From 13ca751a69f1aed666eade43d464b357dbe3c1af Mon Sep 17 00:00:00 2001
From: Caolán McNamara
Date: Wed, 12 Apr 2017 12:52:40 +0100
Subject: ofz: timeout, guard against going backwards
Change-Id: Ib91ae165147582bdb44690215a1df6f01ede796b
---
 sw/source/filter/ww8/ww8par2.cxx | 4 ++--
 sw/source/filter/ww8/ww8scan.cxx | 19 +++++++++++++------
 sw/source/filter/ww8/ww8scan.hxx | 4 ++--
 3 files changed, 17 insertions(+), 10 deletions(-)
(limited to 'sw/source/filter')
diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
index 6e488a1328bc..9787ad27cfaa 100644
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
@@ -3983,7 +3983,7 @@ void WW8RStyle::Import1Style( sal_uInt16 nNr )
 pStStrm->Seek( rSI.m_nFilePos );
- short nSkip, cbStd;
+ sal_uInt16 nSkip, cbStd;
 OUString sName;
 std::unique_ptr xStd(Read1Style(nSkip, &sName, &cbStd));// read Style
@@ -4075,10 +4075,10 @@ void WW8RStyle::ScanStyles() // investigate style dependencies
 {
 // and detect Filepos for each Style
 for (sal_uInt16 i = 0; i < cstd; ++i)
 {
- short nSkip;
 SwWW8StyInf &rSI = pIo->m_vColl[i];
 rSI.m_nFilePos = pStStrm->Tell(); // remember FilePos
+ sal_uInt16 nSkip;
 WW8_STD* pStd = Read1Style( nSkip, nullptr, nullptr ); // read STD
 rSI.m_bValid = (nullptr != pStd);
 if (rSI.m_bValid)
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 49b564434561..322f16c89876 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -6563,7 +6563,7 @@ WW8Style::WW8Style(SvStream& rStream, WW8Fib& rFibPara)
 // so it has no empty slot, we should allocate memory and a pointer should
 // reference to STD (perhaps filled with 0). If the slot is empty,
 // it will return a null pointer.
-WW8_STD* WW8Style::Read1STDFixed( short& rSkip, short* pcbStd )
+WW8_STD* WW8Style::Read1STDFixed(sal_uInt16& rSkip, sal_uInt16* pcbStd)
 {
 WW8_STD* pStd = nullptr;
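Review bot: `sal_uInt16 nSkip, cbStd;` in the @@ -3983 hunk and `sal_uInt16 nSkip;` in the @@ -4075 hunk of ww8par2.cxx are still left uninitialised before being handed to Read1Style by reference and by pointer. Whether Read1STDFixed assigns rSkip and *pcbStd on every path, including the empty-slot case where it returns a null pointer, is not visible in this diff, so `sal_uInt16 nSkip = 0, cbStd = 0;` and `sal_uInt16 nSkip = 0;` would make the callers independent of that and cost nothing. The @@ -6563 hunk in ww8scan.cxx only changes the signature of Read1STDFixed; its body continues past the hunk.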
@@ -6635,18 +6635,19 @@ WW8_STD* WW8Style::Read1STDFixed( short& rSkip, short* pcbStd )
 return pStd;
 }
-WW8_STD* WW8Style::Read1Style( short& rSkip, OUString* pString, short* pcbStd )
+WW8_STD* WW8Style::Read1Style(sal_uInt16& rSkip, OUString* pString, sal_uInt16* pcbStd)
 {
 // Attention: MacWord-Documents have their Stylenames
 // always in ANSI, even if eStructCharSet == CHARSET_MAC !!
- WW8_STD* pStd = Read1STDFixed( rSkip, pcbStd ); // read STD
+ WW8_STD* pStd = Read1STDFixed(rSkip, pcbStd); // read STD
 // string desired?
 if( pString )
 {
 // real style?
 if ( pStd )
 {
+ sal_Int32 nLenStringBytes = 0;
 switch( rFib.m_nVersion )
 {
 case 6:
@@ -6654,7 +6655,7 @@ WW8_STD* WW8Style::Read1Style( short& rSkip, OUString* pString, short* pcbStd )
 // read pascal string
 *pString = read_uInt8_BeltAndBracesString(rSt, RTL_TEXTENCODING_MS_1252);
 // leading len and trailing zero --> 2
- rSkip -= pString->getLength() + 2;
+ nLenStringBytes = pString->getLength() + 2;
 break;
 case 8:
 // handle Unicode-String with leading length short and
@@ -6662,7 +6663,7 @@ WW8_STD* WW8Style::Read1Style( short& rSkip, OUString* pString, short* pcbStd )
 if (TestBeltAndBraces(rSt))
 {
 *pString = read_uInt16_BeltAndBracesString(rSt);
- rSkip -= (pString->getLength() + 2) * 2;
+ nLenStringBytes = (pString->getLength() + 2) * 2;
 }
 else
 {
@@ -6678,13 +6679,19 @@ WW8_STD* WW8Style::Read1Style( short& rSkip, OUString* pString, short* pcbStd )
 */
 *pString = read_uInt8_BeltAndBracesString(rSt,RTL_TEXTENCODING_MS_1252);
 // leading len and trailing zero --> 2
- rSkip -= pString->getLength() + 2;
+ nLenStringBytes = pString->getLength() + 2;
 }
 break;
 default:
 OSL_ENSURE(false, "Es wurde vergessen, nVersion zu kodieren!");
 break;
 }
+ if (nLenStringBytes > rSkip)
+ {
+ SAL_WARN("sw.ww8", "WW8Style structure corrupt");
+ nLenStringBytes = rSkip;
+ }
+ rSkip -= nLenStringBytes;
 }
 else
 pString->clear(); // can not return a name
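Review bot: `rSkip -= nLenStringBytes;` at the end of the @@ -6678 hunk narrows a `sal_Int32` into a `sal_uInt16` implicitly, and is only in range because of the clamp two lines above it; making that dependency visible with `rSkip -= static_cast<sal_uInt16>(nLenStringBytes);` keeps -Wconversion/C4244 quiet and documents why no wrap can occur. Keeping `nLenStringBytes` as `sal_Int32` is right, since in the version-8 branch `(pString->getLength() + 2) * 2` can exceed the `sal_uInt16` range before the clamp is applied. When the clamp fires, `rSkip` ends at 0 while the stream has already been advanced past the over-long name, so the caller's subsequent skip (outside this hunk) lands past the declared STD record rather than at its end; a comment such as `// name overran the STD record: nothing left to skip, stream is already past it` would save the next reader from re-deriving that. The @@ -6654 and @@ -6662 hunks only move the subtraction into the new local and need no separate change.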
diff --git a/sw/source/filter/ww8/ww8scan.hxx b/sw/source/filter/ww8/ww8scan.hxx
index ab1fef0ee42c..c0ead8a7936e 100644
--- a/sw/source/filter/ww8/ww8scan.hxx
+++ b/sw/source/filter/ww8/ww8scan.hxx
@@ -1563,8 +1563,8 @@ protected:
 public:
 WW8Style( SvStream& rSt, WW8Fib& rFibPara );
- WW8_STD* Read1STDFixed( short& rSkip, short* pcbStd );
- WW8_STD* Read1Style( short& rSkip, OUString* pString, short* pcbStd );
+ WW8_STD* Read1STDFixed(sal_uInt16& rSkip, sal_uInt16* pcbStd);
+ WW8_STD* Read1Style(sal_uInt16& rSkip, OUString* pString, sal_uInt16* pcbStd);
 sal_uInt16 GetCount() const { return cstd; }
 };
-- cgit