Commits

Anonymous committed cb43d39 Merge

CWS-TOOLING: integrate CWS os145

Comments (0)

Files changed (6)

drawinglayer/source/primitive2d/metafileprimitive2d.cxx

             if(nPushFlags)
             {
                 OSL_ENSURE(maPropertyHolders.size(), "PropertyHolders: PUSH with no property holders (!)");
-                PropertyHolder* pNew = new PropertyHolder(*maPropertyHolders.back());
-                pNew->setPushFlags(nPushFlags);
-                maPropertyHolders.push_back(pNew);
+				if ( !maPropertyHolders.empty() )
+				{
+					PropertyHolder* pNew = new PropertyHolder(*maPropertyHolders.back());
+					pNew->setPushFlags(nPushFlags);
+					maPropertyHolders.push_back(pNew);
+				}
             }
         }
 
 
         PropertyHolder& Current()
         {
+			static PropertyHolder aDummy;
             OSL_ENSURE(maPropertyHolders.size(), "PropertyHolders: CURRENT with no property holders (!)");
-            return *maPropertyHolders.back();
+			return maPropertyHolders.empty() ? aDummy : *maPropertyHolders.back();
         }
 
         ~PropertyHolders()

filter/source/msfilter/svdfppt.cxx

 
 	if ( bOk )
 	{
-		// PersistPtrs lesen (alle)
-        nPersistPtrAnz = aUserEditAtom.nMaxPersistWritten + 1;	// 1 mehr, damit ich immer direkt indizieren kann
-        pPersistPtr = new UINT32[ nPersistPtrAnz ];				// (die fangen naemlich eigentlich bei 1 an)
+        nPersistPtrAnz = aUserEditAtom.nMaxPersistWritten + 1;
+		if ( ( nPersistPtrAnz >> 2 ) > nStreamLen )		// sj: at least nPersistPtrAnz is not allowed to be greater than filesize
+			bOk = FALSE;								// (it should not be greater than the PPT_PST_PersistPtrIncrementalBlock, but
+														// we are reading this block later, so we do not have access yet)
+
+		if ( bOk && ( nPersistPtrAnz < ( SAL_MAX_UINT32 / sizeof( UINT32 ) ) ) )
+			pPersistPtr = new (std::nothrow) UINT32[ nPersistPtrAnz ];
 		if ( !pPersistPtr )
 			bOk = FALSE;
-		else
+		if ( bOk )
 		{
 			memset( pPersistPtr, 0x00, nPersistPtrAnz * 4 );
 
             rIn >> nCharCount
                 >> aParaPropSet.pParaSet->mnDepth;	// Einruecktiefe
 
-			aParaPropSet.pParaSet->mnDepth = 
-				std::min(sal_uInt16(9),
+			aParaPropSet.pParaSet->mnDepth =		// taking care of about using not more than 9 outliner levels
+				std::min(sal_uInt16(8),
 					aParaPropSet.pParaSet->mnDepth);
 
             nCharCount--;

sw/source/filter/ww8/ww8par.cxx

         }
         SwWW8ImplReader* pRdr = new SwWW8ImplReader(nVersion, pStg, pIn, rDoc,
             rBaseURL, bNew);
-        nRet = pRdr->LoadDoc( rPam );
+        try
+        {
+            nRet = pRdr->LoadDoc( rPam );
+        }
+        catch( const std::exception& )
+        {
+            nRet = ERR_WW8_NO_WW8_FILE_ERR;
+        }
         delete pRdr;
 
         if( refStrm.Is() )

sw/source/filter/ww8/ww8scan.cxx

 
 const BYTE* WW8SprmIter::operator ++( int )
 {
-    if (nRemLen > 0)
-    {
-        pSprms += nAktSize;
-        nRemLen -= nAktSize;
-        UpdateMyMembers();
+    if (nRemLen > 0 )
+    {
+        if( nRemLen >= nAktSize )
+        {
+            pSprms += nAktSize;
+            nRemLen -= nAktSize;
+            UpdateMyMembers();
+        }
+        else
+        {
+            throw( ::std::exception() );
+        }
     }
     return pSprms;
 }
         Otherwise our cool fastsave algorithm can be brought to bear on the
         problem.
         */
+        if( !pPieceIter )
+            return;
         ULONG nOldPos = pPieceIter->GetIdx();
         bool bOk = pPieceIter->SeekPos(nOrigCp);
         pPieceIter->SetIdx( nOldPos );

vcl/source/gdi/metaact.cxx

 	rIStm	>> mnLen;
 	rIStm	>> nAryLen;
 
