| author | Stephan Bergmann <sbergman@redhat.com> | 2015-08-24 17:21:48 +0200 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2015-08-24 19:08:21 +0000 |
| commit | 1a871f9de6b23730e26fc6e4196723f67704ac8d (patch) | |
| tree | 6a14679f2f265000521d9e4223b648720930feeb /sw | |
| parent | 32069752b94a31303fd327b0c47037072600be6c (diff) | |
Handle zero nPLCF
...as found by ASan in CppunitTest_sw_filters_test:
> Testing file:///.../sw/qa/core/data/ww6/pass/crash-1.doc:
> ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020009382b0 at pc 0x2b1dcb5eabac bp 0x7fffe8ccbdb0 sp 0x7fffe8ccbda8
> READ of size 4 at 0x6020009382b0 thread T0
> WW8PLCF::SeekPos(int) sw/source/filter/ww8/ww8scan.cxx:2219:14
> WW8PLCF::WW8PLCF(SvStream&, int, int, int, int, int, int) sw/source/filter/ww8/ww8scan.cxx:2080:9
> WW8PLCFx_Fc_FKP::WW8PLCFx_Fc_FKP(SvStream*, SvStream*, SvStream*, WW8Fib const&, ePLCFT, int) sw/source/filter/ww8/ww8scan.cxx:2883:21
> WW8PLCFx_Cp_FKP::WW8PLCFx_Cp_FKP(SvStream*, SvStream*, SvStream*, WW8ScannerBase const&, ePLCFT) sw/source/filter/ww8/ww8scan.cxx:3088:7
> WW8ScannerBase::WW8ScannerBase(SvStream*, SvStream*, SvStream*, WW8Fib*) sw/source/filter/ww8/ww8scan.cxx:1588:20
> SwWW8ImplReader::CoreLoad(WW8Glossary*, SwPosition const&) sw/source/filter/ww8/ww8par.cxx:5022:20
> SwWW8ImplReader::LoadThroughDecryption(SwPaM&, WW8Glossary*) sw/source/filter/ww8/ww8par.cxx:5767:19
> SwWW8ImplReader::LoadDoc(SwPaM&, WW8Glossary*) sw/source/filter/ww8/ww8par.cxx:6039:19
> WW8Reader::Read(SwDoc&, rtl::OUString const&, SwPaM&, rtl::OUString const&) sw/source/filter/ww8/ww8par.cxx:6157:20
> SwReader::Read(Reader const&) sw/source/filter/basflt/shellio.cxx:175:18
> SwDocShell::ConvertFrom(SfxMedium&) sw/source/uibase/app/docsh.cxx:258:22
> SfxObjectShell::DoLoad(SfxMedium*) sfx2/source/doc/objstor.cxx:790:23
> SwFiltersTest::filter(rtl::OUString const&, rtl::OUString const&, rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int, bool) sw/qa/core/filters-test.cxx:112:20
> SwFiltersTest::load(rtl::OUString const&, rtl::OUString const&, rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int) sw/qa/core/filters-test.cxx:71:12
> test::FiltersTest::recursiveScan(test::filterStatus, rtl::OUString const&, rtl::OUString const&, rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int, bool) unotest/source/cpp/filters-test.cxx:129:20
> test::FiltersTest::testDir(rtl::OUString const&, rtl::OUString const&, rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int, bool) unotest/source/cpp/filters-test.cxx:154:5
> SwFiltersTest::testCVEs() sw/qa/core/filters-test.cxx:154:5
> 0x6020009382b1 is located 0 bytes to the right of 1-byte region [0x6020009382b0,0x6020009382b1)
> allocated by thread T0 here:
> operator new[](unsigned long) /home/sbergman/clang/trunk/src/projects/compiler-rt/lib/asan/asan_new_delete.cc:64
> WW8PLCF::ReadPLCF(SvStream&, int, unsigned int) sw/source/filter/ww8/ww8scan.cxx:2091:26
> WW8PLCF::WW8PLCF(SvStream&, int, int, int, int, int, int) sw/source/filter/ww8/ww8scan.cxx:2075:9
> WW8PLCFx_Fc_FKP::WW8PLCFx_Fc_FKP(SvStream*, SvStream*, SvStream*, WW8Fib const&, ePLCFT, int) sw/source/filter/ww8/ww8scan.cxx:2883:21
> WW8PLCFx_Cp_FKP::WW8PLCFx_Cp_FKP(SvStream*, SvStream*, SvStream*, WW8ScannerBase const&, ePLCFT) sw/source/filter/ww8/ww8scan.cxx:3088:7
> WW8ScannerBase::WW8ScannerBase(SvStream*, SvStream*, SvStream*, WW8Fib*) sw/source/filter/ww8/ww8scan.cxx:1588:20
> SwWW8ImplReader::CoreLoad(WW8Glossary*, SwPosition const&) sw/source/filter/ww8/ww8par.cxx:5022:20
> SwWW8ImplReader::LoadThroughDecryption(SwPaM&, WW8Glossary*) sw/source/filter/ww8/ww8par.cxx:5767:19
> SwWW8ImplReader::LoadDoc(SwPaM&, WW8Glossary*) sw/source/filter/ww8/ww8par.cxx:6039:19
> WW8Reader::Read(SwDoc&, rtl::OUString const&, SwPaM&, rtl::OUString const&) sw/source/filter/ww8/ww8par.cxx:6157:20
> SwReader::Read(Reader const&) sw/source/filter/basflt/shellio.cxx:175:18
> SwDocShell::ConvertFrom(SfxMedium&) sw/source/uibase/app/docsh.cxx:258:22
> SfxObjectShell::DoLoad(SfxMedium*) sfx2/source/doc/objstor.cxx:790:23
> SwFiltersTest::filter(rtl::OUString const&, rtl::OUString const&, rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int, bool) sw/qa/core/filters-test.cxx:112:20
> SwFiltersTest::load(rtl::OUString const&, rtl::OUString const&, rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int) sw/qa/core/filters-test.cxx:71:12
> test::FiltersTest::recursiveScan(test::filterStatus, rtl::OUString const&, rtl::OUString const&, rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int, bool) unotest/source/cpp/filters-test.cxx:129:20
> test::FiltersTest::testDir(rtl::OUString const&, rtl::OUString const&, rtl::OUString const&, SfxFilterFlags, SotClipboardFormatId, unsigned int, bool) unotest/source/cpp/filters-test.cxx:154:5
> SwFiltersTest::testCVEs() sw/qa/core/filters-test.cxx:154:5
Change-Id: I97d995aad621b829b6fb6ee4622d386fec0bedea
Reviewed-on: https://gerrit.libreoffice.org/17963
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'sw')
-rw-r--r-- | sw/source/filter/ww8/ww8scan.cxx | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx index d6231a16d24b..dcef904dce88 100644 --- a/sw/source/filter/ww8/ww8scan.cxx +++ b/sw/source/filter/ww8/ww8scan.cxx @@ -2083,7 +2083,8 @@ WW8PLCF::WW8PLCF(SvStream& rSt, WW8_FC nFilePos, sal_Int32 nPLCF, int nStruct, void WW8PLCF::ReadPLCF(SvStream& rSt, WW8_FC nFilePos, sal_uInt32 nPLCF) { sal_Size nOldPos = rSt.Tell(); - bool bValid = checkSeek(rSt, nFilePos) && (rSt.remainingSize() >= nPLCF); + bool bValid = nPLCF != 0 && checkSeek(rSt, nFilePos) + && (rSt.remainingSize() >= nPLCF); if (bValid) { |
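Review bot: the new `nPLCF != 0` guard in `WW8PLCF::ReadPLCF` only rejects an exactly-zero size, while the ASan report above shows the crash is a 4-byte `READ` in `SeekPos` past a 1-byte region allocated in `ReadPLCF`; the hunk does not show that sizes too small to hold even one 4-byte FC entry are rejected, so please either confirm that a later check covers `0 < nPLCF < 4` or tighten the bound to the minimum the PLCF layout needs. A one-line comment next to `bool bValid = nPLCF != 0 && checkSeek(rSt, nFilePos)` explaining why a zero-length PLCF is invalid (and referencing the crash-1.doc regression case) would help future readers, since nothing in the function documents the precondition. Also note the signature mismatch visible in the hunk context: the constructor takes `sal_Int32 nPLCF` and passes it to `ReadPLCF(SvStream&, WW8_FC, sal_uInt32 nPLCF)`, so a negative value silently becomes a huge unsigned size that is only rejected by the `rSt.remainingSize() >= nPLCF` comparison; that works, but a comment or an explicit `nPLCF > 0` check in the constructor would make the intent obvious.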