From ec0d1440cf07008a220708535848567bcbb233ea Mon Sep 17 00:00:00 2001
From: Michael Stahl <mstahl@redhat.com>
Date: Mon, 25 Feb 2013 13:15:19 +0100
Subject: fdo#59405: cppcanvas: fix infinite loop in processEMFPlus

This can be observed when inserting the bugdoc from fdo#59405.
Apparently the "size" and "length" do not agree; ensure that the
"length" does not underflow.

Change-Id: Idfc68919859b8284c724831de21208e4392af328
---
 cppcanvas/source/mtfrenderer/emfplus.cxx | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

(limited to 'cppcanvas')

diff --git a/cppcanvas/source/mtfrenderer/emfplus.cxx b/cppcanvas/source/mtfrenderer/emfplus.cxx
index f1b0eff12282..0c9db41dd843 100644
--- a/cppcanvas/source/mtfrenderer/emfplus.cxx
+++ b/cppcanvas/source/mtfrenderer/emfplus.cxx
@@ -1763,7 +1763,16 @@ namespace cppcanvas
 
                 rMF.Seek (next);
 
-                length -= size;
+                if (size <= length)
+                {
+                    length -= size;
+                }
+                else
+                {
+                    SAL_WARN("cppcanvas", "ImplRenderer::processEMFPlus: "
+                            "size " << size << " > length " << length);
+                    length = 0;
+                }
             }
         }
     }
-- 
cgit