From 73e3203529affb67fbf83f8867a8bae13170d734 Mon Sep 17 00:00:00 2001
From: Federico Montesino Pouzols <federico.montesino-pouzols@stfc.ac.uk>
Date: Tue, 13 Oct 2015 15:48:03 +0100
Subject: [PATCH] fix integer overflow before mem allocation, IDs 1075711-14,
 re #13951

---
 MantidPlot/src/origin/OPJFile.cpp | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/MantidPlot/src/origin/OPJFile.cpp b/MantidPlot/src/origin/OPJFile.cpp
index c0eaf257564..73c397f65f2 100644
--- a/MantidPlot/src/origin/OPJFile.cpp
+++ b/MantidPlot/src/origin/OPJFile.cpp
@@ -52,6 +52,7 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <limits.h>
 #include <math.h>
 #include <cstring>
 #include <algorithm> //required for std::swap
@@ -1327,6 +1328,12 @@ void OPJFile::readSpreadInfo(FILE *f, FILE *debug)
       fread(&sec_size,4,1,f);
       if(IsBigEndian()) SwapBytes(sec_size);
 
+      if (INT_MAX == sec_size) {
+        // this would end in an overflow and it's obviously wrong
+        fprintf(debug, "Error: while reading spread info, found section size: %d\n", sec_size);
+        fflush(debug);
+      }
+
     //section_body_1
       LAYER+=0x5;
       fseek(f,LAYER,SEEK_SET);
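Review bot: The new `INT_MAX == sec_size` check only writes to the debug log and then falls through, so the code after it still runs with the rejected size and the overflow named in the comment is not prevented. It also catches a single value: a negative or merely very large `sec_size` read from the file passes unchanged (the `%d` format suggests `sec_size` is a signed int, though its declaration is outside the hunk). Consider widening the test to `if (sec_size < 0 || sec_size == INT_MAX)` and adding `return;` after `fflush(debug);`, or whatever error path the enclosing loop, which is not visible here, expects. The same log-only pattern is repeated in the readExcelInfo, readMatrixInfo and readProjectTreeFolder hunks; in the last one `new char[namesize+1]` follows directly.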
@@ -1335,6 +1342,9 @@ void OPJFile::readSpreadInfo(FILE *f, FILE *debug)
       if(col_index!=-1)
       {
         char *stmp=new char[sec_size+1];
+        if (!stmp)
+          break;
+
         stmp[sec_size]='\0';
         fread(stmp,sec_size,1,f);
         SPREADSHEET[spread].column[col_index].command=stmp;
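Review bot: The added `if (!stmp) break;` cannot trigger, because a plain `new char[sec_size+1]` reports failure by throwing `std::bad_alloc` rather than returning null, so an oversized section still ends in an uncaught exception. To get the intended behaviour, allocate with `char *stmp=new (std::nothrow) char[sec_size+1];` (which needs `<new>`) or catch the exception around the allocation. If `sec_size` is signed and the file supplies -1, the allocation is zero-length and `stmp[sec_size]='\0'` writes before the buffer, so the size should be range-checked before this line. The loop that `break` leaves starts outside the hunk.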
@@ -1552,6 +1562,12 @@ void OPJFile::readExcelInfo(FILE *f, FILE *debug)
       fread(&sec_size,4,1,f);
       if(IsBigEndian()) SwapBytes(sec_size);
 
+      if (INT_MAX == sec_size) {
+        // this would end in an overflow for new[] below and it's obviously wrong
+        fprintf(debug, "Error: while reading Excel info, found section size: %d\n", sec_size);
+        fflush(debug);
+      }
+
     //section_body_1
       LAYER+=0x5;
       fseek(f,LAYER,SEEK_SET);
@@ -1802,6 +1818,12 @@ void OPJFile::readMatrixInfo(FILE *f, FILE *debug)
     fread(&sec_size,4,1,f);
     if(IsBigEndian()) SwapBytes(sec_size);
 
+    if (INT_MAX == sec_size) {
+      // this would end in an overflow for new[] below and it's obviously wrong
+      fprintf(debug, "Error: while reading matrix info, found section size: %d\n", sec_size);
+      fflush(debug);
+    }
+
   //section_body_1
     LAYER+=0x5;
     //check if it is a formula
@@ -2933,11 +2955,17 @@ void OPJFile::readProjectTreeFolder(FILE *f, FILE *debug, tree<projectNode>::ite
   fread(&namesize,4,1,f);
   if(IsBigEndian()) SwapBytes(namesize);
 
-  POS+=5;
+  if (INT_MAX == namesize) {
+    // this would cause an overflow and it's anyway obviously wrong
+    fprintf(debug, "Error: while reading project tree folder, found project/folder name size: %d\n", namesize);
+    fflush(debug);
+  }
 
   // read folder name
   char* name=new char[namesize+1];
   name[namesize]='\0';
+
+  POS+=5;
   fseek(f,POS,SEEK_SET);
   fread(name,namesize,1,f);
   tree<projectNode>::iterator current_folder=projectTree.append_child(parent, projectNode(name, 1, creation_date, modification_date));
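Review bot: The result of `fread(name,namesize,1,f)` is ignored, so on a truncated or malformed project file `name` keeps uninitialised heap bytes that `projectNode(name, ...)` then stores as the folder name. Checking the count, for example `if (fread(name,1,namesize,f) != static_cast<size_t>(namesize)) { delete[] name; return; }`, would stop parsing at that point; the right error path depends on the rest of readProjectTreeFolder, which continues outside the hunk. Whether `name` is freed later is not visible here and is worth confirming. The unchecked `fread(stmp,sec_size,1,f)` in the readSpreadInfo hunk has the same problem.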
-- 
GitLab