From 7607a7e45a1da570dda0a4b96c08405086a647b6 Mon Sep 17 00:00:00 2001 From: Caolán McNamara Date: Sun, 16 Jan 2022 14:30:15 +0000 Subject: ofz: Use-of-uninitialized-value Change-Id: Ib1c3b306573dda073f6ff3d7d0cc17aef39c0a0e Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128436 Tested-by: Jenkins Reviewed-by: Michael Stahl --- lotuswordpro/source/filter/lwpdrawobj.cxx | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx b/lotuswordpro/source/filter/lwpdrawobj.cxx index 6d6be3748b49..c684f7809d94 100644 --- a/lotuswordpro/source/filter/lwpdrawobj.cxx +++ b/lotuswordpro/source/filter/lwpdrawobj.cxx @@ -497,7 +497,7 @@ void LwpDrawPolyLine::Read() m_pStream->ReadUChar( m_aPolyLineRec.aPenColor.unused ); m_pStream->ReadUInt16( m_aPolyLineRec.nNumPoints ); - if (m_aPolyLineRec.nNumPoints > m_pStream->remainingSize() / 4) + if (!m_pStream->good() || m_aPolyLineRec.nNumPoints > m_pStream->remainingSize() / 4) throw BadRead(); m_pVector.reset( new SdwPoint[m_aPolyLineRec.nNumPoints] ); @@ -577,7 +577,7 @@ void LwpDrawPolygon::Read() ReadClosedObjStyle(); m_pStream->ReadUInt16( m_nNumPoints ); - if (m_nNumPoints > m_pStream->remainingSize() / 4) + if (!m_pStream->good() || m_nNumPoints > m_pStream->remainingSize() / 4) throw BadRead(); m_pVector.reset( new SdwPoint[m_nNumPoints] ); @@ -1042,6 +1042,9 @@ void LwpDrawTextBox::Read() m_pStream->ReadInt16( m_aTextRec.nTextRotation ); m_pStream->ReadInt16( m_aTextRec.nTextExtraSpacing ); + if (!m_pStream->good()) + throw BadRead(); + // some draw files in version 1.2 have an extra byte following '\0'. // can't rely on that, so read in the whole string into memory. @@ -1187,17 +1190,17 @@ void LwpDrawTextArt::Read() m_pStream->ReadInt16( m_aTextArtRec.nRotation ); sal_uInt16 nPointNumber; - sal_Int16 nX, nY; m_pStream->ReadUInt16( nPointNumber ); size_t nPoints = nPointNumber*3+1; - if (nPoints > m_pStream->remainingSize() / 4) + if (!m_pStream->good() || nPoints > m_pStream->remainingSize() / 4) throw BadRead(); m_aTextArtRec.aPath[0].n = nPointNumber; m_aTextArtRec.aPath[0].aPts.resize(nPoints); for (size_t nPt = 0; nPt < nPoints; ++nPt) { + sal_Int16 nX, nY; m_pStream->ReadInt16( nX ); m_pStream->ReadInt16( nY ); m_aTextArtRec.aPath[0].aPts[nPt].x = nX; @@ -1207,13 +1210,14 @@ void LwpDrawTextArt::Read() m_pStream->ReadUInt16( nPointNumber ); nPoints = nPointNumber*3+1; - if (nPoints > m_pStream->remainingSize() / 4) + if (!m_pStream->good() || nPoints > m_pStream->remainingSize() / 4) throw BadRead(); m_aTextArtRec.aPath[1].n = nPointNumber; m_aTextArtRec.aPath[1].aPts.resize(nPoints); for (size_t nPt = 0; nPt < nPoints; ++nPt) { + sal_Int16 nX, nY; m_pStream->ReadInt16( nX ); m_pStream->ReadInt16( nY ); m_aTextArtRec.aPath[1].aPts[nPt].x = nX; @@ -1242,7 +1246,7 @@ void LwpDrawTextArt::Read() - (m_aTextArtRec.aPath[1].n*3 + 1)*4; - if (m_aTextArtRec.nTextLen > m_pStream->remainingSize()) + if (!m_pStream->good() || m_aTextArtRec.nTextLen > m_pStream->remainingSize()) throw BadRead(); m_aTextArtRec.pTextString = new sal_uInt8 [m_aTextArtRec.nTextLen]; @@ -1380,7 +1384,7 @@ void LwpDrawBitmap::Read() m_pStream->ReadUInt16( aInfoHeader2.nPlanes ); m_pStream->ReadUInt16( aInfoHeader2.nBitCount ); - if (!IsValid(aInfoHeader2)) + if (!m_pStream->good() || !IsValid(aInfoHeader2)) throw BadRead(); N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount; @@ -1400,7 +1404,7 @@ void LwpDrawBitmap::Read() m_pStream->ReadUInt16( aInfoHeader2.nPlanes ); m_pStream->ReadUInt16( aInfoHeader2.nBitCount ); - if (!IsValid(aInfoHeader2)) + if (!m_pStream->good() || !IsValid(aInfoHeader2)) throw BadRead(); N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount; -- cgit