInt32 nSourceSize = cbBmiSrc + cbBitsSrc + 14;
bool bSafeRead = nSourceSize <= (mnEndPos - mnStartPos); bool bSafeRead = nSourceSize <= (mnEndPos - mnStartPos);
sal_uInt32 nDeltaToDIB5HeaderSize(0); sal_uInt32 nDeltaToDIB5HeaderSize(0);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment