WMF record size < 3 is clearly broken

...so we should not attempt to (mis-)interpret such broken input. Change-Id: I97f4f46fdfc0dfe6f9aff42917d23634b844c7f0

WMF record size < 3 is clearly broken
...so we should not attempt to (mis-)interpret such broken input. Change-Id: I97f4f46fdfc0dfe6f9aff42917d23634b844c7f0
90f0af7a · Stephan Bergmann · c7aed931 · 90f0af7a · 90f0af7a · 90f0af7a
Kaydet (Commit) 90f0af7a authored Haz 05, 2014 tarafından Stephan Bergmann
3 changed files
--- a/vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2007-1238-1.wmf
+++ b/vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2007-1238-1.wmf
--- a/vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2007-1245-1.wmf
+++ b/vcl/qa/cppunit/graphicfilter/data/wmf/pass/CVE-2007-1245-1.wmf
--- a/vcl/source/filter/wmf/winwmf.cxx
+++ b/vcl/source/filter/wmf/winwmf.cxx
@@ -1377,13 +1377,19 @@ bool WMFReader::GetPlaceableBound( Rectangle& rPlaceableBound, SvStream* pStm )
        {
            pStm->ReadUInt32( nRSize ).ReadUInt16( nFunction );
-            if( pStm->GetError() || ( nRSize < 3 ) || ( nRSize==3 && nFunction==0 ) || pStm->IsEof() )
+            if( pStm->GetError() )
            {
-                if( pStm->IsEof() )
+                bRet = false;
+                break;
+            }
+            else if ( nRSize==3 && nFunction==0 )
+            {
+                break;
+            }
+            else if ( nRSize < 3 || pStm->IsEof() )
            {
                pStm->SetError( SVSTREAM_FILEFORMAT_ERROR );
                bRet = false;
-                }
                break;
            }
            switch( nFunction )