From a9201a4dfe54d920ff6272aae949eefb7888dc20 Mon Sep 17 00:00:00 2001
From: Caolán McNamara
Date: Fri, 8 Aug 2014 15:55:02 +0100
Subject: Conditional jump or move depends on uninitialised value(s)
at 0x2DC948DF: connectivity::dbase::ODbaseTable::fillColumns() (DTable.cxx:330)
...
by 0x2C57E3B3: ScDocShell::DBaseImport(rtl::OUString const&, unsigned short, ScColWidthParam*, ScFlatBoolRowSegments&) (docsh8.cxx:345)
bff + valgrind: sf_52f907dbea3069ba59ef1e183a0f4160-430.pcx
fuzz a pcx long enough and it turns into a dbase file
Change-Id: Idf1622d6b55ae2cca381f263333d0ab0b6a469b2
---
 connectivity/source/drivers/dbase/DTable.cxx | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
(limited to 'connectivity')
diff --git a/connectivity/source/drivers/dbase/DTable.cxx b/connectivity/source/drivers/dbase/DTable.cxx
index 5d04f13117e1..b205958da3bc 100644
--- a/connectivity/source/drivers/dbase/DTable.cxx
+++ b/connectivity/source/drivers/dbase/DTable.cxx
@@ -322,13 +322,20 @@ void ODbaseTable::fillColumns()
     for (; i < nFieldCount; i++)
     {
         DBFColumn aDBFColumn;
-        m_pFileStream->Read((char*)&aDBFColumn, sizeof(aDBFColumn));
+        sal_Size nRead = m_pFileStream->Read(&aDBFColumn, sizeof(aDBFColumn));
+        if (nRead != sizeof(aDBFColumn))
+        {
+            SAL_WARN("connectivity.drivers", "ODbaseTable::fillColumns: short read!");
+            break;
+        }
         if ( FIELD_DESCRIPTOR_TERMINATOR == aDBFColumn.db_fnm[0] ) // 0x0D stored as the Field Descriptor terminator.
             break;
-        bool bIsRowVersion = bFoxPro && ( aDBFColumn.db_frei2[0] & 0x01 ) == 0x01;
+        aDBFColumn.db_fnm[sizeof(aDBFColumn.db_fnm)-1] = 0; //ensure null termination for broken input
         const OUString aColumnName((const char *)aDBFColumn.db_fnm, strlen((const char *)aDBFColumn.db_fnm), m_eEncoding);
+        bool bIsRowVersion = bFoxPro && ( aDBFColumn.db_frei2[0] & 0x01 ) == 0x01;
+
         m_aRealFieldLengths.push_back(aDBFColumn.db_flng);
         sal_Int32 nPrecision = aDBFColumn.db_flng;
         sal_Int32 eType;
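Review bot: The short-read branch added before the terminator test warns and then `break`s, which makes a truncated descriptor block indistinguishable from a well-formed one that ends with 0x0D: the table silently ends up with fewer columns than the header's nFieldCount announced. Whether later consumers of the column list cope with that mismatch is not visible in this hunk, so the intent should at least be recorded on the new line, `break; // truncated header: keep the descriptors read so far; column count may be < nFieldCount`. If a truncated header is meant to be rejected rather than accepted, the warning should be followed by whatever error path fillColumns already uses instead of `break`; the function starts outside the hunk, so I cannot see whether one exists. The null-termination write on db_fnm is correctly placed after the terminator test and before the strlen, so the column-name construction can no longer read past the field for a name that fills all of db_fnm.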
@@ -2605,7 +2612,12 @@ bool ODbaseTable::seekRow(IResultSetHelper::Movement eCursorPosition, sal_Int32
             if (m_pFileStream->GetError() != ERRCODE_NONE) goto Error;
-            m_pFileStream->Read((char*)m_pBuffer, nEntryLen);
+            sal_Size nRead = m_pFileStream->Read((char*)m_pBuffer, nEntryLen);
+            if (nRead != nEntryLen)
+            {
+                SAL_WARN("connectivity.drivers", "ODbaseTable::seekRow: short read!");
+                goto Error;
+            }
             if (m_pFileStream->GetError() != ERRCODE_NONE) goto Error;
         }
@@ -2728,7 +2740,7 @@ void ODbaseTable::AllocBuffer()
     if (m_pBuffer == NULL && nSize > 0)
     {
         m_nBufferSize = nSize;
-        m_pBuffer = new sal_uInt8[m_nBufferSize+1];
+        m_pBuffer = new sal_uInt8[m_nBufferSize+1];
     }
 }
-- cgit
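Review bot: `nRead != nEntryLen` compares the sal_Size returned by Read with nEntryLen, whose type is not visible in the hunk; if nEntryLen is a signed type this is a signed/unsigned comparison that trips -Wsign-compare, and `if (nRead != static_cast<sal_Size>(nEntryLen))` (or declaring nRead with nEntryLen's type) would make the intent explicit and silence it. The new branch also leaves the existing `if (m_pFileStream->GetError() != ERRCODE_NONE) goto Error;` below it reachable only after a complete read, which is fine, but a comment on the new check would help the next reader: `// short read: the record is truncated, never expose a partially filled m_pBuffer`. A short read does leave m_pBuffer partially overwritten with whatever the file contained; whether the Error path discards that state is decided outside the hunk, as seekRow's body continues beyond it on both sides.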