ofz#14469 null deref

since... commit af84fc9d Date: Tue Apr 23 15:48:41 2019 +0200 lazy image loading shouldn't read the entire .xls file (tdf#124828) nLength is just an unchecked value in the dff stream, it might not be sane so limit it to the max len of the stream Change-Id: Ia8a2830478952afe1317b5cd795f35059d9b380a Reviewed-on: https://gerrit.libreoffice.org/71413 Tested-by: Jenkins Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>

ofz#14469 null deref
since... commit af84fc9d Date: Tue Apr 23 15:48:41 2019 +0200 lazy image loading shouldn't read the entire .xls file (tdf#124828) nLength is just an unchecked value in the dff stream, it might not be sane so limit it to the max len of the stream Change-Id: Ia8a2830478952afe1317b5cd795f35059d9b380a Reviewed-on: https://gerrit.libreoffice.org/71413 Tested-by: Jenkins Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
dc3752ef · Caolán McNamara · Michael Stahl · b97495c5 · dc3752ef
Kaydet (Commit) dc3752ef authored Nis 27, 2019 tarafından Caolán McNamara Kaydeden (comit) Michael Stahl Nis 29, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

graphicfilter.cxx vcl/source/filter/graphicfilter.cxx +3 -1

No files found.
--- a/vcl/source/filter/graphicfilter.cxx
+++ b/vcl/source/filter/graphicfilter.cxx
@@ -1443,7 +1443,9 @@ Graphic GraphicFilter::ImportUnloadedGraphic(SvStream& rIStream, sal_uInt64 size
    ErrCode nStatus = ImpTestOrFindFormat("", rIStream, nFormat);
    rIStream.Seek(nStreamBegin);
-    const sal_uInt32 nStreamLength( sizeLimit ? sizeLimit : rIStream.remainingSize());
+    sal_uInt32 nStreamLength(rIStream.remainingSize());
+    if (sizeLimit && sizeLimit < nStreamLength)
+        nStreamLength = sizeLimit;
    OUString aFilterName = pConfig->GetImportFilterName(nFormat);
    OUString aExternalFilterName = pConfig->GetExternalFilterName(nFormat, false);