diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2018-01-10 09:33:38 +0000 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2018-01-10 13:57:13 +0100 |
| commit | 80074e280d95f0f72b8ba7fd8516203f6a2b7d5f (patch) | |
| tree | 1778cc867890d18279190fac2a2910427ce840b3 /sw | |
| parent | dd758f54fa5ea1ecd3d793bcea999d771010ff00 (diff) | |
ofz#5211 limit table parsing depth
Change-Id: I77b569faacc6f2655b050d09a236f78843e87560
Reviewed-on: https://gerrit.libreoffice.org/47691
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'sw')
| -rw-r--r-- | sw/source/filter/html/htmltab.cxx | 4 | ||||
| -rw-r--r-- | sw/source/filter/html/swhtml.cxx | 1 | ||||
| -rw-r--r-- | sw/source/filter/html/swhtml.hxx | 19 |
3 files changed, 24 insertions, 0 deletions
diff --git a/sw/source/filter/html/htmltab.cxx b/sw/source/filter/html/htmltab.cxx index a92bd2212ab6..dbe5a5b7429b 100644 --- a/sw/source/filter/html/htmltab.cxx +++ b/sw/source/filter/html/htmltab.cxx @@ -5069,6 +5069,10 @@ std::shared_ptr<HTMLTable> SwHTMLParser::BuildTable(SvxAdjust eParentAdjust, bool bHasParentSection, bool bHasToFly) { + TableDepthGuard aGuard(*this); + if (aGuard.TooDeep()) + eState = SvParserState::Error; + if (!IsParserWorking() && !m_pPendStack) return std::shared_ptr<HTMLTable>(); diff --git a/sw/source/filter/html/swhtml.cxx b/sw/source/filter/html/swhtml.cxx index 86a305b836a8..92e87c8fef1d 100644 --- a/sw/source/filter/html/swhtml.cxx +++ b/sw/source/filter/html/swhtml.cxx @@ -300,6 +300,7 @@ SwHTMLParser::SwHTMLParser( SwDoc* pD, SwPaM& rCursor, SvStream& rIn, m_bRemoveHidden( false ), m_bBodySeen( false ), m_bReadingHeaderOrFooter( false ), + m_nTableDepth( 0 ), m_pTempViewFrame(nullptr) { m_nEventId = nullptr; diff --git a/sw/source/filter/html/swhtml.hxx b/sw/source/filter/html/swhtml.hxx index 1be17ff43d78..c86150510428 100644 --- a/sw/source/filter/html/swhtml.hxx +++ b/sw/source/filter/html/swhtml.hxx @@ -493,6 +493,8 @@ class SwHTMLParser : public SfxHTMLParser, public SwClient bool m_bBodySeen : 1; bool m_bReadingHeaderOrFooter : 1; + sal_Int32 m_nTableDepth; + /// the names corresponding to the DOCINFO field subtypes INFO[1-4] OUString m_InfoNames[4]; @@ -881,6 +883,23 @@ private: bool PendingObjectsInPaM(SwPaM& rPam) const; + class TableDepthGuard + { + private: + SwHTMLParser& m_rParser; + public: + TableDepthGuard(SwHTMLParser& rParser) + : m_rParser(rParser) + { + ++m_rParser.m_nTableDepth; + } + bool TooDeep() const { return m_rParser.m_nTableDepth > 2048; } + ~TableDepthGuard() + { + --m_rParser.m_nTableDepth; + } + }; + public: // used in tables // Create brush item (with new) or 0 |