1 files changed, 67 insertions, 56 deletions

diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx b/lotuswordpro/source/filter/lwpdrawobj.cxx
index f2c226a7d767..d1e496481c3d 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -499,7 +499,7 @@ void LwpDrawPolyLine::Read()
     m_pStream->ReadUChar( m_aPolyLineRec.aPenColor.unused );
     m_pStream->ReadUInt16( m_aPolyLineRec.nNumPoints );
 
-    if (m_aPolyLineRec.nNumPoints > m_pStream->remainingSize() / 4)
+    if (!m_pStream->good() || m_aPolyLineRec.nNumPoints > m_pStream->remainingSize() / 4)
         throw BadRead();
 
     m_pVector.reset( new SdwPoint[m_aPolyLineRec.nNumPoints] );
@@ -579,7 +579,7 @@ void LwpDrawPolygon::Read()
     ReadClosedObjStyle();
     m_pStream->ReadUInt16( m_nNumPoints );
 
-    if (m_nNumPoints > m_pStream->remainingSize() / 4)
+    if (!m_pStream->good() || m_nNumPoints > m_pStream->remainingSize() / 4)
         throw BadRead();
 
     m_pVector.reset( new SdwPoint[m_nNumPoints] );
@@ -1043,6 +1043,9 @@ void LwpDrawTextBox::Read()
     m_pStream->ReadInt16( m_aTextRec.nTextRotation );
     m_pStream->ReadInt16( m_aTextRec.nTextExtraSpacing );
 
+    if (!m_pStream->good())
+        throw BadRead();
+
     // some draw files in version 1.2 have an extra byte following '\0'.
     // can't rely on that, so read in the whole string into memory.
 
@@ -1089,6 +1092,9 @@ XFFrame* LwpDrawTextBox::CreateDrawObj(const OUString& rStyleName )
         aEncoding = LwpCharSetMgr::GetTextCharEncoding();
     }
 
+    if (TextLength < 2)
+        throw BadRead();
+
     XFParagraph* pXFPara = new XFParagraph();
     pXFPara->Add(OUString(reinterpret_cast<char*>(m_aTextRec.pTextString), (TextLength-2), aEncoding));
     pXFPara->SetStyleName(rStyleName);
@@ -1194,17 +1200,17 @@ void LwpDrawTextArt::Read()
     m_pStream->ReadInt16( m_aTextArtRec.nRotation );
 
     sal_uInt16 nPointNumber;
-    sal_Int16 nX, nY;
     m_pStream->ReadUInt16( nPointNumber );
 
     size_t nPoints = nPointNumber*3+1;
-    if (nPoints > m_pStream->remainingSize() / 4)
+    if (!m_pStream->good() || nPoints > m_pStream->remainingSize() / 4)
         throw BadRead();
 
     m_aTextArtRec.aPath[0].n = nPointNumber;
     m_aTextArtRec.aPath[0].pPts = new SdwPoint[nPoints];
     for (size_t nPt = 0; nPt < nPoints; ++nPt)
     {
+        sal_Int16 nX, nY;
         m_pStream->ReadInt16( nX );
         m_pStream->ReadInt16( nY );
         m_aTextArtRec.aPath[0].pPts[nPt].x = nX;
@@ -1214,13 +1220,14 @@ void LwpDrawTextArt::Read()
     m_pStream->ReadUInt16( nPointNumber );
 
     nPoints = nPointNumber*3+1;
-    if (nPoints > m_pStream->remainingSize() / 4)
+    if (!m_pStream->good() || nPoints > m_pStream->remainingSize() / 4)
         throw BadRead();
 
     m_aTextArtRec.aPath[1].n = nPointNumber;
     m_aTextArtRec.aPath[1].pPts = new SdwPoint[nPoints];
     for (size_t nPt = 0; nPt < nPoints; ++nPt)
     {
+        sal_Int16 nX, nY;
         m_pStream->ReadInt16( nX );
         m_pStream->ReadInt16( nY );
         m_aTextArtRec.aPath[1].pPts[nPt].x = nX;
@@ -1248,8 +1255,12 @@ void LwpDrawTextArt::Read()
                                                     - (m_aTextArtRec.aPath[1].n*3 + 1)*4;
 
