From 614d84a00890fae37f89b39c7d3e2e02508ab5c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Mon, 26 Jan 2015 11:26:41 +0000
Subject: [PATCH 2/4] coverity#1266485 Untrusted value as argument
Change-Id: I7708ecaf5412535055584ed6c71beaa9cd71c10c
(cherry picked from commit 0934ed1a40c59c169354b177d7dab4228de66171)
min legal size here is > 4
(cherry picked from commit 3131205c05a3fde4ef1e3322cc48ca23c443f6d3)
Change-Id: I9f68d000b32623db4d949d13284043630f5689f4
(cherry picked from commit 964000d415bcf491704dad57aee7e0656ea60dab)
Reviewed-on: https://gerrit.libreoffice.org/16983
Reviewed-by: David Tardon <dtardon@redhat.com>
Tested-by: David Tardon <dtardon@redhat.com>
(cherry picked from commit 81d1123ac317d9dad9872a9d2feda8cc6bd32492)
---
vcl/source/gdi/jobset.cxx | 29 +++++++++++++++++------------
1 file changed, 17 insertions(+), 12 deletions(-)
diff --git a/vcl/source/gdi/jobset.cxx b/vcl/source/gdi/jobset.cxx
index ec1f44f..c67255e 100644
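--- a/vcl/source/gdi/jobset.cxx
+++ b/vcl/source/gdi/jobset.cxx
@@ -218,19 +218,24 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
 DBG_ASSERTWARNING( rIStream.GetVersion(), "JobSetup::>> - Solar-Version not set on rOStream" );
 
 {
- sal_Size nFirstPos = rIStream.Tell();
-
 sal_uInt16 nLen = 0;
 rIStream.ReadUInt16( nLen );
- if ( !nLen )
+ if (nLen <= 4)
 return rIStream;
 
 sal_uInt16 nSystem = 0;
 rIStream.ReadUInt16( nSystem );
-
- boost::scoped_array<char> pTempBuf(new char[nLen]);
- rIStream.Read( pTempBuf.get(), nLen - sizeof( nLen ) - sizeof( nSystem ) );
- if ( nLen >= sizeof(ImplOldJobSetupData)+4 )
+ const size_t nRead = nLen - sizeof(nLen) - sizeof(nSystem);
+ if (nRead > rIStream.remainingSize())
+ {
+ SAL_WARN("vcl", "Parsing error: " << rIStream.remainingSize() <<
+ " max possible entries, but " << nRead << " claimed, truncating");
+ return rIStream;
+ }
+ sal_Size nFirstPos = rIStream.Tell();
+ boost::scoped_array<char> pTempBuf(new char[nRead]);
+ rIStream.Read(pTempBuf.get(), nRead);
+ if (nRead >= sizeof(ImplOldJobSetupData))
 {
 ImplOldJobSetupData* pData = (ImplOldJobSetupData*)pTempBuf.get();
 if ( rJobSetup.mpData )
@@ -255,7 +260,7 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
 nSystem == JOBSET_FILE605_SYSTEM )
 {
 Impl364JobSetupData* pOldJobData = (Impl364JobSetupData*)(pTempBuf.get() + sizeof( ImplOldJobSetupData ));
- sal_uInt16 nOldJobDataSize = SVBT16ToShort( pOldJobData->nSize );
+ sal_uInt16 nOldJobDataSize = SVBT16ToShort( pOldJobData->nSize );
 pJobData->mnSystem = SVBT16ToShort( pOldJobData->nSystem );
 pJobData->mnDriverDataLen = SVBT32ToUInt32( pOldJobData->nDriverDataLen );
 pJobData->meOrientation = (Orientation)SVBT16ToShort( pOldJobData->nOrientation );
@@ -272,8 +277,8 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
 }
 if( nSystem == JOBSET_FILE605_SYSTEM )
 {
- rIStream.Seek( nFirstPos + sizeof( ImplOldJobSetupData ) + 4 + sizeof( Impl364JobSetupData ) + pJobData->mnDriverDataLen );
- while( rIStream.Tell() < nFirstPos + nLen )
+ rIStream.Seek( nFirstPos + sizeof( ImplOldJobSetupData ) + sizeof( Impl364JobSetupData ) + pJobData->mnDriverDataLen );
+ while( rIStream.Tell() < nFirstPos + nRead )
 {
 OUString aKey = read_uInt16_lenPrefixed_uInt8s_ToOUString(rIStream, RTL_TEXTENCODING_UTF8);
 OUString aValue = read_uInt16_lenPrefixed_uInt8s_ToOUString(rIStream, RTL_TEXTENCODING_UTF8);
@@ -291,9 +296,9 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
 else
 pJobData->maValueMap[ aKey ] = aValue;
 }
- DBG_ASSERT( rIStream.Tell() == nFirstPos+nLen, "corrupted job setup" );
+ DBG_ASSERT( rIStream.Tell() == nFirstPos+nRead, "corrupted job setup" );
 // ensure correct stream position
- rIStream.Seek( nFirstPos + nLen );
+ rIStream.Seek(nFirstPos + nRead);
 }
 }
 }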
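Review bot: The guard `if (nRead >= sizeof(ImplOldJobSetupData))` only proves that the first struct fits in `pTempBuf`, yet the second hunk casts `pTempBuf.get() + sizeof( ImplOldJobSetupData )` to `Impl364JobSetupData*` and reads `nSize`, `nSystem` and `nDriverDataLen` through it with no visible check that `nRead` also covers `sizeof(Impl364JobSetupData)`. A record of intermediate length would then be read past the end of the allocation; a bound such as `if (nRead < sizeof(ImplOldJobSetupData) + sizeof(Impl364JobSetupData))` ahead of the cast would close that. `pJobData->mnDriverDataLen` is likewise taken from the file and feeds the `Seek` offset in the third hunk unchecked, so it should be compared against `nRead` before use. The lines between the hunks are not shown, so an existing check there cannot be ruled out. Separately, the `SAL_WARN` text says "entries" and "truncating" while the code counts bytes and returns without reading anything.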
--
2.5.0