author | Radek Doulik <rodo@novell.com> | 2011-04-29 16:51:52 +0200 |
---|---|---|
committer | Petr Mladek <pmladek@suse.cz> | 2011-04-29 16:51:52 +0200 |
commit | 53836fb680ebd6a57fd0036a9d11045f2c2b1b77 (patch) | |
tree | 6e732dc500122f6b609f8f47ea24a436681f6999 /sd/source | |
parent | 8b964297244b251f4acbe7f966a1594e05644ebc (diff) |
sd-ppt-fix-document-summary-reading.diff: crasher fix (bnc#546758)
fix problem in ppt reading causing crash or memory saturation
Diffstat (limited to 'sd/source')
-rw-r--r-- | sd/source/filter/ppt/propread.cxx | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/sd/source/filter/ppt/propread.cxx b/sd/source/filter/ppt/propread.cxx
index 150acf381c4d..2710be58837c 100644
--- a/sd/source/filter/ppt/propread.cxx
+++ b/sd/source/filter/ppt/propread.cxx
@@ -504,7 +504,9 @@ void Section::Read( SvStorageStream *pStrm )
 case VT_LPWSTR :
 *pStrm >> nTemp;
- nPropSize += ( nTemp << 1 ) + 4;
+ // looks like these are aligned to 4 bytes
+ sal_uInt32 nLength = nPropOfs + nSecOfs + nPropSize + ( nTemp << 1 ) + 4;
+ nPropSize += ( nTemp << 1 ) + 4 + (nLength % 4);
 break;
 case VT_BLOB_OBJECT :
@@ -540,6 +542,9 @@ void Section::Read( SvStorageStream *pStrm )
 break;
 }
 pStrm->Seek( nPropOfs + nSecOfs );
+ // make sure we don't overflow the section size
+ if( nPropSize > nSecSize - nSecOfs )
+ nPropSize = nSecSize - nSecOfs;
 sal_uInt8* pBuf = new sal_uInt8[ nPropSize ];
 pStrm->Read( pBuf, nPropSize );
 AddProperty( nPropId, pBuf, nPropSize ); |
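Review bot: In the `VT_LPWSTR` case, `nTemp` comes straight from the stream and `( nTemp << 1 ) + 4` is evaluated in what appears to be 32-bit unsigned arithmetic (the declaration is outside the hunk), so a large character count wraps before the later clamp ever sees it. The padding term `(nLength % 4)` is the remainder rather than the distance to the next 4-byte boundary; the two only agree while `nLength` is even, so `( 4 - ( nLength % 4 ) ) % 4` would state the intent without relying on that. I would also bound `nTemp` against the section size before the shift. Separately, `sal_uInt32 nLength = …` is an initialised declaration directly under a `case` label; unless braces exist outside the hunk, the following `case VT_BLOB_OBJECT :` jumps past that initialisation, so the three new lines should sit inside `{ }`.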
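Review bot: The new clamp `if( nPropSize > nSecSize - nSecOfs )` subtracts without first checking `nSecOfs <= nSecSize`; if both are unsigned (their declarations are outside the hunk), a file whose offset exceeds the size makes the bound wrap to a huge value and `new sal_uInt8[ nPropSize ]` is again sized by the file. The read starts at `nPropOfs + nSecOfs`, so the space left in the section presumably also depends on `nPropOfs`, which the bound ignores. I would compute the limit with a guard, e.g. `sal_uInt32 nAvail = ( nSecSize > nPropOfs ) ? nSecSize - nPropOfs : 0;` followed by `if( nPropSize > nAvail ) nPropSize = nAvail;`, after confirming which offset is section-relative. The return value of `pStrm->Read( pBuf, nPropSize )` is also unchecked, so on a short read `AddProperty` receives uninitialised bytes; pass the count actually read or drop the property.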