diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2022-01-13 16:57:48 +0000 |
|---|---|---|
| committer | Michael Stahl <michael.stahl@allotropia.de> | 2022-04-01 14:45:37 +0200 |
| commit | c3790ca7a6a29c1433a411b578512691546697b3 (patch) | |
| tree | 1a6d1799a14a8b427de302c3a017354e22e640e2 | |
| parent | ofz: Use-of-uninitialized-value (diff) | |
| download | core-c3790ca7a6a29c1433a411b578512691546697b3.tar.gz core-c3790ca7a6a29c1433a411b578512691546697b3.zip | |
ofz#43577 valid reclen must be >= 20
Change-Id: I454bff4acfcd85701a7f094a8bd76898825e9ce2
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128388
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit 444477a07bcaf59181dbbc719b913566091deadc)
ofz: Use-of-uninitialized-value
Change-Id: I6b768b80d972c5379005efecfb803463ca648b4b
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128644
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit 7b37a1a5144a3a4c8b0803b7e2da81e9e108bf66)
ofz: Undefined-Shift
Change-Id: Ib935359071ef9e390aa3d6c9713ed48241ad18e6
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129066
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit e863b90a0e5fc90c3b824e4b0012f9389b87a3ac)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129183
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit 7c8b41bc322720dc9434fbef1f10a6740913165e)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129416
Tested-by: Thorsten Behrens <thorsten.behrens@allotropia.de>
Reviewed-by: Thorsten Behrens <thorsten.behrens@allotropia.de>
(cherry picked from commit 7664ec93edc190ae0bc18b5793763fde5cec8d62)
| -rw-r--r-- | lotuswordpro/source/filter/lwpdrawobj.cxx | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx b/lotuswordpro/source/filter/lwpdrawobj.cxx index 7240a57d13b9..7bcfcf155e89 100644 --- a/lotuswordpro/source/filter/lwpdrawobj.cxx +++ b/lotuswordpro/source/filter/lwpdrawobj.cxx @@ -1352,14 +1352,21 @@ void LwpDrawBitmap::Read() m_pStream->ReadUInt16( m_aBmpRec.nTranslation ); m_pStream->ReadUInt16( m_aBmpRec.nRotation ); + if (m_aObjHeader.nRecLen < 20) + throw BadRead(); + // 20 == length of draw-specific fields. // 14 == length of bmp file header. m_aBmpRec.nFileSize = m_aObjHeader.nRecLen - 20 + 14; - m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] ); BmpInfoHeader2 aInfoHeader2; m_pStream->ReadUInt32( aInfoHeader2.nHeaderLen ); + if (!m_pStream->good()) + throw BadRead(); + + m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] ); + sal_uInt32 N; sal_uInt32 rgbTableSize; @@ -1371,7 +1378,7 @@ void LwpDrawBitmap::Read() m_pStream->ReadUInt16( aInfoHeader2.nBitCount ); N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount; - if (N == 24) + if (N >= 16) { rgbTableSize = 0; } @@ -1387,7 +1394,7 @@ void LwpDrawBitmap::Read() m_pStream->ReadUInt16( aInfoHeader2.nPlanes ); m_pStream->ReadUInt16( aInfoHeader2.nBitCount ); N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount; - if (N == 24) + if (N >= 16) { rgbTableSize = 0; } |