Commits

sj  committed 8719981

os145: #b7001886# fixing small ppt import problem, improving png reader

  • Participants
  • Parent commits b66d00e

Comments (0)

Files changed (2)

File filter/source/msfilter/svdfppt.cxx

 
 	if ( bOk )
 	{
-		// PersistPtrs lesen (alle)
-        nPersistPtrAnz = aUserEditAtom.nMaxPersistWritten + 1;	// 1 mehr, damit ich immer direkt indizieren kann
-        pPersistPtr = new UINT32[ nPersistPtrAnz ];				// (die fangen naemlich eigentlich bei 1 an)
-		if ( !pPersistPtr )
+        nPersistPtrAnz = aUserEditAtom.nMaxPersistWritten + 1;
+		if ( ( nPersistPtrAnz >> 2 ) > nStreamLen )		// sj: at least nPersistPtrAnz is not allowed to be greater than filesize
+			bOk = FALSE;								// (it should not be greater than the PPT_PST_PersistPtrIncrementalBlock, but
+														// we are reading this block later, so we do not have access yet)
+
+		if ( bOk && ( nPersistPtrAnz < ( SAL_MAX_UINT32 / sizeof( UINT32 ) ) ) )
+			pPersistPtr = new (std::nothrow) UINT32[ nPersistPtrAnz ];
+		if ( bOk && !pPersistPtr )
 			bOk = FALSE;
 		else
 		{
             rIn >> nCharCount
                 >> aParaPropSet.pParaSet->mnDepth;	// Einruecktiefe
 
-			aParaPropSet.pParaSet->mnDepth = 
-				std::min(sal_uInt16(9),
+			aParaPropSet.pParaSet->mnDepth =		// taking care of about using not more than 9 outliner levels
+				std::min(sal_uInt16(8),
 					aParaPropSet.pParaSet->mnDepth);
 
             nCharCount--;

File vcl/source/gdi/pngread.cxx

 
 			case PNGCHUNK_IDAT :
 			{
-				if ( !mbIDAT )		// the gfx is finished, but there may be left a zlibCRC of about 4Bytes
+				if ( !mpInflateInBuf )	// taking care that the header has properly been read
+					mbStatus = FALSE;
+				else if ( !mbIDAT )		// the gfx is finished, but there may be left a zlibCRC of about 4Bytes
 					ImplReadIDAT();
 			}
 			break;
 	mbIDAT = mbAlphaChannel = mbTransparent = FALSE;
 	mbGrayScale = mbRGBTriple = FALSE;
 	mnTargetDepth = mnPngDepth;
-	mnScansize = ( ( maOrigSize.Width() * mnPngDepth ) + 7 ) >> 3;
+	sal_uInt64 nScansize64 = ( ( static_cast< sal_uInt64 >( maOrigSize.Width() ) * mnPngDepth ) + 7 ) >> 3;
 
 	// valid color types are 0,2,3,4 & 6
 	switch ( mnColorType )
 		case 2 :	// each pixel is an RGB triple
 		{
 			mbRGBTriple = TRUE;
-			mnScansize *= 3;
+			nScansize64 *= 3;
 			switch ( mnPngDepth )
 			{
 				case 16 :			// we have to reduce the bitmap
 
 		case 4 :	// each pixel is a grayscale sample followed by an alpha sample
 		{
-			mnScansize *= 2;
+			nScansize64 *= 2;
 			mbAlphaChannel = TRUE;
 			switch ( mnPngDepth )
 			{
 		case 6 :	// each pixel is an RGB triple followed by an alpha sample
 		{
 			mbRGBTriple = TRUE;
-			mnScansize *= 4;
+			nScansize64 *= 4;
 			mbAlphaChannel = TRUE;
 			switch (mnPngDepth )
 			{
 			return FALSE;
 	}
 
-    mnBPP = mnScansize / maOrigSize.Width();
+    mnBPP = static_cast< sal_uInt32 >( nScansize64 / maOrigSize.Width() );
     if ( !mnBPP )
         mnBPP = 1;
 
-    mnScansize++;       // each scanline includes one filterbyte
+    nScansize64++;       // each scanline includes one filterbyte
+
+	if ( nScansize64 > SAL_MAX_UINT32 )
+		return FALSE;
+
+	mnScansize = static_cast< sal_uInt32 >( nScansize64 );
 
     // TODO: switch between both scanlines instead of copying
-    mpInflateInBuf = new BYTE[ mnScansize ];
+	mpInflateInBuf = new (std::nothrow) BYTE[ mnScansize ];
     mpScanCurrent = mpInflateInBuf;
-    mpScanPrior = new BYTE[ mnScansize ];
+	mpScanPrior = new (std::nothrow) BYTE[ mnScansize ];
+
+	if ( !mpInflateInBuf || !mpScanPrior )
+		return FALSE;
 
     // calculate target size from original size and the preview hint
     if( rPreviewSizeHint.Width() || rPreviewSizeHint.Height() )