author | Miklos Vajna <vmiklos@frugalware.org> | 2011-07-25 16:19:24 +0200 |
---|---|---|
committer | Miklos Vajna <vmiklos@frugalware.org> | 2011-07-29 17:32:39 +0200 |
commit | c67e8d76d2c8fae7081955ddf5d63d408e926cdd (patch) | |
tree | 05a264f9dbe1a95b4d7f46ab14972960fb4e91c1 /writerfilter | |
parent | 856071a7aa5543f94cfaad660af4414cae067cd6 (diff) |
fixes for CVE-2010-3333-1.rtf
Diffstat (limited to 'writerfilter')
-rw-r--r-- | writerfilter/source/rtftok/rtfdocumentimpl.cxx | 5 | ||||
-rw-r--r-- | writerfilter/source/rtftok/rtfdocumentimpl.hxx | 3 | ||||
-rw-r--r-- | writerfilter/source/rtftok/rtftokenizer.cxx | 2 |
3 files changed, 8 insertions, 2 deletions
diff --git a/writerfilter/source/rtftok/rtfdocumentimpl.cxx b/writerfilter/source/rtftok/rtfdocumentimpl.cxx
index 1f12cca9e562..17cd0544e728 100644
--- a/writerfilter/source/rtftok/rtfdocumentimpl.cxx
+++ b/writerfilter/source/rtftok/rtfdocumentimpl.cxx
@@ -460,6 +460,9 @@ void RTFDocumentImpl::resolve(Stream & rMapper)
 case ERROR_HEX_INVALID:
 OSL_TRACE("%s: invalid hex char", OSL_THIS_FUNC);
 break;
+ case ERROR_CHAR_OVER:
+ OSL_TRACE("%s: characters after last '}'", OSL_THIS_FUNC);
+ break;
 }
 }
@@ -2397,7 +2400,7 @@ int RTFDocumentImpl::popState()
 aAttributes = m_aStates.top().aCharacterAttributes;
 if (m_aStates.top().nDestinationState == DESTINATION_SHAPEPROPERTYNAME)
 aShape.aProperties.push_back(make_pair(m_aDestinationText.makeStringAndClear(), OUString()));
- else if (m_aStates.top().nDestinationState == DESTINATION_SHAPEPROPERTYVALUE)
+ else if (m_aStates.top().nDestinationState == DESTINATION_SHAPEPROPERTYVALUE && aShape.aProperties.size())
 aShape.aProperties.back().second = m_aDestinationText.makeStringAndClear();
 bPopShapeProperties = true;
 }
diff --git a/writerfilter/source/rtftok/rtfdocumentimpl.hxx b/writerfilter/source/rtftok/rtfdocumentimpl.hxx
index d82e06ecc085..e86ae5e10d8f 100644
--- a/writerfilter/source/rtftok/rtfdocumentimpl.hxx
+++ b/writerfilter/source/rtftok/rtfdocumentimpl.hxx
@@ -125,7 +125,8 @@ namespace writerfilter {
 ERROR_GROUP_UNDER,
 ERROR_GROUP_OVER,
 ERROR_EOF,
- ERROR_HEX_INVALID
+ ERROR_HEX_INVALID,
+ ERROR_CHAR_OVER
 };
 /// Minimalistic buffer of elements for nested cells.
diff --git a/writerfilter/source/rtftok/rtftokenizer.cxx b/writerfilter/source/rtftok/rtftokenizer.cxx
index fe8a1a2d9140..46d967df2a7c 100644
--- a/writerfilter/source/rtftok/rtftokenizer.cxx
+++ b/writerfilter/source/rtftok/rtftokenizer.cxx
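Review bot: In the `popState()` hunk of rtfdocumentimpl.cxx, the new `&& aShape.aProperties.size()` guard keeps `back()` off an empty vector, but when it fails nothing calls `makeStringAndClear()`, so the property-value text collected for this destination stays in `m_aDestinationText`. Unless the buffer is reset elsewhere (the body of `popState()` extends beyond the hunk), that leftover text can end up in whichever destination is flushed next. Taking the string unconditionally first, `const OUString aValue = m_aDestinationText.makeStringAndClear();`, and then assigning it under `if (!aShape.aProperties.empty())` avoids that, and `empty()` reads more clearly than using `size()` as a boolean.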
@@ -92,6 +92,8 @@ int RTFTokenizer::resolveParse()
 case 0x0a:
 break; // ignore these
 default:
+ if (m_rImport.isEmpty())
+ return ERROR_CHAR_OVER;
 if (m_rImport.getState().nInternalState == INTERNAL_NORMAL)
 {
 if ((ret = m_rImport.resolveChars(ch))) |
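Review bot: The `m_rImport.isEmpty()` check sits only in the `default:` branch of the switch in `resolveParse()`, so it covers plain characters after the final `}` but not bytes handled by the other cases, which are outside this hunk. If any of those cases also reaches `m_rImport.getState()`, trailing input would still hit what is presumably an empty state stack there; this is worth confirming, or the guard could move to a common point before any state access. A short comment such as `// no open group left: input continues past the final '}'` above the check would document why the early return is here.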