diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2017-11-28 10:55:39 +0000 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2017-11-28 17:33:24 +0100 |
| commit | 97dabf63f6d0a432afcd176f669b272ca939a29f (patch) | |
| tree | fc2ea1b936dcade2a4c841e135c9ad7ebbb7ad43 /sw | |
| parent | 184f6dd697a2d218975c9055442e35bec4ed3144 (diff) | |
ofz#4471 check sprm bounds
and don't reuse results of previous search
Change-Id: I15d55aba260377f2f43627d775adf1a01370ae3e
Reviewed-on: https://gerrit.libreoffice.org/45406
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'sw')
| -rw-r--r-- | sw/source/filter/ww8/ww8par6.cxx | 13 | ||||
| -rw-r--r-- | sw/source/filter/ww8/ww8scan.cxx | 9 |
2 files changed, 15 insertions, 7 deletions
diff --git a/sw/source/filter/ww8/ww8par6.cxx b/sw/source/filter/ww8/ww8par6.cxx index f6bf8446ecbc..3678807b542f 100644 --- a/sw/source/filter/ww8/ww8par6.cxx +++ b/sw/source/filter/ww8/ww8par6.cxx @@ -1266,24 +1266,25 @@ static sal_uInt8 lcl_ReadBorders(bool bVer67, WW8_BRCVer9* brc, WW8PLCFx_Cp_FKP* { if( !bVer67 ) { - SprmResult aSprm[4]; - + SprmResult a8Sprm[4]; if (pSep->Find4Sprms( NS_sprm::sprmSBrcTop80, NS_sprm::sprmSBrcLeft80, NS_sprm::sprmSBrcBottom80, NS_sprm::sprmSBrcRight80, - aSprm[0], aSprm[1], aSprm[2], aSprm[3])) + a8Sprm[0], a8Sprm[1], a8Sprm[2], a8Sprm[3])) { for( int i = 0; i < 4; ++i ) - nBorder |= int(SetWW8_BRC(8, brc[i], aSprm[i].pSprm, aSprm[i].nRemainingData))<<i; + nBorder |= int(SetWW8_BRC(8, brc[i], a8Sprm[i].pSprm, a8Sprm[i].nRemainingData))<<i; } + // Version 9 BRCs if present will override version 8 + SprmResult a9Sprm[4]; if (pSep->Find4Sprms( NS_sprm::sprmSBrcTop, NS_sprm::sprmSBrcLeft, NS_sprm::sprmSBrcBottom, NS_sprm::sprmSBrcRight, - aSprm[0], aSprm[1], aSprm[2], aSprm[3])) + a9Sprm[0], a9Sprm[1], a9Sprm[2], a9Sprm[3])) { for( int i = 0; i < 4; ++i ) - nBorder |= int(SetWW8_BRC(9, brc[i], aSprm[i].pSprm, aSprm[i].nRemainingData))<<i; + nBorder |= int(SetWW8_BRC(9, brc[i], a9Sprm[i].pSprm, a9Sprm[i].nRemainingData))<<i; } } } diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx index e52a14b9671a..2e6e16c092f6 100644 --- a/sw/source/filter/ww8/ww8scan.cxx +++ b/sw/source/filter/ww8/ww8scan.cxx @@ -3731,7 +3731,14 @@ bool WW8PLCFx_SEPX::Find4Sprms(sal_uInt16 nId1,sal_uInt16 nId2,sal_uInt16 nId3,s { // Sprm found? const sal_uInt16 nAktId = maSprmParser.GetSprmId(pSp); - const sal_uInt16 x = maSprmParser.GetSprmSize(nAktId, pSp, nSprmSiz - i); + sal_Int32 nRemLen = nSprmSiz - i; + const sal_uInt16 x = maSprmParser.GetSprmSize(nAktId, pSp, nRemLen); + bool bValid = x <= nRemLen; + if (!bValid) + { + SAL_WARN("sw.ww8", "sprm longer than remaining bytes, doc or parser is wrong"); + break; + } bool bOk = true; if( nAktId == nId1 ) { |