summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorCaolán McNamara <caolanm@redhat.com>2017-04-03 21:22:00 +0100
committerAndras Timar <andras.timar@collabora.com>2017-04-23 21:36:08 +0200
commit49b43bb28829169edeca4176a88599f3c3dbfd8f (patch)
tree71e5e7aaefcdcef557a3807780fdf54bbdfbcf90
parenta59cf20b63007dea06e51682ae17837b37e3af4e (diff)
ofz: check anldPap sprm for valid ANLD payload len
Change-Id: Ie034e3b37e01c29cf19fe8ad78b1121f6eadecb2 Reviewed-on: https://gerrit.libreoffice.org/36053 Reviewed-by: Caolán McNamara <caolanm@redhat.com> Tested-by: Caolán McNamara <caolanm@redhat.com> (cherry picked from commit 29cf858a971273039fff50808082f231dbd43c92) Reviewed-on: https://gerrit.libreoffice.org/36076 Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Michael Stahl <mstahl@redhat.com> (cherry picked from commit d9d8631d7c0142e2ddd0bec1f986cb20f339d639) (cherry picked from commit 74a1987c81059fa5e37c2c12144c583e3f3dd95e)
-rw-r--r--sw/source/filter/ww8/ww8par2.cxx7
1 files changed, 7 insertions, 0 deletions
diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
index c1e3ab02e2fd..4d7da746b58a 100644
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
@@ -836,6 +836,13 @@ void SwWW8ImplReader::Read_ANLevelDesc( sal_uInt16, const sal_uInt8* pData, shor
return;
}
+ if (static_cast<size_t>(nLen) < sizeof(WW8_ANLD))
+ {
+ SAL_WARN("sw.ww8", "ANLevelDesc property is " << nLen << " long, needs to be at least " << sizeof(WW8_ANLD));
+ m_nSwNumLevel = 0xff;
+ return;
+ }
+
if( m_nSwNumLevel <= MAXLEVEL // Value range mapping WW:1..9 -> SW:0..8
&& m_nSwNumLevel <= 9 ){ // No Bullets or Numbering