ofz: sanity check L_VAR2 record bounds

Change-Id: I862457a7239108974f360a87b4f6ccf433eae364
Reviewed-on: https://gerrit.libreoffice.org/37534
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>

1 files changed, 12 insertions, 1 deletions

diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 04060366a1c1..b8b5eac1853e 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -7956,10 +7956,21 @@ sal_uInt16 wwSprmParser::GetSprmTailLen(sal_uInt16 nId, const sal_uInt8* pSprm,
                     nL = static_cast< sal_uInt16 >(pSprm[1 + mnDelta] + aSprm.nLen);
                     break;
                 case L_VAR2:
+                {
                     // Variable 2-Byte Length?
                     // Excl. Token + Var-Lengthbyte
-                    nL = static_cast< sal_uInt16 >(SVBT16ToShort( &pSprm[1 + mnDelta] ) + aSprm.nLen - 1);
+                    sal_uInt8 nIndex = 1 + mnDelta;
+                    sal_uInt16 nCount;
+                    if (nIndex + 1 >= nRemLen)
+                    {
+                        SAL_WARN("sw.ww8", "sprm longer than remaining bytes, doc or parser is wrong");
+                        nCount = 0;
+                    }
+                    else
+                        nCount = SVBT16ToShort(&pSprm[nIndex]);
+                    nL = static_cast< sal_uInt16 >(nCount + aSprm.nLen - 1);
                     break;
+                }
                 default:
                     OSL_ENSURE(false, "Unknown sprm variant");
                     break;