Conditional jump or move depends on uninitialised value(s)

at 0x2DC948DF: connectivity::dbase::ODbaseTable::fillColumns() (DTable.cxx:330) ... by 0x2C57E3B3: ScDocShell::DBaseImport(rtl::OUString const&, unsigned short, ScColWidthParam*, ScFlatBoolRowSegments&) (docsh8.cxx:345) bff + valgrind: sf_52f907dbea3069ba59ef1e183a0f4160-430.pcx fuzz a pcx long enough and it turns into a dbase file Change-Id: Idf1622d6b55ae2cca381f263333d0ab0b6a469b2
author: Caolán McNamara <caolanm@redhat.com> 2014-08-08 15:55:02 +0100
committer: Caolán McNamara <caolanm@redhat.com> 2014-08-09 13:35:48 +0100
commit: a9201a4dfe54d920ff6272aae949eefb7888dc20 (patch)
tree: be0bb6966c8e31d0c56e9ea43d91d58be27d7c8e /connectivity
parent: 1b7d2016f3227afafb31c3ff3fadab68247440f4 (diff)
1 files changed, 16 insertions, 4 deletions
diff --git a/connectivity/source/drivers/dbase/DTable.cxx b/connectivity/source/drivers/dbase/DTable.cxx
index 5d04f13117e1..b205958da3bc 100644
--- a/connectivity/source/drivers/dbase/DTable.cxx
+++ b/connectivity/source/drivers/dbase/DTable.cxx
@@ -322,13 +322,20 @@ void ODbaseTable::fillColumns()
     for (; i < nFieldCount; i++)
     {
         DBFColumn aDBFColumn;
-        m_pFileStream->Read((char*)&aDBFColumn, sizeof(aDBFColumn));
+        sal_Size nRead = m_pFileStream->Read(&aDBFColumn, sizeof(aDBFColumn));
+        if (nRead != sizeof(aDBFColumn))
+        {
+            SAL_WARN("connectivity.drivers", "ODbaseTable::fillColumns: short read!");
+            break;
+        }
         if ( FIELD_DESCRIPTOR_TERMINATOR == aDBFColumn.db_fnm[0] ) // 0x0D stored as the Field Descriptor terminator.
             break;
 
-        bool bIsRowVersion = bFoxPro && ( aDBFColumn.db_frei2[0] & 0x01 ) == 0x01;
+        aDBFColumn.db_fnm[sizeof(aDBFColumn.db_fnm)-1] = 0; //ensure null termination for broken input
         const OUString aColumnName((const char *)aDBFColumn.db_fnm, strlen((const char *)aDBFColumn.db_fnm), m_eEncoding);
 
+        bool bIsRowVersion = bFoxPro && ( aDBFColumn.db_frei2[0] & 0x01 ) == 0x01;
+
         m_aRealFieldLengths.push_back(aDBFColumn.db_flng);
         sal_Int32 nPrecision = aDBFColumn.db_flng;
         sal_Int32 eType;
@@ -2605,7 +2612,12 @@ bool ODbaseTable::seekRow(IResultSetHelper::Movement eCursorPosition, sal_Int32
         if (m_pFileStream->GetError() != ERRCODE_NONE)
             goto Error;
 
-        m_pFileStream->Read((char*)m_pBuffer, nEntryLen);
+        sal_Size nRead = m_pFileStream->Read((char*)m_pBuffer, nEntryLen);
+        if (nRead != nEntryLen)
+        {
+            SAL_WARN("connectivity.drivers", "ODbaseTable::seekRow: short read!");
+            goto Error;
+        }
         if (m_pFileStream->GetError() != ERRCODE_NONE)
             goto Error;
     }
@@ -2728,7 +2740,7 @@ void ODbaseTable::AllocBuffer()
     if (m_pBuffer == NULL && nSize > 0)
     {
         m_nBufferSize = nSize;
-        m_pBuffer       = new sal_uInt8[m_nBufferSize+1];
+        m_pBuffer = new sal_uInt8[m_nBufferSize+1];
     }
 }
author	Caolán McNamara <caolanm@redhat.com>	2014-08-08 15:55:02 +0100
committer	Caolán McNamara <caolanm@redhat.com>	2014-08-09 13:35:48 +0100
commit	a9201a4dfe54d920ff6272aae949eefb7888dc20 (patch)
tree	be0bb6966c8e31d0c56e9ea43d91d58be27d7c8e /connectivity
parent	1b7d2016f3227afafb31c3ff3fadab68247440f4 (diff)