commit 721bc6dafbed2185a9aedae35a34d3395eaed0bc
author Caolán McNamara <caolanm@redhat.com> Sun Dec 23 17:26:36 2018 +0000
committer Caolán McNamara <caolanm@redhat.com> Sun Dec 23 22:23:22 2018 +0100
tree a0add649ce3ff07fc53eea20153dc745fbcb06d0
parent f877d2882e4d257136ef2de901ff4f71b71916bd

Related: tdf#122204 clarify 0xFFF0 size meaning

Change-Id: I71432b1a705d54f44c63f3734281a87b155c6f10
Reviewed-on: https://gerrit.libreoffice.org/65582
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>

filter/source/msfilter/msdffimp.cxx

diff --git a/filter/source/msfilter/msdffimp.cxx b/filter/source/msfilter/msdffimp.cxx
index 8f79471..06deedf 100644
--- a/filter/source/msfilter/msdffimp.cxx
+++ b/filter/source/msfilter/msdffimp.cxx
@@ -2157,11 +2157,13 @@
            {
                sal_uInt16 nNumElemMemVert = 0;
                rIn.ReadUInt16( nNumElemVert ).ReadUInt16( nNumElemMemVert ).ReadUInt16( nElemSizeVert );
                // If this value is 0xFFF0 then this record is an array of truncated 8 byte elements. Only the 4
                // low-order bytes are recorded
                if (nElemSizeVert == 0xFFF0)
                    nElemSizeVert = 4;
            }
            if (nElemSizeVert != 8)
                nElemSizeVert = 4;
            //sanity check that the stream is long enough to fulfill nNumElem * nElemSize;
            bool bImport = rIn.remainingSize() / nElemSizeVert >= nNumElemVert;
            bool bImport = nElemSizeVert && (rIn.remainingSize() / nElemSizeVert >= nNumElemVert);
            if (bImport)
            {
                aCoordinates.realloc( nNumElemVert );
@@ -2390,15 +2392,16 @@
            sal_uInt16 nElemSizeVert = 8;

            if ( SeekToContent( DFF_Prop_connectorPoints, rIn ) )
                rIn.ReadUInt16( nNumElemVert ).ReadUInt16( nNumElemMemVert ).ReadUInt16( nElemSizeVert );

            bool bImport = false;
            if (nNumElemVert && nElemSizeVert)
            {
                //sanity check that the stream is long enough to fulfill nNumElemVert * nElemSizeVert;
                bImport = rIn.remainingSize() / nElemSizeVert >= nNumElemVert;
                rIn.ReadUInt16( nNumElemVert ).ReadUInt16( nNumElemMemVert ).ReadUInt16( nElemSizeVert );
                // If this value is 0xFFF0 then this record is an array of truncated 8 byte elements. Only the 4
                // low-order bytes are recorded
                if (nElemSizeVert == 0xFFF0)
                    nElemSizeVert = 4;
            }

            // sanity check that the stream is long enough to fulfill nNumElemVert * nElemSizeVert;
            bool bImport = nElemSizeVert && (rIn.remainingSize() / nElemSizeVert >= nNumElemVert);
            if (bImport)
            {
                aGluePoints.realloc( nNumElemVert );
@@ -5513,13 +5516,15 @@
        if (SeekToContent(DFF_Prop_pWrapPolygonVertices, rSt))
        {
            pTextImpRec->pWrapPolygon.reset();
            sal_uInt16 nNumElemVert(0), nNumElemMemVert(0), nElemSizeVert(0);
            sal_uInt16 nNumElemVert(0), nNumElemMemVert(0), nElemSizeVert(8);
            rSt.ReadUInt16( nNumElemVert ).ReadUInt16( nNumElemMemVert ).ReadUInt16( nElemSizeVert );
            bool bOk = false;
            if (nNumElemVert && ((nElemSizeVert == 8) || (nElemSizeVert == 4)))
            {
                bOk = rSt.remainingSize() / nElemSizeVert >= nNumElemVert;
            }
            // If this value is 0xFFF0 then this record is an array of truncated 8 byte elements. Only the 4
            // low-order bytes are recorded
            if (nElemSizeVert == 0xFFF0)
                nElemSizeVert = 4;

            // sanity check that the stream is long enough to fulfill nNumElemVert * nElemSizeVert;
            bool bOk = nElemSizeVert && (rSt.remainingSize() / nElemSizeVert >= nNumElemVert);
            if (bOk)
            {
                pTextImpRec->pWrapPolygon.reset(new tools::Polygon(nNumElemVert));