Skip to content
Permalink
Browse files

ofz#372 check if ImplSplit succeeded

Change-Id: I1e34295fe3ee5f77e787f583616d52fa92a0eca4
  • Loading branch information...
Caolán McNamara
Caolán McNamara committed Jan 2, 2017
1 parent 2cdaab4 commit 62a97e6a561ce65e88d4c537a1b82c336f012722
Showing with 10 additions and 5 deletions.
  1. +1 −1 tools/inc/poly.h
  2. +9 −4 tools/source/generic/poly.cxx
@@ -43,7 +43,7 @@ class SAL_WARN_UNUSED ImplPolygon : public ImplPolygonData

void ImplSetSize( sal_uInt16 nSize, bool bResize = true );
void ImplCreateFlagArray();
void ImplSplit( sal_uInt16 nPos, sal_uInt16 nSpace, ImplPolygon const * pInitPoly = nullptr );
bool ImplSplit( sal_uInt16 nPos, sal_uInt16 nSpace, ImplPolygon const * pInitPoly = nullptr );
};

#define MAX_POLYGONS ((sal_uInt16)0x3FF0)
@@ -212,11 +212,14 @@ void ImplPolygon::ImplSetSize( sal_uInt16 nNewSize, bool bResize )
mnPoints = nNewSize;
}

void ImplPolygon::ImplSplit( sal_uInt16 nPos, sal_uInt16 nSpace, ImplPolygon const * pInitPoly )
bool ImplPolygon::ImplSplit( sal_uInt16 nPos, sal_uInt16 nSpace, ImplPolygon const * pInitPoly )
{
//Can't fit this in :-(, throw ?
if (mnPoints + nSpace > USHRT_MAX)
return;
{
SAL_WARN("tools", "Polygon needs " << mnPoints + nSpace << " points, but only " << USHRT_MAX << " possible");
return false;
}

const sal_uInt16 nNewSize = mnPoints + nSpace;
const std::size_t nSpaceSize = static_cast<std::size_t>(nSpace) * sizeof(Point);
@@ -272,6 +275,8 @@ void ImplPolygon::ImplSplit( sal_uInt16 nPos, sal_uInt16 nSpace, ImplPolygon con
mpPointAry = pNewAry;
mnPoints = nNewSize;
}

return true;
}

void ImplPolygon::ImplCreateFlagArray()
@@ -1472,8 +1477,8 @@ void Polygon::Insert( sal_uInt16 nPos, const Point& rPt )
if( nPos >= mpImplPolygon->mnPoints )
nPos = mpImplPolygon->mnPoints;

mpImplPolygon->ImplSplit( nPos, 1 );
mpImplPolygon->mpPointAry[ nPos ] = rPt;
if (mpImplPolygon->ImplSplit(nPos, 1))
mpImplPolygon->mpPointAry[ nPos ] = rPt;
}

void Polygon::Insert( sal_uInt16 nPos, const tools::Polygon& rPoly )

1 comment on commit 62a97e6

@carnil

This comment has been minimized.

Copy link

commented on 62a97e6 Apr 14, 2017

The issue fixed by this commit has been assigned CVE-2017-7870

Please sign in to comment.
You can’t perform that action at this time.