check length, not number of elements

Regression since commit cf0303b0ca57d3f54aa50686d38aaa149c02d034 "oss-fuzz: avoid big allocations". Change-Id: Ib0520513469d1de8c00085d1a86b9885b67873da
author: David Tardon <dtardon@redhat.com> 2017-10-21 16:08:53 +0200
committer: David Tardon <dtardon@redhat.com> 2017-10-21 16:09:25 +0200
commit: a0694f22ddf9ba2fa8a33940ac4761d48b0eef46 (patch)
tree: cb87a9c77bdacad244533d0d528150f5d0ce9c13
parent: 3f9664f3a99c320e44f8c1c5522dee7bf11e0bfa (diff)
1 files changed, 14 insertions, 7 deletions
diff --git a/src/lib/VSDParser.cpp b/src/lib/VSDParser.cpp
index 69d3d56..c6a996e 100644
--- a/src/lib/VSDParser.cpp
+++ b/src/lib/VSDParser.cpp
@@ -946,7 +946,8 @@ void libvisio::VSDParser::readGeomList(librevenge::RVNGInputStream *input)
     uint32_t childrenListLength = readU32(input);
     input->seek(subHeaderLength, librevenge::RVNG_SEEK_CUR);
     std::vector<unsigned> geometryOrder;
-    sanitizeListLength(childrenListLength, 4, input);
+    if (childrenListLength > getRemainingLength(input))
+      childrenListLength = getRemainingLength(input);
     geometryOrder.reserve(childrenListLength / sizeof(uint32_t));
     for (unsigned i = 0; i < (childrenListLength / sizeof(uint32_t)); i++)
       geometryOrder.push_back(readU32(input));
@@ -971,7 +972,8 @@ void libvisio::VSDParser::readCharList(librevenge::RVNGInputStream *input)
     uint32_t subHeaderLength = readU32(input);
     uint32_t childrenListLength = readU32(input);
     input->seek(subHeaderLength, librevenge::RVNG_SEEK_CUR);
-    sanitizeListLength(childrenListLength, 4, input);
+    if (childrenListLength > getRemainingLength(input))
+      childrenListLength = getRemainingLength(input);
     std::vector<unsigned> characterOrder;
     characterOrder.reserve(childrenListLength / sizeof(uint32_t));
     for (unsigned i = 0; i < (childrenListLength / sizeof(uint32_t)); i++)
@@ -992,7 +994,8 @@ void libvisio::VSDParser::readParaList(librevenge::RVNGInputStream *input)
     uint32_t subHeaderLength = readU32(input);
     uint32_t childrenListLength = readU32(input);
     input->seek(subHeaderLength, librevenge::RVNG_SEEK_CUR);
-    sanitizeListLength(childrenListLength, 4, input);
+    if (childrenListLength > getRemainingLength(input))
+      childrenListLength = getRemainingLength(input);
     std::vector<unsigned> paragraphOrder;
     paragraphOrder.reserve(childrenListLength / sizeof(uint32_t));
     for (unsigned i = 0; i < (childrenListLength / sizeof(uint32_t)); i++)
@@ -1017,7 +1020,8 @@ void libvisio::VSDParser::readTabsDataList(librevenge::RVNGInputStream *input)
     uint32_t subHeaderLength = readU32(input);
     uint32_t childrenListLength = readU32(input);
     input->seek(subHeaderLength, librevenge::RVNG_SEEK_CUR);
-    sanitizeListLength(childrenListLength, 4, input);
+    if (childrenListLength > getRemainingLength(input))
+      childrenListLength = getRemainingLength(input);
     std::vector<unsigned> tabsOrder;
     tabsOrder.reserve(childrenListLength / sizeof(uint32_t));
     for (unsigned i = 0; i < (childrenListLength / sizeof(uint32_t)); i++)
@@ -1036,7 +1040,8 @@ void libvisio::VSDParser::readLayerList(librevenge::RVNGInputStream *input)
     uint32_t subHeaderLength = readU32(input);
     uint32_t childrenListLength = readU32(input);
     input->seek(subHeaderLength, librevenge::RVNG_SEEK_CUR);
-    sanitizeListLength(childrenListLength, 4, input);
+    if (childrenListLength > getRemainingLength(input))
+      childrenListLength = getRemainingLength(input);
     std::vector<unsigned> layerOrder;
     layerOrder.reserve(childrenListLength / sizeof(uint32_t));
     for (unsigned i = 0; i < (childrenListLength / sizeof(uint32_t)); i++)
@@ -1210,7 +1215,8 @@ void libvisio::VSDParser::readShapeList(librevenge::RVNGInputStream *input)
     uint32_t subHeaderLength = readU32(input);
     uint32_t childrenListLength = readU32(input);
     input->seek(subHeaderLength, librevenge::RVNG_SEEK_CUR);
-    sanitizeListLength(childrenListLength, sizeof(uint32_t), input);
+    if (childrenListLength > getRemainingLength(input))
+      childrenListLength = getRemainingLength(input);
     std::vector<unsigned> shapeOrder;
     shapeOrder.reserve(childrenListLength / sizeof(uint32_t));
     for (unsigned i = 0; i < (childrenListLength / sizeof(uint32_t)); i++)
@@ -1722,7 +1728,8 @@ void libvisio::VSDParser::readFieldList(librevenge::RVNGInputStream *input)
     uint32_t subHeaderLength = readU32(input);
     uint32_t childrenListLength = readU32(input);
     input->seek(subHeaderLength, librevenge::RVNG_SEEK_CUR);
-    sanitizeListLength(childrenListLength, sizeof(uint32_t), input);
+    if (childrenListLength > getRemainingLength(input))
+      childrenListLength = getRemainingLength(input);
     std::vector<unsigned> fieldOrder;
     fieldOrder.reserve(childrenListLength / sizeof(uint32_t));
     for (unsigned i = 0; i < (childrenListLength / sizeof(uint32_t)); i++)
author	David Tardon <dtardon@redhat.com>	2017-10-21 16:08:53 +0200
committer	David Tardon <dtardon@redhat.com>	2017-10-21 16:09:25 +0200
commit	a0694f22ddf9ba2fa8a33940ac4761d48b0eef46 (patch)
tree	cb87a9c77bdacad244533d0d528150f5d0ce9c13
parent	3f9664f3a99c320e44f8c1c5522dee7bf11e0bfa (diff)