check for legal field sizes before reading

Change-Id: I3cdb647e1a057be5bb4b32d119ee5bcbbedf7473

check for legal field sizes before reading
Change-Id: I3cdb647e1a057be5bb4b32d119ee5bcbbedf7473
ad6d83de · Caolán McNamara · 8a7b7b7b · ad6d83de · ad6d83de
Kaydet (Commit) ad6d83de authored Agu 31, 2015 tarafından Caolán McNamara
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 6 deletions

hang-2.met filter/qa/cppunit/data/met/fail/hang-2.met +0 -0

ios2met.cxx filter/source/graphicfilter/ios2met/ios2met.cxx +19 -6

No files found.
--- a/filter/qa/cppunit/data/met/fail/hang-2.met
+++ b/filter/qa/cppunit/data/met/fail/hang-2.met
--- a/filter/source/graphicfilter/ios2met/ios2met.cxx
+++ b/filter/source/graphicfilter/ios2met/ios2met.cxx
@@ -2660,21 +2660,34 @@ void OS2METReader::ReadOS2MET( SvStream & rStreamOS2MET, GDIMetaFile & rGDIMetaF
        pOS2MET->ReadUInt16(nFieldType);
        pOS2MET->SeekRel(3);
-        nPos+=8; nFieldSize-=8;
-        if (pOS2MET->GetError()) break;
+        if (pOS2MET->GetError())
-        if (pOS2MET->IsEof()) {
+            break;
+        if (nFieldType==EndDocumnMagic)
+            break;
+        if (pOS2MET->IsEof() || nFieldSize < 8)
+        {
            pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR);
            ErrorCode=8;
            break;
        }
-        if (nFieldType==EndDocumnMagic) break;
+        nPos+=8; nFieldSize-=8;
+        if (nFieldSize > pOS2MET->remainingSize())
+        {
+            pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR);
+            ErrorCode=8;
+            break;
+        }
        ReadField(nFieldType, nFieldSize);
+        nPos += nFieldSize;
-        nPos+=(sal_uLong)nFieldSize;
+        if (pOS2MET->Tell() > nPos)
-        if (pOS2MET->Tell()>nPos)  {
+        {
            pOS2MET->SetError(SVSTREAM_FILEFORMAT_ERROR);
            ErrorCode=9;
            break;