diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2017-10-29 20:30:29 +0000 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2017-10-30 11:17:38 +0100 |
| commit | baefc8a1d7f01fb4717db72854abc06649335397 (patch) | |
| tree | 4eab5af370cf2571b0be0b28745674a797bcc1b6 /sw/source | |
| parent | 236b7e19bb22e11f64765918c153a9ab0a8e53d2 (diff) | |
ofz#3896 Integer-overflow
Change-Id: Ib7d3c8bd1a5db9f6b35e928743a701a9a95403ca
Reviewed-on: https://gerrit.libreoffice.org/44031
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'sw/source')
| -rw-r--r-- | sw/source/filter/ww8/ww8scan.cxx | 32 |
1 files changed, 28 insertions, 4 deletions
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx index e2a2a87f9daa..3f5d39c8f3c8 100644 --- a/sw/source/filter/ww8/ww8scan.cxx +++ b/sw/source/filter/ww8/ww8scan.cxx @@ -3346,8 +3346,33 @@ void WW8PLCFx_Cp_FKP::GetSprms(WW8PLCFxDesc* p) bIsUnicode); } - nLimitFC = nBeginLimitFC + - (nCpEnd - nCpStart) * (bIsUnicode ? 2 : 1); + WW8_CP nCpLen; + bool bFail = o3tl::checked_sub(nCpEnd, nCpStart, nCpLen); + if (bFail) + { + SAL_WARN("sw.ww8", "broken offset, ignoring"); + pPieceIter->SetIdx(nOldPos); + return; + } + + if (bIsUnicode) + { + bFail = o3tl::checked_multiply<WW8_CP>(nCpLen, 2, nCpLen); + if (bFail) + { + SAL_WARN("sw.ww8", "broken offset, ignoring"); + pPieceIter->SetIdx(nOldPos); + return; + } + } + + bFail = o3tl::checked_add(nBeginLimitFC, nCpLen, nLimitFC); + if (bFail) + { + SAL_WARN("sw.ww8", "broken offset, ignoring"); + pPieceIter->SetIdx(nOldPos); + return; + } if (nOldEndPos <= nLimitFC) { @@ -3398,8 +3423,7 @@ void WW8PLCFx_Cp_FKP::GetSprms(WW8PLCFxDesc* p) nFcStart,bIsUnicode ); } - WW8_CP nCpLen; - bool bFail = o3tl::checked_sub(nCpEnd, nCpStart, nCpLen); + bFail = o3tl::checked_sub(nCpEnd, nCpStart, nCpLen); if (bFail) { SAL_WARN("sw.ww8", "broken offset, ignoring"); |