summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorCaolán McNamara <caolanm@redhat.com>2013-11-07 08:48:22 +0000
committerCaolán McNamara <caolanm@redhat.com>2013-11-07 08:48:53 +0000
commitcc79b16a75efcb62cd2fe2f1ee26f6650ab082ee (patch)
treee29c727ec6e47e95043954f147ac1428bd16bfb6
parenteacb4a71ec6801f7bec491f705151844c6bfe945 (diff)
ensure string accesses are in bounds
as demonstrated by ooo39541-3.rtf Change-Id: I995f0250e98a68b1b56da877314c9fd24cf46221
Diffstat
-rw-r--r--writerfilter/source/rtftok/rtfdocumentimpl.cxx10
1 files changed, 7 insertions, 3 deletions
diff --git a/writerfilter/source/rtftok/rtfdocumentimpl.cxx b/writerfilter/source/rtftok/rtfdocumentimpl.cxx
index f6f3b36b754d..f00ee1399877 100644
--- a/writerfilter/source/rtftok/rtfdocumentimpl.cxx
+++ b/writerfilter/source/rtftok/rtfdocumentimpl.cxx
@@ -4041,16 +4041,20 @@ int RTFDocumentImpl::popState()
}
}
aStr = aBuf.makeStringAndClear();
+
// ignore the first bytes
if (aStr.getLength() > 8)
aStr = aStr.copy(8);
// extract name
- int nLength = aStr.toChar();
+ sal_Int32 nLength = aStr.toChar();
if (!aStr.isEmpty())
aStr = aStr.copy(1);
+ nLength = std::min(nLength, aStr.getLength());
OString aName = aStr.copy(0, nLength);
- if (!aStr.isEmpty())
+ if (aStr.getLength() > nLength)
aStr = aStr.copy(nLength+1); // zero-terminated string
+ else
+ aStr = OString();
// extract default text
nLength = aStr.toChar();
if (!aStr.isEmpty())
@@ -4059,7 +4063,7 @@ int RTFDocumentImpl::popState()
m_aFormfieldSprms.set(NS_ooxml::LN_CT_FFData_name, pNValue);
if (nLength > 0)
{
- OString aDefaultText = aStr.copy(0, nLength);
+ OString aDefaultText = aStr.copy(0, std::min(nLength, aStr.getLength()));
RTFValue::Pointer_t pDValue(new RTFValue(OStringToOUString(aDefaultText, aState.nCurrentEncoding)));
m_aFormfieldSprms.set(NS_ooxml::LN_CT_FFTextInput_default, pDValue);
}
generated by cgit (git 2.34.1) at 2025-03-06 04:46:12 +0000