sw: try to limit rowspan/colspan attributes a bit

Not sure what would be a reasonable maximum, but this should at least limit fuzzing to 64k cells at a time. Change-Id: I03c8f828be7ca2d5caeb1f318b55e25ab3f528ef Reviewed-on: https://gerrit.libreoffice.org/48589 Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Thorsten Behrens <Thorsten.Behrens@CIB.de> Reviewed-by: Caolán McNamara <caolanm@redhat.com> Tested-by: Caolán McNamara <caolanm@redhat.com>
author: Michael Stahl <mstahl@redhat.com> 2018-01-25 13:20:55 +0100
committer: Caolán McNamara <caolanm@redhat.com> 2018-01-25 21:31:07 +0100
commit: 0628693eaf056fedf4d82be8f58f0b87ab7dc20b (patch)
tree: 0a3a838c051e1b665f6f4614f2e5e54ecb3a11ca /sw/source/filter/html/htmltab.cxx
parent: c97d67631724c29fa665c5f0aaad0a0fd9a061ee (diff)
1 files changed, 21 insertions, 0 deletions
diff --git a/sw/source/filter/html/htmltab.cxx b/sw/source/filter/html/htmltab.cxx
index 178121062d1a..b80020e80e8a 100644
--- a/sw/source/filter/html/htmltab.cxx
+++ b/sw/source/filter/html/htmltab.cxx
@@ -30,6 +30,7 @@
 #include <editeng/lrspitem.hxx>
 #include <editeng/formatbreakitem.hxx>
 #include <editeng/spltitem.hxx>
+#include <unotools/configmgr.hxx>
 #include <svtools/htmltokn.h>
 #include <svtools/htmlkywd.hxx>
 #include <svl/urihelper.hxx>
@@ -2857,9 +2858,19 @@ CellSaveStruct::CellSaveStruct( SwHTMLParser& rParser, HTMLTable const *pCurTabl
                 break;
             case HtmlOptionId::COLSPAN:
                 m_nColSpan = static_cast<sal_uInt16>(rOption.GetNumber());
+                if (m_nColSpan > 256)
+                {
+                    SAL_INFO("sw.html", "ignoring huge COLSPAN " << m_nColSpan);
+                    m_nColSpan = 1;
+                }
                 break;
             case HtmlOptionId::ROWSPAN:
                 m_nRowSpan = static_cast<sal_uInt16>(rOption.GetNumber());
+                if (m_nRowSpan > 8192 || (m_nRowSpan > 256 && utl::ConfigManager::IsFuzzing()))
+                {
+                    SAL_INFO("sw.html", "ignoring huge ROWSPAN " << m_nRowSpan);
+                    m_nRowSpan = 1;
+                }
                 break;
             case HtmlOptionId::ALIGN:
                 m_eAdjust = rOption.GetEnum( aHTMLPAlignTable, m_eAdjust );
@@ -4265,6 +4276,11 @@ void SwHTMLParser::BuildTableColGroup( HTMLTable *pCurTable,
                     break;
                 case HtmlOptionId::SPAN:
                     pSaveStruct->nColGrpSpan = static_cast<sal_uInt16>(rOption.GetNumber());
+                    if (pSaveStruct->nColGrpSpan > 256)
+                    {
+                        SAL_INFO("sw.html", "ignoring huge SPAN " << pSaveStruct->nColGrpSpan);
+                        pSaveStruct->nColGrpSpan = 1;
+                    }
                     break;
                 case HtmlOptionId::WIDTH:
                     pSaveStruct->nColGrpWidth = static_cast<sal_uInt16>(rOption.GetNumber());
@@ -4347,6 +4363,11 @@ void SwHTMLParser::BuildTableColGroup( HTMLTable *pCurTable,
                         break;
                     case HtmlOptionId::SPAN:
                         nColSpan = static_cast<sal_uInt16>(rOption.GetNumber());
+                        if (nColSpan > 256)
+                        {
+                            SAL_INFO("sw.html", "ignoring huge SPAN " << nColSpan);
+                            nColSpan = 1;
+                        }
                         break;
                     case HtmlOptionId::WIDTH:
                         nColWidth = static_cast<sal_uInt16>(rOption.GetNumber());
author	Michael Stahl <mstahl@redhat.com>	2018-01-25 13:20:55 +0100
committer	Caolán McNamara <caolanm@redhat.com>	2018-01-25 21:31:07 +0100
commit	0628693eaf056fedf4d82be8f58f0b87ab7dc20b (patch)
tree	0a3a838c051e1b665f6f4614f2e5e54ecb3a11ca /sw/source/filter/html/htmltab.cxx
parent	c97d67631724c29fa665c5f0aaad0a0fd9a061ee (diff)