ofz: check anldPap sprm for valid ANLD payload len

Change-Id: Ie034e3b37e01c29cf19fe8ad78b1121f6eadecb2 Reviewed-on: https://gerrit.libreoffice.org/36053 Reviewed-by: Caolán McNamara <caolanm@redhat.com> Tested-by: Caolán McNamara <caolanm@redhat.com> (cherry picked from commit 29cf858a971273039fff50808082f231dbd43c92) Reviewed-on: https://gerrit.libreoffice.org/36075 Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Michael Stahl <mstahl@redhat.com> (cherry picked from commit 5d5731a372e540fbb9344533b6dd7e06fc123687)
author: Caolán McNamara <caolanm@redhat.com> 2017-04-03 21:22:00 +0100
committer: Andras Timar <andras.timar@collabora.com> 2017-04-07 07:53:04 +0200
commit: 89fc91553330c9b14f87032abd72fe4383f3da96 (patch)
tree: 84182eb8c4cd7033dd85adde1a361ef7c4749a90
parent: 3e2c275cb5b6697588526951155ec90327e2ba7d (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
index f214d213f85b..48417eeb38a6 100644
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
@@ -883,6 +883,13 @@ void SwWW8ImplReader::Read_ANLevelDesc( sal_uInt16, const sal_uInt8* pData, shor
         return;
     }
 
+    if (static_cast<size_t>(nLen) < sizeof(WW8_ANLD))
+    {
+        SAL_WARN("sw.ww8", "ANLevelDesc property is " << nLen << " long, needs to be at least " << sizeof(WW8_ANLD));
+        m_nSwNumLevel = 0xff;
+        return;
+    }
+
     if( m_nSwNumLevel <= MAXLEVEL         // Value range mapping WW:1..9 -> SW:0..8
         && m_nSwNumLevel <= 9 ){          // No Bullets or Numbering
author	Caolán McNamara <caolanm@redhat.com>	2017-04-03 21:22:00 +0100
committer	Andras Timar <andras.timar@collabora.com>	2017-04-07 07:53:04 +0200
commit	89fc91553330c9b14f87032abd72fe4383f3da96 (patch)
tree	84182eb8c4cd7033dd85adde1a361ef7c4749a90
parent	3e2c275cb5b6697588526951155ec90327e2ba7d (diff)