+	if ( mnIndex > mnLen )
+	{
+		mnIndex = 0;
+		mpDXAry = 0;
+		return;
+	}
+
 	if( nAryLen )
 	{
         // #i9762#, #106172# Ensure that DX array is at least mnLen entries long
-        const ULONG nIntAryLen( Max(nAryLen, static_cast<sal_uInt32>(mnLen)) );
-		mpDXAry = new sal_Int32[ nIntAryLen ];
-        
-        ULONG i;
-		for( i = 0UL; i < nAryLen; i++ )
-			rIStm >> mpDXAry[ i ];
-
-        // #106172# setup remainder
-		for( ; i < nIntAryLen; i++ )
-            mpDXAry[ i ] = 0;
+		if ( mnLen >= nAryLen )
+		{
+			mpDXAry = new (std::nothrow)sal_Int32[ mnLen ];
+			if ( mpDXAry )
+			{
+	       		ULONG i;
+				for( i = 0UL; i < nAryLen; i++ )
+					rIStm >> mpDXAry[ i ];
+
+				// #106172# setup remainder
+				for( ; i < mnLen; i++ )
+					mpDXAry[ i ] = 0;
+			}
+		}
+		else
+		{
+			mpDXAry = NULL;
+			return;
+		}
 	}
 	else
 		mpDXAry = NULL;

vcl/source/gdi/pngread.cxx

 
 			case PNGCHUNK_IDAT :
 			{
-				if ( !mbIDAT )		// the gfx is finished, but there may be left a zlibCRC of about 4Bytes
+				if ( !mpInflateInBuf )	// taking care that the header has properly been read
+					mbStatus = FALSE;
+				else if ( !mbIDAT )		// the gfx is finished, but there may be left a zlibCRC of about 4Bytes
 					ImplReadIDAT();
 			}
 			break;
 	mbIDAT = mbAlphaChannel = mbTransparent = FALSE;
 	mbGrayScale = mbRGBTriple = FALSE;
 	mnTargetDepth = mnPngDepth;
-	mnScansize = ( ( maOrigSize.Width() * mnPngDepth ) + 7 ) >> 3;
+	sal_uInt64 nScansize64 = ( ( static_cast< sal_uInt64 >( maOrigSize.Width() ) * mnPngDepth ) + 7 ) >> 3;
 
 	// valid color types are 0,2,3,4 & 6
 	switch ( mnColorType )
 		case 2 :	// each pixel is an RGB triple
 		{
 			mbRGBTriple = TRUE;
-			mnScansize *= 3;
+			nScansize64 *= 3;
 			switch ( mnPngDepth )
 			{
 				case 16 :			// we have to reduce the bitmap
 
 		case 4 :	// each pixel is a grayscale sample followed by an alpha sample
 		{
-			mnScansize *= 2;
+			nScansize64 *= 2;
 			mbAlphaChannel = TRUE;
 			switch ( mnPngDepth )
 			{
 		case 6 :	// each pixel is an RGB triple followed by an alpha sample
 		{
 			mbRGBTriple = TRUE;
-			mnScansize *= 4;
+			nScansize64 *= 4;
 			mbAlphaChannel = TRUE;
 			switch (mnPngDepth )
 			{
 			return FALSE;
 	}
 
-    mnBPP = mnScansize / maOrigSize.Width();
+    mnBPP = static_cast< sal_uInt32 >( nScansize64 / maOrigSize.Width() );
     if ( !mnBPP )
         mnBPP = 1;
 
-    mnScansize++;       // each scanline includes one filterbyte
+    nScansize64++;       // each scanline includes one filterbyte
+
+	if ( nScansize64 > SAL_MAX_UINT32 )
+		return FALSE;
+
+	mnScansize = static_cast< sal_uInt32 >( nScansize64 );
 
     // TODO: switch between both scanlines instead of copying
-    mpInflateInBuf = new BYTE[ mnScansize ];
+	mpInflateInBuf = new (std::nothrow) BYTE[ mnScansize ];
     mpScanCurrent = mpInflateInBuf;
-    mpScanPrior = new BYTE[ mnScansize ];
+	mpScanPrior = new (std::nothrow) BYTE[ mnScansize ];
+
+	if ( !mpInflateInBuf || !mpScanPrior )
+		return FALSE;
 
     // calculate target size from original size and the preview hint
     if( rPreviewSizeHint.Width() || rPreviewSizeHint.Height() )