From 8bb5b028b975b9a92d053a784f7940cc6c4fe97f Mon Sep 17 00:00:00 2001 From: Caolán McNamara Date: Fri, 4 Oct 2019 16:32:07 +0100 Subject: ofz#17823 avoid timeout MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change-Id: I3658d476873a502adc0cbd8be9a4f6ffd5b62c87 Reviewed-on: https://gerrit.libreoffice.org/80236 Tested-by: Jenkins Reviewed-by: Caolán McNamara Tested-by: Caolán McNamara --- hwpfilter/source/hwpread.cxx | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'hwpfilter') diff --git a/hwpfilter/source/hwpread.cxx b/hwpfilter/source/hwpread.cxx index 86c2dea33494..d734d58f0335 100644 --- a/hwpfilter/source/hwpread.cxx +++ b/hwpfilter/source/hwpread.cxx @@ -20,6 +20,7 @@ #include "precompile.h" #include +#include #include #include @@ -376,6 +377,10 @@ bool Picture::Read(HWPFile & hwpf) hwpf.AddBox(this); hwpf.Read4b(&follow_block_size, 1); + + //when fuzzing with a max len set, max decompress to 10 times that limit + static size_t nMaxAllowedDecompression = [](const char* pEnv) { size_t nRet = pEnv ? std::atoi(pEnv) : 0; return nRet * 10; }(std::getenv("FUZZ_MAX_INPUT_LEN")); + hwpf.Read2b(&dummy1, 1); /* Reserved 4 bytes */ hwpf.Read2b(&dummy2, 1); @@ -455,6 +460,8 @@ bool Picture::Read(HWPFile & hwpf) } if (nBlock != nReadBlock) break; + if (nMaxAllowedDecompression && follow.size() > nMaxAllowedDecompression) + break; } follow_block_size = follow.size(); @@ -476,6 +483,8 @@ bool Picture::Read(HWPFile & hwpf) ishyper = true; } } + else + fprintf(stderr, "arse\n"); } if( pictype != 3 ) -- cgit
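Review bot: In the `@@ -376,6 +377,10 @@` hunk, the lambda that initialises `nMaxAllowedDecompression` parses `FUZZ_MAX_INPUT_LEN` with `std::atoi`, stores the `int` result in a `size_t` and multiplies it by 10 with no range check. A negative value converts to a very large `size_t`, an out-of-range value is undefined behaviour for `atoi`, and a malformed value silently yields 0, which switches the cap off. Parsing with `std::strtoul` keeps the limit predictable, for example `char* end = nullptr; const unsigned long n = std::strtoul(pEnv, &end, 10);` followed by a check that `end != pEnv` and `n <= SIZE_MAX / 10` before multiplying. The body of `Picture::Read` starts and ends outside this hunk.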
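Review bot: The size check added in the `@@ -455,6 +460,8 @@` hunk only takes effect when `FUZZ_MAX_INPUT_LEN` is set, so in a normal import `nMaxAllowedDecompression` is 0 and `follow` still grows with no ceiling visible in this hunk. If this loop is expanding compressed data, as the variable name suggests, a crafted document can drive the same memory and CPU cost for ordinary users that the fuzzer hit as a timeout, and a fixed default limit, or one derived from the input size, would cover both cases. When the cap does trigger, the loop only `break`s and `follow_block_size = follow.size();` keeps the truncated buffer. Whether the rest of `Picture::Read`, which lies outside the hunk, reports that as a failure is not visible here, so consider returning `false` on that path. A comment such as `// stop once the cap is exceeded; follow may overshoot by one block` would also record that the check runs after the append.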
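Review bot: The `else` branch added in the `@@ -476,6 +483,8 @@` hunk prints the literal `"arse\n"` to stderr, which reads as leftover debugging output rather than an intended diagnostic. The branch sits in the file-parsing path, so document content decides whether it runs, and the message does not say what was wrong with the input. Either drop the two lines or replace them with the project's logging macro and a message naming the condition, for example `SAL_WARN("<log-area>", "<what was unexpected>");` with the area and text filled in for this code path. The `if` this `else` belongs to starts outside the hunk, so the exact condition cannot be confirmed from here.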