ofz: compare against available data len

Change-Id: I407e104e08aa393d66ed5c6baf5e0b0ab2d361bd Reviewed-on: https://gerrit.libreoffice.org/44688Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: David Tardon <dtardon@redhat.com>

ofz: compare against available data len
Change-Id: I407e104e08aa393d66ed5c6baf5e0b0ab2d361bd Reviewed-on: https://gerrit.libreoffice.org/44688Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: David Tardon <dtardon@redhat.com>
7e357283 · Caolán McNamara · David Tardon · e02f068b · 7e357283
Kaydet (Commit) 7e357283 authored Kas 13, 2017 tarafından Caolán McNamara Kaydeden (comit) David Tardon Kas 20, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 1 deletion

class7.cxx filter/source/graphicfilter/icgm/class7.cxx +17 -1

No files found.
--- a/filter/source/graphicfilter/icgm/class7.cxx
+++ b/filter/source/graphicfilter/icgm/class7.cxx
@@ -30,16 +30,23 @@ void CGM::ImplDoClass7()
        case 0x01 : /*Message */break;
        case 0x02 :
        {
-            sal_uInt8*  pAppData = mpSource + 12;
+            if (mpEndValidSource - mpSource < 12)
+                throw css::uno::Exception("attempt to read past end of input", nullptr);
+
            sal_uInt16* pTemp = reinterpret_cast<sal_uInt16*>(mpSource);
            sal_uInt16 nOpcode = pTemp[ 4 ];

+            sal_uInt8* pAppData = mpSource + 12;
+
            if ( mpChart || ( nOpcode == 0 ) )
            {
                switch ( nOpcode )
                {
                    case 0x000 : /*AppData - Beginning of File Opcodes*/
                    {
+                        if (mpEndValidSource - pAppData < 4)
+                            throw css::uno::Exception("attempt to read past end of input", nullptr);
+
                        if ( mpChart == nullptr )
                            mpChart = new CGMChart;
                        mpChart->mnCurrentFileType = pAppData[ 3 ];
@@ -68,6 +75,9 @@ void CGM::ImplDoClass7()
                    case 0x262 : /*AppData - ENDGROUP */break;
                    case 0x264 : /*AppData - DATANODE*/
                    {
+                        if (static_cast<size_t>(mpEndValidSource - pAppData) < sizeof(DataNode))
+                            throw css::uno::Exception("attempt to read past end of input", nullptr);
+
                        mpChart->mDataNode[ 0 ] = *reinterpret_cast<DataNode*>( pAppData );
                        sal_Int8 nZoneEnum = mpChart->mDataNode[ 0 ].nZoneEnum;
                        if ( nZoneEnum && ( nZoneEnum <= 6 ) )
@@ -76,6 +86,9 @@ void CGM::ImplDoClass7()
                    break;
                    case 0x2BE : /*AppData - SHWSLIDEREC*/
                    {
+                        if (mpEndValidSource - pAppData < 16)
+                            throw css::uno::Exception("attempt to read past end of input", nullptr);
+
                        if ( pAppData[ 16 ] == 0 )      // a blank template ?
                        {
                            if ( pAppData[ 2 ] == 46 )
@@ -101,6 +114,9 @@ void CGM::ImplDoClass7()
                    case 0x2CA : /*AppData - SHWAPP */break;
                    case 0x320 : /*AppData - TEXT*/
                    {
+                        if (mpEndValidSource - pAppData < 9)
+                            throw css::uno::Exception("attempt to read past end of input", nullptr);
+
                        TextEntry* pTextEntry = new TextEntry;
                        pTextEntry->nTypeOfText = *(reinterpret_cast<sal_uInt16*>( pAppData ) );
                        pTextEntry->nRowOrLineNum = *(reinterpret_cast<sal_uInt16*>( pAppData + 2 ) );