From 96976553c41e8e7af47ad3d25927f5018279f6c7 Mon Sep 17 00:00:00 2001
From: Caolán McNamara
Date: Sat, 21 Oct 2017 16:59:19 +0100
Subject: check ppt property size against max available len
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Change-Id: Ie99a68ea34edfb480d41cf832d3044f4bf686585
Reviewed-on: https://gerrit.libreoffice.org/43661
Reviewed-by: Caolán McNamara
Tested-by: Caolán McNamara
---
 sd/source/filter/ppt/propread.cxx | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'sd')
diff --git a/sd/source/filter/ppt/propread.cxx b/sd/source/filter/ppt/propread.cxx
index ed1f9e4923d2..6854a7dc1a44 100644
--- a/sd/source/filter/ppt/propread.cxx
+++ b/sd/source/filter/ppt/propread.cxx
@@ -326,7 +326,13 @@ void Section::Read( SotStorageStream *pStrm )
 mnTextEnc = RTL_TEXTENCODING_MS_1252;
 sal_uInt32 nSecSize(0), nPropCount(0);
- pStrm->ReadUInt32( nSecSize ).ReadUInt32( nPropCount );
+ pStrm->ReadUInt32(nSecSize).ReadUInt32(nPropCount);
+ if (nSecSize > nStrmSize)
+ {
+ SAL_WARN("sd.filter", "Section Len " << nSecSize << " claimed, only " << nStrmSize << " possible");
+ nSecSize = nStrmSize;
+ }
+
 while (nPropCount--)
 {
 sal_uInt32 nPropId(0), nPropOfs(0);
@@ -514,7 +520,7 @@ void Section::Read( SotStorageStream *pStrm )
 }
 pStrm->Seek(nCurrent);
 }
- pStrm->Seek( nSecOfs + nSecSize );
+ pStrm->Seek(nSecOfs + nSecSize);
 }
 Section& Section::operator=( const Section& rSection )
-- cgit
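Review bot: The new clamp bounds `nSecSize` by `nStrmSize` alone, but the value is consumed as `nSecOfs + nSecSize` in the final `Seek` of the second hunk. `nStrmSize` is set outside the hunk; if it holds the total stream length rather than the bytes remaining after `nSecOfs`, a section at a non-zero offset can still claim a length that runs past the end of the stream, and the 32-bit sum could in principle wrap. Comparing against the remaining length would close that, e.g. `const sal_uInt32 nMaxSecSize = nStrmSize > nSecOfs ? nStrmSize - nSecOfs : 0;` followed by `if (nSecSize > nMaxSecSize)`. `nPropCount` is read from the same untrusted header and drives `while (nPropCount--)` with no bound in the visible lines. The loop body lies between the two hunks and `Section::Read` starts before the first, so confirm the loop stops on a failed read or cap the count by the bytes available.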