mir/libreoffice
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ofz: more check bounds on read

Browse Source 
Change-Id: I92b10aeab34cb6a78deff1d4b54545c8f506113c
This commit is contained in:
Caolán McNamara
2017-04-02 12:03:38 +01:00
parent d9dc5dcd39
commit af45b3d48e
3 changed files with 14 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
filter/source/graphicfilter/icgm/cgm.cxx
View File

@@ -99,7 +99,7 @@ sal_uInt32 CGM::GetBackGroundColor()
sal_uInt32 CGM::ImplGetUI16( sal_uInt32 /*nAlign*/ ) sal_uInt32 CGM::ImplGetUI16( sal_uInt32 /*nAlign*/ )
{ {
sal_uInt8* pSource = mpSource + mnParaSize; sal_uInt8* pSource = mpSource + mnParaSize;
if (pSource + 2 > mpEndValidSource) if (mpEndValidSource - pSource < 2)
throw css::uno::Exception("attempt to read past end of input", nullptr); throw css::uno::Exception("attempt to read past end of input", nullptr);
mnParaSize += 2; mnParaSize += 2;
return ( pSource[ 0 ] << 8 ) + pSource[ 1 ]; return ( pSource[ 0 ] << 8 ) + pSource[ 1 ];
@@ -113,7 +113,7 @@ sal_uInt8 CGM::ImplGetByte( sal_uInt32 nSource, sal_uInt32 nPrecision )
sal_Int32 CGM::ImplGetI( sal_uInt32 nPrecision ) sal_Int32 CGM::ImplGetI( sal_uInt32 nPrecision )
{ {
sal_uInt8* pSource = mpSource + mnParaSize; sal_uInt8* pSource = mpSource + mnParaSize;
if (pSource + nPrecision > mpEndValidSource) if (mpEndValidSource - pSource < nPrecision)
throw css::uno::Exception("attempt to read past end of input", nullptr); throw css::uno::Exception("attempt to read past end of input", nullptr);
mnParaSize += nPrecision; mnParaSize += nPrecision;
switch( nPrecision ) switch( nPrecision )
@@ -145,7 +145,7 @@ sal_Int32 CGM::ImplGetI( sal_uInt32 nPrecision )
sal_uInt32 CGM::ImplGetUI( sal_uInt32 nPrecision ) sal_uInt32 CGM::ImplGetUI( sal_uInt32 nPrecision )
{ {
sal_uInt8* pSource = mpSource + mnParaSize; sal_uInt8* pSource = mpSource + mnParaSize;
if (pSource + nPrecision > mpEndValidSource) if (mpEndValidSource - pSource < nPrecision)
throw css::uno::Exception("attempt to read past end of input", nullptr); throw css::uno::Exception("attempt to read past end of input", nullptr);
mnParaSize += nPrecision; mnParaSize += nPrecision;
switch( nPrecision ) switch( nPrecision )
@@ -200,7 +200,7 @@ double CGM::ImplGetFloat( RealPrecision eRealPrecision, sal_uInt32 nRealSize )
const bool bCompatible = false; const bool bCompatible = false;
#endif #endif
if (mpSource + mnParaSize + nRealSize > mpEndValidSource) if (mpEndValidSource - (mpSource + mnParaSize) < nRealSize)
throw css::uno::Exception("attempt to read past end of input", nullptr); throw css::uno::Exception("attempt to read past end of input", nullptr);
if ( bCompatible ) if ( bCompatible )

13
filter/source/graphicfilter/icgm/class1.cxx
View File

@@ -176,8 +176,11 @@ void CGM::ImplDoClass1()
{ {
while ( mnParaSize < mnElementSize ) while ( mnParaSize < mnElementSize )
{ {
sal_uInt32 nSize; sal_uInt32 nSize = ImplGetUI(1);
nSize = ImplGetUI( 1 );
if (mpEndValidSource - (mpSource + mnParaSize) < nSize)
throw css::uno::Exception("attempt to read past end of input", nullptr);
pElement->aFontList.InsertName( mpSource + mnParaSize, nSize ); pElement->aFontList.InsertName( mpSource + mnParaSize, nSize );
mnParaSize += nSize; mnParaSize += nSize;
} }
@@ -187,10 +190,8 @@ void CGM::ImplDoClass1()
{ {
while ( mnParaSize < mnElementSize ) while ( mnParaSize < mnElementSize )
{ {
sal_uInt32 nCharSetType; sal_uInt32 nCharSetType = ImplGetUI16();
sal_uInt32 nSize; sal_uInt32 nSize = ImplGetUI(1);
nCharSetType = ImplGetUI16();
nSize = ImplGetUI( 1 );
pElement->aFontList.InsertCharSet( (CharSetType)nCharSetType, mpSource + mnParaSize, nSize ); pElement->aFontList.InsertCharSet( (CharSetType)nCharSetType, mpSource + mnParaSize, nSize );
mnParaSize += nSize; mnParaSize += nSize;
} }

6
filter/source/graphicfilter/icgm/class4.cxx
View File

@@ -186,7 +186,7 @@ void CGM::ImplDoClass4()
sal_uInt32 nType = ImplGetUI16( 4 ); sal_uInt32 nType = ImplGetUI16( 4 );
sal_uInt32 nSize = ImplGetUI( 1 ); sal_uInt32 nSize = ImplGetUI( 1 );
if (mpSource + mnParaSize + nSize > mpEndValidSource) if (mpEndValidSource - (mpSource + mnParaSize) < nSize)
throw css::uno::Exception("attempt to read past end of input", nullptr); throw css::uno::Exception("attempt to read past end of input", nullptr);
mpSource[mnParaSize + nSize] = 0; mpSource[mnParaSize + nSize] = 0;
@@ -224,7 +224,7 @@ void CGM::ImplDoClass4()
sal_uInt32 nType = ImplGetUI16(4); sal_uInt32 nType = ImplGetUI16(4);
sal_uInt32 nSize = ImplGetUI(1); sal_uInt32 nSize = ImplGetUI(1);
if (mpSource + mnParaSize + nSize > mpEndValidSource) if (mpEndValidSource - (mpSource + mnParaSize) < nSize)
throw css::uno::Exception("attempt to read past end of input", nullptr); throw css::uno::Exception("attempt to read past end of input", nullptr);
mpSource[ mnParaSize + nSize ] = 0; mpSource[ mnParaSize + nSize ] = 0;
@@ -242,7 +242,7 @@ void CGM::ImplDoClass4()
sal_uInt32 nType = ImplGetUI16( 4 ); sal_uInt32 nType = ImplGetUI16( 4 );
sal_uInt32 nSize = ImplGetUI( 1 ); sal_uInt32 nSize = ImplGetUI( 1 );
if (mpSource + mnParaSize + nSize > mpEndValidSource) if (mpEndValidSource - (mpSource + mnParaSize) < nSize)
throw css::uno::Exception("attempt to read past end of input", nullptr); throw css::uno::Exception("attempt to read past end of input", nullptr);
mpSource[ mnParaSize + nSize ] = 0; mpSource[ mnParaSize + nSize ] = 0;