From 614d84a00890fae37f89b39c7d3e2e02508ab5c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
Date: Mon, 26 Jan 2015 11:26:41 +0000
Subject: [PATCH 2/4] coverity#1266485 Untrusted value as argument
Change-Id: I7708ecaf5412535055584ed6c71beaa9cd71c10c
(cherry picked from commit 0934ed1a40c59c169354b177d7dab4228de66171)
min legal size here is > 4
(cherry picked from commit 3131205c05a3fde4ef1e3322cc48ca23c443f6d3)
Change-Id: I9f68d000b32623db4d949d13284043630f5689f4
(cherry picked from commit 964000d415bcf491704dad57aee7e0656ea60dab)
Reviewed-on: https://gerrit.libreoffice.org/16983
Reviewed-by: David Tardon
Tested-by: David Tardon
(cherry picked from commit 81d1123ac317d9dad9872a9d2feda8cc6bd32492)
---
 vcl/source/gdi/jobset.cxx | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)
diff --git a/vcl/source/gdi/jobset.cxx b/vcl/source/gdi/jobset.cxx
index ec1f44f..c67255e 100644
--- a/vcl/source/gdi/jobset.cxx
+++ b/vcl/source/gdi/jobset.cxx
@@ -218,19 +218,24 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
 DBG_ASSERTWARNING( rIStream.GetVersion(), "JobSetup::>> - Solar-Version not set on rOStream" );
 
 {
- sal_Size nFirstPos = rIStream.Tell();
-
 sal_uInt16 nLen = 0;
 rIStream.ReadUInt16( nLen );
- if ( !nLen )
+ if (nLen <= 4)
 return rIStream;
 
 sal_uInt16 nSystem = 0;
 rIStream.ReadUInt16( nSystem );
-
- boost::scoped_array pTempBuf(new char[nLen]);
- rIStream.Read( pTempBuf.get(), nLen - sizeof( nLen ) - sizeof( nSystem ) );
- if ( nLen >= sizeof(ImplOldJobSetupData)+4 )
+ const size_t nRead = nLen - sizeof(nLen) - sizeof(nSystem);
+ if (nRead > rIStream.remainingSize())
+ {
+ SAL_WARN("vcl", "Parsing error: " << rIStream.remainingSize() <<
+ " max possible entries, but " << nRead << " claimed, truncating");
+ return rIStream;
+ }
+ sal_Size nFirstPos = rIStream.Tell();
+ boost::scoped_array pTempBuf(new char[nRead]);
+ rIStream.Read(pTempBuf.get(), nRead);
+ if (nRead >= sizeof(ImplOldJobSetupData))
 {
 ImplOldJobSetupData* pData = (ImplOldJobSetupData*)pTempBuf.get();
 if ( rJobSetup.mpData )
@@ -255,7 +260,7 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
 nSystem == JOBSET_FILE605_SYSTEM )
 {
 Impl364JobSetupData* pOldJobData = (Impl364JobSetupData*)(pTempBuf.get() + sizeof( ImplOldJobSetupData ));
- sal_uInt16 nOldJobDataSize = SVBT16ToShort( pOldJobData->nSize );
+ sal_uInt16 nOldJobDataSize = SVBT16ToShort( pOldJobData->nSize );
 pJobData->mnSystem = SVBT16ToShort( pOldJobData->nSystem );
 pJobData->mnDriverDataLen = SVBT32ToUInt32( pOldJobData->nDriverDataLen );
 pJobData->meOrientation = (Orientation)SVBT16ToShort( pOldJobData->nOrientation );
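Review bot: The new `if (nRead >= sizeof(ImplOldJobSetupData))` guard only covers the first struct, yet the 364/605 branch shown in the second hunk forms an `Impl364JobSetupData*` at `pTempBuf.get() + sizeof( ImplOldJobSetupData )` and reads `nSize`, `nSystem`, `nDriverDataLen` and `nOrientation` through it, so unless the lines between the two hunks (outside this view) add a second size check, a record whose nRead lies between the two sizes is read past the end of the nRead-byte buffer. Extending that branch's condition with `&& nRead >= sizeof(ImplOldJobSetupData) + sizeof(Impl364JobSetupData)` closes that gap and is the same bound the Seek in the third hunk relies on. Separately, the early `return rIStream` after the remainingSize() comparison leaves the stream with no error state, so a caller cannot distinguish a truncated record from a parsed one; `rIStream.SetError(SVSTREAM_FILEFORMAT_ERROR);` before the return would make the failure visible. The warning text says "max possible entries" for what is a byte count; `" bytes available, but "` describes it accurately. ReadJobSetup begins before this hunk and continues after it.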
@@ -272,8 +277,8 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
 }
 if( nSystem == JOBSET_FILE605_SYSTEM )
 {
- rIStream.Seek( nFirstPos + sizeof( ImplOldJobSetupData ) + 4 + sizeof( Impl364JobSetupData ) + pJobData->mnDriverDataLen );
- while( rIStream.Tell() < nFirstPos + nLen )
+ rIStream.Seek( nFirstPos + sizeof( ImplOldJobSetupData ) + sizeof( Impl364JobSetupData ) + pJobData->mnDriverDataLen );
+ while( rIStream.Tell() < nFirstPos + nRead )
 {
 OUString aKey = read_uInt16_lenPrefixed_uInt8s_ToOUString(rIStream, RTL_TEXTENCODING_UTF8);
 OUString aValue = read_uInt16_lenPrefixed_uInt8s_ToOUString(rIStream, RTL_TEXTENCODING_UTF8);
@@ -291,9 +296,9 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
 else
 pJobData->maValueMap[ aKey ] = aValue;
 }
- DBG_ASSERT( rIStream.Tell() == nFirstPos+nLen, "corrupted job setup" );
+ DBG_ASSERT( rIStream.Tell() == nFirstPos+nRead, "corrupted job setup" );
 // ensure correct stream position
- rIStream.Seek( nFirstPos + nLen );
+ rIStream.Seek(nFirstPos + nRead);
 }
 }
 }
-- 
2.5.0
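Review bot: The rewritten Seek at the top of this hunk adds `pJobData->mnDriverDataLen`, a 32-bit value decoded from the file in the previous hunk, to the stream position without comparing it against nRead, so an oversized length moves the position past the bytes that were actually read; the following `while( rIStream.Tell() < nFirstPos + nRead )` then never runs and the final `rIStream.Seek(nFirstPos + nRead)` in the last hunk hides the mismatch as a clean parse. Whether the code between the hunks bounds mnDriverDataLen before the driver data itself is copied is outside this view, so that spot deserves the same check. Computing the key/value offset once and rejecting it when it exceeds nRead, with the warn-and-return shape the first hunk introduced, keeps a malformed record from looking like success. ReadJobSetup continues outside this hunk on both sides.
```cpp
if( nSystem == JOBSET_FILE605_SYSTEM )
{
    // mnDriverDataLen comes from the file; the key/value section must
    // start inside the nRead bytes that were actually read.
    const size_t nKeyValueOffset = sizeof( ImplOldJobSetupData )
        + sizeof( Impl364JobSetupData ) + pJobData->mnDriverDataLen;
    if (nKeyValueOffset > nRead)
    {
        SAL_WARN("vcl", "Parsing error: driver data length " << pJobData->mnDriverDataLen
                 << " runs past the job setup record, truncating");
        return rIStream;
    }
    rIStream.Seek( nFirstPos + nKeyValueOffset );
    while( rIStream.Tell() < nFirstPos + nRead )
    // … unchanged: key/value loop and final Seek …
```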