From 94ffb720b889c51665ebb789d84aee3b3bacb456 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
Date: Fri, 27 Jan 2017 10:48:56 +0000
Subject: [PATCH] ofz: tidy up eps preview import
a) check that the remaining stream length is >= the 14 bytes that are unconditionally skipped
b) make the initial security count the min of the arbitrary 100 and the remaining stream len less that 14 bytes
c) tweak ImplGetNumber not to reduce nSecurityCount if its already 0
Change-Id: Ifffa6d02d492affd578fb48007704457ad635b39
---
 filter/source/graphicfilter/ieps/ieps.cxx | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/filter/source/graphicfilter/ieps/ieps.cxx b/filter/source/graphicfilter/ieps/ieps.cxx
index 989bc4392a98..33a4ac9fa71d 100644
--- a/filter/source/graphicfilter/ieps/ieps.cxx
+++ b/filter/source/graphicfilter/ieps/ieps.cxx
@@ -74,8 +74,11 @@ static long ImplGetNumber(sal_uInt8* &rBuf, sal_uInt32& nSecurityCount)
 bool bValid = true;
 bool bNegative = false;
 long nRetValue = 0;
- while ( ( --nSecurityCount ) && ( ( *rBuf == ' ' ) || ( *rBuf == 0x9 ) ) )
- rBuf++;
+ while (nSecurityCount && (*rBuf == ' ' || *rBuf == 0x9))
+ {
+ ++rBuf;
+ --nSecurityCount;
+ }
 while ( nSecurityCount && ( *rBuf != ' ' ) && ( *rBuf != 0x9 ) && ( *rBuf != 0xd ) && ( *rBuf != 0xa ) )
 {
 switch ( *rBuf )
@@ -708,12 +711,13 @@ ipsGraphicImport( SvStream & rStream, Graphic & rGraphic, FilterConfigItem* )
 }
 sal_uInt8* pDest = ImplSearchEntry( pBuf.get(), reinterpret_cast("%%BoundingBox:"), nBytesRead, 14 );
- if ( pDest )
+ sal_uInt32 nRemainingBytes = pDest ? (nBytesRead - (pDest - pBuf.get())) : 0;
+ if (nRemainingBytes >= 14)
 {
- nSecurityCount = 100;
+ pDest += 14;
+ nSecurityCount = std::min(nRemainingBytes - 14, 100);
 long nNumb[4];
 nNumb[0] = nNumb[1] = nNumb[2] = nNumb[3] = 0;
- pDest += 14;
 for ( int i = 0; ( i < 4 ) && nSecurityCount; i++ )
 {
 nNumb[ i ] = ImplGetNumber(pDest, nSecurityCount);
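Review bot: ImplGetNumber still takes no end pointer, so in the rewritten whitespace-skipping loop the only thing keeping `*rBuf` inside the buffer is the caller passing an nSecurityCount no larger than the bytes readable at rBuf, and that contract is not written down in the hunk. I would add a comment above the loop such as `// nSecurityCount must not exceed the bytes readable at rBuf; every byte consumed decrements it`. The body of the second `while` lies outside the hunk, so it cannot be confirmed from here that it also decrements the count once per byte it advances; that is worth checking against the same contract.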
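Review bot: The literal 14 now appears four times in the ipsGraphicImport hunk (the length passed to ImplSearchEntry, the `>= 14` guard, `pDest += 14` and the `- 14` in the security count), and the new bounds check is only correct while all four match the length of the "%%BoundingBox:" tag. A single named constant, for example `constexpr sal_uInt32 nBBoxTagLen = 14;`, used in all four places would keep the guard and the skip from drifting apart. Separately, `nBytesRead - (pDest - pBuf.get())` mixes a signed pointer difference with the byte count and narrows into sal_uInt32 implicitly; nBytesRead's type is not visible here, but a `static_cast<sal_uInt32>(pDest - pBuf.get())` would make the intended width explicit. The enclosing function starts and ends outside the hunk.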