From 87b129459bff648dd30fc238deb2d0b64468a83e Mon Sep 17 00:00:00 2001
From: Caolán McNamara <caolanm@redhat.com>
Date: Thu, 13 Jan 2022 16:57:48 +0000
Subject: ofz#43577 valid reclen must be >= 20
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Change-Id: I454bff4acfcd85701a7f094a8bd76898825e9ce2
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128388
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit 444477a07bcaf59181dbbc719b913566091deadc)

ofz: Use-of-uninitialized-value

Change-Id: I6b768b80d972c5379005efecfb803463ca648b4b
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/128644
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit 7b37a1a5144a3a4c8b0803b7e2da81e9e108bf66)

ofz: Undefined-Shift

Change-Id: Ib935359071ef9e390aa3d6c9713ed48241ad18e6
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129066
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit e863b90a0e5fc90c3b824e4b0012f9389b87a3ac)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129183
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit 7c8b41bc322720dc9434fbef1f10a6740913165e)
(cherry picked from commit afeb3af6b990e59e4e81f74d0a68d479fdfcc862)
---
 lotuswordpro/source/filter/lwpdrawobj.cxx | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

(limited to 'lotuswordpro')

diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx b/lotuswordpro/source/filter/lwpdrawobj.cxx
index ae0fc5bb9c05..ec617fb24346 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1373,14 +1373,21 @@ void LwpDrawBitmap::Read()
     m_pStream->ReadUInt16( m_aBmpRec.nTranslation );
     m_pStream->ReadUInt16( m_aBmpRec.nRotation );
 
+    if (m_aObjHeader.nRecLen < 20)
+        throw BadRead();
+
     // 20 == length of draw-specific fields.
     // 14 == length of bmp file header.
     m_aBmpRec.nFileSize = m_aObjHeader.nRecLen - 20 + 14;
-    m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
 
     BmpInfoHeader2 aInfoHeader2;
     m_pStream->ReadUInt32( aInfoHeader2.nHeaderLen );
 
+    if (!m_pStream->good())
+        throw BadRead();
+
+    m_pImageData.reset( new sal_uInt8 [m_aBmpRec.nFileSize] );
+
     sal_uInt32 N;
     sal_uInt32 rgbTableSize;
 
@@ -1395,7 +1402,7 @@ void LwpDrawBitmap::Read()
             throw BadRead();
 
         N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount;
-        if (N == 24)
+        if (N >= 16)
         {
             rgbTableSize = 0;
         }
@@ -1415,7 +1422,7 @@ void LwpDrawBitmap::Read()
             throw BadRead();
 
         N = aInfoHeader2.nPlanes * aInfoHeader2.nBitCount;
-        if (N == 24)
+        if (N >= 16)
         {
             rgbTableSize = 0;
         }
-- 
cgit