ofz#6576 check border param len

Change-Id: Ie479ef953b7c0f4a30afdafa27a9be121a346562 Reviewed-on: https://gerrit.libreoffice.org/50456 Reviewed-by: Michael Stahl <mstahl@redhat.com> Tested-by: Jenkins <ci@libreoffice.org>
author: Caolán McNamara <caolanm@redhat.com> 2018-02-27 16:17:04 +0000
committer: Michael Stahl <mstahl@redhat.com> 2018-02-27 20:15:48 +0100
commit: 0ad7f0ceb897963b5e2051bf86009e97fc81a300 (patch)
tree: 5251c61145e64e31d97f57d561f1de22fc177383 /sw
parent: b9910e87de4eea1cb3684bb7af8e58d681cbe809 (diff)
2 files changed, 25 insertions, 4 deletions
diff --git a/sw/source/filter/ww8/ww8par.hxx b/sw/source/filter/ww8/ww8par.hxx
index b0af113b8194..23e27a127713 100644
--- a/sw/source/filter/ww8/ww8par.hxx
+++ b/sw/source/filter/ww8/ww8par.hxx
@@ -1034,7 +1034,7 @@ struct WW8TabBandDesc
     void ReadDef(bool bVer67, const sal_uInt8* pS, short nLen);
     void ProcessDirection(const sal_uInt8* pParams);
     void ProcessSprmTSetBRC(int nBrcVer, const sal_uInt8* pParamsTSetBRC);
-    void ProcessSprmTTableBorders(int nBrcVer, const sal_uInt8* pParams);
+    void ProcessSprmTTableBorders(int nBrcVer, const sal_uInt8* pParams, sal_uInt16 nParamsLen);
     void ProcessSprmTDxaCol(const sal_uInt8* pParamsTDxaCol);
     void ProcessSprmTDelete(const sal_uInt8* pParamsTDelete);
     void ProcessSprmTInsert(const sal_uInt8* pParamsTInsert);
diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
index 43320f9efb2e..1ab43e948b90 100644
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
@@ -1403,11 +1403,16 @@ void WW8TabBandDesc::ProcessSprmTSetBRC(int nBrcVer, const sal_uInt8* pParamsTSe
 
 }
 
-void WW8TabBandDesc::ProcessSprmTTableBorders(int nBrcVer, const sal_uInt8* pParams)
+void WW8TabBandDesc::ProcessSprmTTableBorders(int nBrcVer, const sal_uInt8* pParams, sal_uInt16 nParamsLen)
 {
     // sprmTTableBorders
     if( nBrcVer == 6 )
     {
+        if (nParamsLen < sizeof(WW8_BRCVer6) * 6)
+        {
+            SAL_WARN("sw.ww8", "table border property is too short");
+            return;
+        }
         WW8_BRCVer6 const *pVer6 = reinterpret_cast<WW8_BRCVer6 const *>(pParams);
         for (int i = 0; i < 6; ++i)
             aDefBrcs[i] = WW8_BRCVer9(WW8_BRC(pVer6[i]));
@@ -1415,11 +1420,23 @@ void WW8TabBandDesc::ProcessSprmTTableBorders(int nBrcVer, const sal_uInt8* pPar
     else if ( nBrcVer == 8 )
     {
         static_assert(sizeof (WW8_BRC) == 4, "this has to match the msword size");
+        if (nParamsLen < sizeof(WW8_BRC) * 6)
+        {
+            SAL_WARN("sw.ww8", "table border property is too short");
+            return;
+        }
         for( int i = 0; i < 6; ++i )
             aDefBrcs[i] = WW8_BRCVer9(reinterpret_cast<WW8_BRC const *>(pParams)[i]);
     }
     else
+    {
+        if (nParamsLen < sizeof( aDefBrcs ))
+        {
+            SAL_WARN("sw.ww8", "table border property is too short");
+            return;
+        }
         memcpy( aDefBrcs, pParams, sizeof( aDefBrcs ) );
+    }
 }
 
 void WW8TabBandDesc::ProcessSprmTDxaCol(const sal_uInt8* pParamsTDxaCol)
@@ -1900,7 +1917,9 @@ WW8TabDesc::WW8TabDesc(SwWW8ImplReader* pIoClass, WW8_CP nStartCp) :
         const sal_uInt8* pShadeSprm = nullptr;
         const sal_uInt8* pNewShadeSprm = nullptr;
         const sal_uInt8* pTableBorders = nullptr;
+        sal_uInt16 nTableBordersLen = 0;
         const sal_uInt8* pTableBorders90 = nullptr;
+        sal_uInt16 nTableBorders90Len = 0;
         std::vector<const sal_uInt8*> aTSetBrcs, aTSetBrc90s;
         WW8_TablePos *pTabPos  = nullptr;
 
@@ -1956,9 +1975,11 @@ WW8TabDesc::WW8TabDesc(SwWW8ImplReader* pIoClass, WW8_CP nStartCp) :
                         break;
                     case sprmTTableBorders:
                         pTableBorders = pParams; // process at end
+                        nTableBordersLen = nLen;
                         break;
                     case sprmTTableBorders90:
                         pTableBorders90 = pParams; // process at end
+                        nTableBorders90Len = nLen;
                         break;
                     case sprmTTableHeader:
                         // tdf#105570
@@ -2049,10 +2070,10 @@ WW8TabDesc::WW8TabDesc(SwWW8ImplReader* pIoClass, WW8_CP nStartCp) :
             if (pNewShadeSprm)
                 pNewBand->ReadNewShd(pNewShadeSprm, bOldVer);
             if (pTableBorders90)
-                pNewBand->ProcessSprmTTableBorders(9, pTableBorders90);
+                pNewBand->ProcessSprmTTableBorders(9, pTableBorders90, nTableBorders90Len);
             else if (pTableBorders)
                 pNewBand->ProcessSprmTTableBorders(bOldVer ? 6 : 8,
-                    pTableBorders);
+                    pTableBorders, nTableBordersLen);
             std::vector<const sal_uInt8*>::const_iterator iter;
             for (iter = aTSetBrcs.begin(); iter != aTSetBrcs.end(); ++iter)
                 pNewBand->ProcessSprmTSetBRC(bOldVer ? 6 : 8, *iter);
author	Caolán McNamara <caolanm@redhat.com>	2018-02-27 16:17:04 +0000
committer	Michael Stahl <mstahl@redhat.com>	2018-02-27 20:15:48 +0100
commit	0ad7f0ceb897963b5e2051bf86009e97fc81a300 (patch)
tree	5251c61145e64e31d97f57d561f1de22fc177383 /sw
parent	b9910e87de4eea1cb3684bb7af8e58d681cbe809 (diff)