-rw-r--r-- | include/svtools/parrtf.hxx | 1 | ||||
-rw-r--r-- | svtools/source/svrtf/parrtf.cxx | 35 |
2 files changed, 25 insertions, 11 deletions
diff --git a/include/svtools/parrtf.hxx b/include/svtools/parrtf.hxx
index 136026f56990..980b83c9cbfe 100644
--- a/include/svtools/parrtf.hxx
+++ b/include/svtools/parrtf.hxx
@@ -37,6 +37,7 @@ class SVT_DLLPUBLIC SvRTFParser : public SvParser<int>
 {
 std::stack< RtfParserState_Impl > aParserStates;
 int nOpenBrackets;
+ int nUPRLevel;
 rtl_TextEncoding eCodeSet;
 sal_uInt8 nUCharOverread;
diff --git a/svtools/source/svrtf/parrtf.cxx b/svtools/source/svrtf/parrtf.cxx
index 42fcc211b264..82d69f7881ac 100644
--- a/svtools/source/svrtf/parrtf.cxx
+++ b/svtools/source/svrtf/parrtf.cxx
@@ -39,6 +39,7 @@ const int MAX_STRING_LEN = 1024;
 SvRTFParser::SvRTFParser( SvStream& rIn, sal_uInt8 nStackSize )
 : SvParser<int>( rIn, nStackSize )
 , nOpenBrackets(0)
+ , nUPRLevel(0)
 , eCodeSet(RTL_TEXTENCODING_MS_1252)
 , nUCharOverread(1)
 {
@@ -160,19 +161,31 @@ int SvRTFParser::GetNextToken_()
 break;
 case RTF_UPR:
- if (!_inSkipGroup) {
- // UPR - overread the group with the ansi
- // information
- int nNextToken;
- do
+ if (!_inSkipGroup)
 {
- nNextToken = GetNextToken_();
- }
- while (nNextToken != '{' && nNextToken != sal_Unicode(EOF) && IsParserWorking());
+ if (nUPRLevel > 256) // fairly sure > 1 is probably an error, but provide some leeway
+ {
+ SAL_WARN("svtools", "urp stack too deep");
+ eState = SvParserState::Error;
+ break;
+ }
- SkipGroup();
- GetNextToken_(); // overread the last bracket
- nRet = 0;
+ ++nUPRLevel;
+
+ // UPR - overread the group with the ansi
+ // information
+ int nNextToken;
+ do
+ {
+ nNextToken = GetNextToken_();
+ }
+ while (nNextToken != '{' && nNextToken != sal_Unicode(EOF) && IsParserWorking());
+
+ SkipGroup();
+ GetNextToken_(); // overread the last bracket
+ nRet = 0;
+
+ --nUPRLevel;
 }
 break;
|
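Review bot: The depth guard in the `RTF_UPR` case of `GetNextToken_()` compares against a bare `256` and logs `"urp stack too deep"`, which misspells the keyword, so a search of the logs for "upr" will miss it. I would name the limit beside `MAX_STRING_LEN`, for example `const int MAX_UPR_DEPTH = 256;`, test `if (nUPRLevel > MAX_UPR_DEPTH)`, and change the message to `"upr stack too deep"`. When the limit trips in the innermost call, each outer frame still runs `SkipGroup()` and `GetNextToken_()` after its loop ends, presumably with the parser already in the error state. A check of `IsParserWorking()` after the loop and before those two calls would make the unwind explicit. `GetNextToken_()` begins and ends outside this hunk, so whether the function can recurse by a route that bypasses `nUPRLevel` is not visible here.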