diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2021-04-03 19:49:24 +0100 |
|---|---|---|
| committer | Xisco Fauli <xiscofauli@libreoffice.org> | 2021-04-06 10:17:14 +0200 |
| commit | a7029df783809d19a814a1552b360d6664c2efd1 (patch) | |
| tree | a4910c6ed5eee6d0faa023d44ddc367065b077d4 /emfio | |
| parent | tdf#141318 Dialog::GetOptimalSize not including border if called before Show (diff) | |
| download | core-a7029df783809d19a814a1552b360d6664c2efd1.tar.gz core-a7029df783809d19a814a1552b360d6664c2efd1.zip | |
pass ImplReadRegion the remaining len of record available for consumption
not the total which includes consumed part
Change-Id: I63b01013a31e6a3f1dcfe895c02a4fa049bb8fe6
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113562
Tested-by: Jenkins
Reviewed-by: Xisco Fauli <xiscofauli@libreoffice.org>
Diffstat (limited to 'emfio')
| -rw-r--r-- | emfio/source/reader/emfreader.cxx | 97 |
1 files changed, 59 insertions, 38 deletions
diff --git a/emfio/source/reader/emfreader.cxx b/emfio/source/reader/emfreader.cxx index 24fcf9095e3e..fd73e77fe19b 100644 --- a/emfio/source/reader/emfreader.cxx +++ b/emfio/source/reader/emfreader.cxx @@ -332,32 +332,33 @@ bool ImplReadRegion( tools::PolyPolygon& rPolyPoly, SvStream& rStream, sal_uInt3 if (nLen < 32) // 32 bytes - Size of RegionDataHeader return false; - sal_uInt32 nHdSize, nType, nCountRects, nRgnSize, i; + sal_uInt32 nHdSize, nType, nCountRects, nRgnSize; rStream.ReadUInt32(nHdSize); rStream.ReadUInt32(nType); rStream.ReadUInt32(nCountRects); rStream.ReadUInt32(nRgnSize); - if (!rStream.good() || nCountRects == 0 || nType != RDH_RECTANGLES) - return false; - //bounds of the region sal_Int32 nLeft, nTop, nRight, nBottom; rStream.ReadInt32(nLeft); rStream.ReadInt32(nTop); rStream.ReadInt32(nRight); rStream.ReadInt32(nBottom); + + if (!rStream.good() || nCountRects == 0 || nType != RDH_RECTANGLES) + return false; + SAL_INFO("emfio", "\t\tLeft: " << nLeft << ", top: " << nTop << ", right: " << nRight << ", bottom: " << nBottom); + nLen -= 32; + sal_uInt32 nSize; if (o3tl::checked_multiply<sal_uInt32>(nCountRects, 16, nSize)) return false; - if (o3tl::checked_add<sal_uInt32>(nSize, nHdSize - 16, nSize)) - return false; if (nLen < nSize) return false; - for (i = 0; i < nCountRects; i++) + for (sal_uInt32 i = 0; i < nCountRects; ++i) { rStream.ReadInt32(nLeft); rStream.ReadInt32(nTop); @@ -1422,24 +1423,30 @@ namespace emfio case EMR_EXTSELECTCLIPRGN : { - sal_Int32 nClippingMode(0), cbRgnData(0); - mpInputStream->ReadInt32(cbRgnData); - mpInputStream->ReadInt32(nClippingMode); - - // This record's region data should be ignored if mode - // is RGN_COPY - see EMF spec section 2.3.2.2 - if (nClippingMode == RGN_COPY) - { - SetDefaultClipPath(); - } + sal_uInt32 nRemainingRecSize = nRecSize - 8; + if (nRemainingRecSize < 8) + bStatus = false; else { - tools::PolyPolygon aPolyPoly; - if (cbRgnData) - ImplReadRegion(aPolyPoly, *mpInputStream, nRecSize); - SetClipPath(aPolyPoly, nClippingMode, false); + sal_Int32 nClippingMode(0), cbRgnData(0); + mpInputStream->ReadInt32(cbRgnData); + mpInputStream->ReadInt32(nClippingMode); + nRemainingRecSize -= 8; + + // This record's region data should be ignored if mode + // is RGN_COPY - see EMF spec section 2.3.2.2 + if (nClippingMode == RGN_COPY) + { + SetDefaultClipPath(); + } + else + { + tools::PolyPolygon aPolyPoly; + if (cbRgnData) + ImplReadRegion(aPolyPoly, *mpInputStream, nRemainingRecSize); + SetClipPath(aPolyPoly, nClippingMode, false); + } } - } break; @@ -1909,30 +1916,44 @@ namespace emfio case EMR_FILLRGN : { - sal_uInt32 nRgnDataSize; - tools::PolyPolygon aPolyPoly; - mpInputStream->SeekRel( 0x10 ); // RectL bounds - mpInputStream->ReadUInt32( nRgnDataSize ).ReadUInt32( nIndex ); - - if ( ImplReadRegion( aPolyPoly, *mpInputStream, nRecSize ) ) + sal_uInt32 nRemainingRecSize = nRecSize - 8; + if (nRemainingRecSize < 24) + bStatus = false; + else { - Push(); - SelectObject( nIndex ); - DrawPolyPolygon( aPolyPoly ); - Pop(); + sal_uInt32 nRgnDataSize; + tools::PolyPolygon aPolyPoly; + mpInputStream->SeekRel(16); // RectL bounds + mpInputStream->ReadUInt32( nRgnDataSize ).ReadUInt32( nIndex ); + nRemainingRecSize -= 24; + + if (ImplReadRegion(aPolyPoly, *mpInputStream, nRemainingRecSize)) + { + Push(); + SelectObject( nIndex ); + DrawPolyPolygon( aPolyPoly ); + Pop(); + } } } break; case EMR_PAINTRGN : { - sal_uInt32 nRgnDataSize; - tools::PolyPolygon aPolyPoly; - mpInputStream->SeekRel( 0x10 ); // Skipping RectL bounds - mpInputStream->ReadUInt32( nRgnDataSize ); + sal_uInt32 nRemainingRecSize = nRecSize - 8; + if (nRemainingRecSize < 20) + bStatus = false; + else + { + sal_uInt32 nRgnDataSize; + tools::PolyPolygon aPolyPoly; + mpInputStream->SeekRel(16); // Skipping RectL bounds + mpInputStream->ReadUInt32( nRgnDataSize ); + nRemainingRecSize -= 20; - if ( ImplReadRegion( aPolyPoly, *mpInputStream, nRecSize ) ) - DrawPolyPolygon( aPolyPoly ); + if (ImplReadRegion(aPolyPoly, *mpInputStream, nRemainingRecSize)) + DrawPolyPolygon( aPolyPoly ); + } } break; |