apply allocation bounds check to EmfExtCreatePen style entries#1113
Conversation
| // If the pen type in the PenStyle field is PS_GEOMETRIC, the lengths are specified in logical | ||
| // units; otherwise, the lengths are specified in device units. | ||
|
|
||
| IOUtils.safelyAllocateCheck(numStyleEntries, HwmfPicture.getMaxRecordLength()); |
There was a problem hiding this comment.
this seems bad - why use use hwmf limit in hemf?
There was a problem hiding this comment.
good catch, that was reaching into the hwmf limit by mistake. now that #1114 has landed the hemf-specific limit i've rebased and switched this to HemfPicture.safelyAllocateCheck, same as the polyline decoder in HemfDraw.
|
I must admit that I'm getting very bored of PRs that apply these limits. I'm thinking of raising a general discussion among the POI volunteers about just giving up on this sort of work. |
metsw24-max
force-pushed
the
extcreatepen-style-entries-bound
branch
from
ecc78a3 to
c5fb2f1
Compare
|
that's fair, and i understand the fatigue. you're right that this mostly swaps one exception for another and the security page is clear that untrusted input isn't supported, so i won't keep pushing more of these. happy to leave the broader call to you and the other volunteers. i've rebased this one to use the new hemf limit from #1114 so at least it's consistent with the rest of the package, but no objection if you'd rather close it. |
metsw24-max
force-pushed
the
extcreatepen-style-entries-bound
branch
from
c5fb2f1 to
f03f4d9
Compare
2 participants
Unbounded dash array in EmfExtCreatePen
NumStyleEntries is read straight from the EMR_EXTCREATEPEN record and used as the length of the dash-pattern array with no cap, so a crafted metafile allocates an arbitrary float array, and a high-bit value goes negative once narrowed by the (int) cast. I added the same safelyAllocateCheck the sibling pen and poly decoders already use, so an oversize count raises RecordFormatException like the rest of the record.