 
+    if (!m_pStream->good())
+        throw BadRead();
     if (m_aTextArtRec.nTextLen > m_pStream->remainingSize())
         throw BadRead();
+    if (m_aTextArtRec.nTextLen < 1)
+        throw BadRead();
 
     m_aTextArtRec.pTextString = new sal_uInt8 [m_aTextArtRec.nTextLen];
     m_pStream->ReadBytes(m_aTextArtRec.pTextString, m_aTextArtRec.nTextLen);
@@ -1344,6 +1355,22 @@ LwpDrawBitmap::~LwpDrawBitmap()
 {
 }
 
+static bool IsValid(const BmpInfoHeader2& rHeader)
+{
+    if (rHeader.nPlanes != 1)
+        return false;
+
+    if (rHeader.nBitCount != 0 && rHeader.nBitCount != 1 &&
+        rHeader.nBitCount != 4 && rHeader.nBitCount != 8 &&
+        rHeader.nBitCount != 16 && rHeader.nBitCount != 24 &&
+        rHeader.nBitCount != 32)
+    {
+        return false;
+    }
+
+    return true;
+}
+
 /**
  * @descr   reading function of class LwpDrawBitmap
  */
@@ -1353,25 +1380,38 @@ void LwpDrawBitmap::Read()
     m_pStream->ReadUInt16( m_aBmpRec.nRotation );
 
     // 20 == length of draw-specific fields.
-    // 14 == length of bmp file header.
-    m_aBmpRec.nFileSize = m_aObjHeader.nRecLen - 20 + 14;
-    m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
+    if (m_aObjHeader.nRecLen < 20)
+        throw BadRead();
+
+    sal_uInt64 nBmpPos = m_pStream->Tell();
+    sal_uInt64 nBmpLen =
+        std::min<sal_uInt64>(m_aObjHeader.nRecLen - 20, m_pStream->remainingSize());
 
     BmpInfoHeader2 aInfoHeader2;
     m_pStream->ReadUInt32( aInfoHeader2.nHeaderLen );
 
+    if (!m_pStream->good() || nBmpLen < aInfoHeader2.nHeaderLen)
+        throw BadRead();
+
     sal_uInt32 N;
     sal_uInt32 rgbTableSize;
 
     if (aInfoHeader2.nHeaderLen == sizeof(BmpInfoHeader))
     {
-        m_pStream->ReadUInt32( aInfoHeader2.nWidth );
-        m_pStream->ReadUInt32( aInfoHeader2.nHeight );
+        sal_uInt16 nTmp;
+
+        m_pStream->ReadUInt16( nTmp );
+        aInfoHeader2.nWidth = nTmp;
+        m_pStream->ReadUInt16( nTmp );
+        aInfoHeader2.nHeight = nTmp;
         m_pStream->ReadUInt16( aInfoHeader2.nPlanes );
         m_pStream->ReadUInt16( aInfoHeader2.nBitCount );
 
+        if (!m_pStream->good() || !IsValid(aInfoHeader2))
+            throw BadRead();
+
         N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount;
-        if (N == 24)
+        if (N >= 16)
         {
             rgbTableSize = 0;
         }
@@ -1380,14 +1420,18 @@ void LwpDrawBitmap::Read()
             rgbTableSize = 3 * (1 << N);
         }
     }
-    else
+    else if (aInfoHeader2.nHeaderLen >= sizeof(BmpInfoHeader2))
     {
         m_pStream->ReadUInt32( aInfoHeader2.nWidth );
         m_pStream->ReadUInt32( aInfoHeader2.nHeight );
         m_pStream->ReadUInt16( aInfoHeader2.nPlanes );
         m_pStream->ReadUInt16( aInfoHeader2.nBitCount );
+
+        if (!m_pStream->good() || !IsValid(aInfoHeader2))
+            throw BadRead();
+
         N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount;
-        if (N == 24)
+        if (N >= 16)
         {
             rgbTableSize = 0;
         }
@@ -1395,8 +1439,14 @@ void LwpDrawBitmap::Read()
         {
             rgbTableSize = 4 * (1 << N);
         }
-
     }
+    else
+    {
+        throw BadRead();
+    }
+
+    m_aBmpRec.nFileSize = static_cast<sal_uInt32>(nBmpLen + 14);
+    m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
 
