diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2015-08-31 15:11:03 +0100 |
|---|---|---|
| committer | Miklos Vajna <vmiklos@collabora.co.uk> | 2015-09-02 16:00:50 +0000 |
| commit | 13a0e48dd49ec811e41aaa03c3009b9a4f92bf30 (patch) | |
| tree | 721eed0cbf0de3e5a1b28cd99ee1e2d2e25a487a /sw | |
| parent | 8c9e9895648fd9315067c17d1aeee182c99d3f21 (diff) | |
check for over long record len and check reads
Change-Id: Ib77ce1b95db2dc4396f4fd2fdcff4c0344b20c9e
(cherry picked from commit 0c191e2b757555b147ebab1688e72acde28062a1)
Reviewed-on: https://gerrit.libreoffice.org/18180
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Miklos Vajna <vmiklos@collabora.co.uk>
Diffstat (limited to 'sw')
| -rw-r--r-- | sw/qa/core/data/ww8/pass/hang-7.doc | bin | 0 -> 28160 bytes | |||
| -rw-r--r-- | sw/source/filter/ww8/ww8toolbar.cxx | 44 |
2 files changed, 26 insertions, 18 deletions
diff --git a/sw/qa/core/data/ww8/pass/hang-7.doc b/sw/qa/core/data/ww8/pass/hang-7.doc Binary files differnew file mode 100644 index 000000000000..a52a452fea93 --- /dev/null +++ b/sw/qa/core/data/ww8/pass/hang-7.doc diff --git a/sw/source/filter/ww8/ww8toolbar.cxx b/sw/source/filter/ww8/ww8toolbar.cxx index e33a8c50f0fc..1232d44094f3 100644 --- a/sw/source/filter/ww8/ww8toolbar.cxx +++ b/sw/source/filter/ww8/ww8toolbar.cxx @@ -167,7 +167,7 @@ bool SwCTBWrapper::Read( SvStream& rS ) { rCustomizations[ *it ].bIsDroppedMenuTB = true; } - return true; + return rS.good(); } SwTBC* SwCTBWrapper::GetTBCAtOffset( sal_uInt32 nStreamOffset ) @@ -285,7 +285,7 @@ bool Customization::Read( SvStream &rS) if ( !customizationDataCTB->Read( rS ) ) return false; } - return true; + return rS.good(); } #if OSL_DEBUG_LEVEL > 1 @@ -455,7 +455,7 @@ bool TBDelta::Read(SvStream &rS) nOffSet = rS.Tell(); rS.ReadUChar( doprfatendFlags ).ReadUChar( ibts ).ReadInt32( cidNext ).ReadInt32( cid ).ReadInt32( fc ) ; rS.ReadUInt16( CiTBDE ).ReadUInt16( cbTBC ); - return true; + return rS.good(); } #if OSL_DEBUG_LEVEL > 1 @@ -525,7 +525,7 @@ bool SwCTB::Read( SvStream &rS) rTBC.push_back( aTBC ); } } - return true; + return rS.good(); } #if OSL_DEBUG_LEVEL > 1 @@ -638,7 +638,7 @@ bool SwTBC::Read( SvStream &rS ) if ( !tbcd->Read( rS ) ) return false; } - return true; + return rS.good(); } #if OSL_DEBUG_LEVEL > 1 @@ -778,7 +778,7 @@ Xst::Read( SvStream& rS ) SAL_INFO("sw.ww8","Xst::Read() stream pos 0x" << std::hex << rS.Tell() ); nOffSet = rS.Tell(); sString = read_uInt16_PascalString(rS); - return true; + return rS.good(); } #if OSL_DEBUG_LEVEL > 1 @@ -914,7 +914,7 @@ bool Tcg255::Read(SvStream &rS) nId = 0x40; rS.ReadUChar( nId ); } - return true; + return rS.good(); // Peek at } @@ -946,7 +946,7 @@ bool Tcg255SubStruct::Read(SvStream &rS) nOffSet = rS.Tell(); if ( mbReadId ) rS.ReadUChar( ch ); - return true; + return rS.good(); } PlfMcd::PlfMcd(bool bReadId) @@ -970,7 +970,7 @@ bool PlfMcd::Read(SvStream &rS) return false; } } - return true; + return rS.good(); } #if OSL_DEBUG_LEVEL > 1 @@ -1005,7 +1005,15 @@ bool PlfAcd::Read( SvStream &rS) nOffSet = rS.Tell(); Tcg255SubStruct::Read( rS ); rS.ReadInt32( iMac ); - if ( iMac ) + if (iMac < 0) + return false; + auto nMaxPossibleRecords = rS.remainingSize() / (sizeof(sal_uInt16)*2); + if (static_cast<sal_uInt32>(iMac) > nMaxPossibleRecords) + { + SAL_WARN("sw.ww8", iMac << " records claimed, but max possible is " << nMaxPossibleRecords); + iMac = nMaxPossibleRecords; + } + if (iMac) { rgacd = new Acd[ iMac ]; for ( sal_Int32 index = 0; index < iMac; ++index ) @@ -1014,7 +1022,7 @@ bool PlfAcd::Read( SvStream &rS) return false; } } - return true; + return rS.good(); } #if OSL_DEBUG_LEVEL > 1 @@ -1058,7 +1066,7 @@ bool PlfKme::Read(SvStream &rS) return false; } } - return true; + return rS.good(); } #if OSL_DEBUG_LEVEL > 1 @@ -1126,7 +1134,7 @@ bool TcgSttbfCore::Read( SvStream& rS ) rS.ReadUInt16( dataItems[ index ].extraData ); } } - return true; + return rS.good(); } #if OSL_DEBUG_LEVEL > 1 @@ -1176,7 +1184,7 @@ bool MacroNames::Read( SvStream &rS) return false; } } - return true; + return rS.good(); } #if OSL_DEBUG_LEVEL > 1 @@ -1230,7 +1238,7 @@ Xstz::Read(SvStream &rS) rS.ReadUInt16( chTerm ); if ( chTerm != 0 ) // should be an assert return false; - return true; + return rS.good(); } #if OSL_DEBUG_LEVEL > 1 @@ -1263,7 +1271,7 @@ Kme::Read(SvStream &rS) SAL_INFO("sw.ww8","Kme::Read() stream pos 0x" << std::hex << rS.Tell() ); nOffSet = rS.Tell(); rS.ReadInt16( reserved1 ).ReadInt16( reserved2 ).ReadUInt16( kcm1 ).ReadUInt16( kcm2 ).ReadUInt16( kt ).ReadUInt32( param ); - return true; + return rS.good(); } #if OSL_DEBUG_LEVEL > 1 @@ -1291,7 +1299,7 @@ bool Acd::Read(SvStream &rS) SAL_INFO("sw.ww8","Acd::Read() stream pos 0x" << std::hex << rS.Tell() ); nOffSet = rS.Tell(); rS.ReadInt16( ibst ).ReadUInt16( fciBasedOnABC ); - return true; + return rS.good(); } #if OSL_DEBUG_LEVEL > 1 @@ -1354,7 +1362,7 @@ bool MCD::Read(SvStream &rS) nOffSet = rS.Tell(); rS.ReadSChar( reserved1 ).ReadUChar( reserved2 ).ReadUInt16( ibst ).ReadUInt16( ibstName ).ReadUInt16( reserved3 ); rS.ReadUInt32( reserved4 ).ReadUInt32( reserved5 ).ReadUInt32( reserved6 ).ReadUInt32( reserved7 ); - return true; + return rS.good(); } #if OSL_DEBUG_LEVEL > 1 |