     sal_uInt32 nOffBits = 14 + aInfoHeader2.nHeaderLen + rgbTableSize;
     m_pImageData[0] = 'B';
@@ -1414,50 +1464,11 @@ void LwpDrawBitmap::Read()
     m_pImageData[12] = static_cast<sal_uInt8>(nOffBits >> 16);
     m_pImageData[13] = static_cast<sal_uInt8>(nOffBits >> 24);
 
-    sal_uInt32 nDIBRemaining;
     sal_uInt8* pPicData = m_pImageData.get();
-    if (aInfoHeader2.nHeaderLen== sizeof(BmpInfoHeader))
-    {
-        m_pImageData[14] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen);
-        m_pImageData[15] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >> 8);
-        m_pImageData[16] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >> 16);
-        m_pImageData[17] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >> 24);
-        m_pImageData[18] = static_cast<sal_uInt8>(aInfoHeader2.nWidth);
-        m_pImageData[19] = static_cast<sal_uInt8>(aInfoHeader2.nWidth >> 8);
-        m_pImageData[20] = static_cast<sal_uInt8>(aInfoHeader2.nHeight);
-        m_pImageData[21] = static_cast<sal_uInt8>(aInfoHeader2.nHeight >> 8);
-        m_pImageData[22] = static_cast<sal_uInt8>(aInfoHeader2.nPlanes);
-        m_pImageData[23] = static_cast<sal_uInt8>(aInfoHeader2.nPlanes >> 8);
-        m_pImageData[24] = static_cast<sal_uInt8>(aInfoHeader2.nBitCount);
-        m_pImageData[25] = static_cast<sal_uInt8>(aInfoHeader2.nBitCount >> 8);
-
-        nDIBRemaining = m_aBmpRec.nFileSize - 26;
-        pPicData += 26*sizeof(sal_uInt8);
-    }
-    else
-    {
-        m_pImageData[14] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen);
-        m_pImageData[15] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >> 8);
-        m_pImageData[16] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >> 16);
-        m_pImageData[17] = static_cast<sal_uInt8>(aInfoHeader2.nHeaderLen >> 24);
-        m_pImageData[18] = static_cast<sal_uInt8>(aInfoHeader2.nWidth);
-        m_pImageData[19] = static_cast<sal_uInt8>(aInfoHeader2.nWidth >> 8);
-        m_pImageData[20] = static_cast<sal_uInt8>(aInfoHeader2.nWidth >> 16);
-        m_pImageData[21] = static_cast<sal_uInt8>(aInfoHeader2.nWidth >> 24);
-        m_pImageData[22] = static_cast<sal_uInt8>(aInfoHeader2.nHeight);
-        m_pImageData[23] = static_cast<sal_uInt8>(aInfoHeader2.nHeight >> 8);
-        m_pImageData[24] = static_cast<sal_uInt8>(aInfoHeader2.nHeight >> 16);
-        m_pImageData[25] = static_cast<sal_uInt8>(aInfoHeader2.nHeight >> 24);
-        m_pImageData[26] = static_cast<sal_uInt8>(aInfoHeader2.nPlanes);
-        m_pImageData[27] = static_cast<sal_uInt8>(aInfoHeader2.nPlanes >> 8);
-        m_pImageData[28] = static_cast<sal_uInt8>(aInfoHeader2.nBitCount);
-        m_pImageData[29] = static_cast<sal_uInt8>(aInfoHeader2.nBitCount >> 8);
-
-        nDIBRemaining = m_aBmpRec.nFileSize - 30;
-        pPicData += 30*sizeof(sal_uInt8);
-    }
 
-    m_pStream->ReadBytes(pPicData, nDIBRemaining);
+    m_pStream->Seek(nBmpPos);
+    if (nBmpLen != m_pStream->ReadBytes(pPicData + 14, nBmpLen))
+        throw BadRead();
 }
 
 OUString LwpDrawBitmap::RegisterStyle()