[Libreoffice-bugs] [Bug 121795] New: Potential buffer overflow in PPTWriter::ImplWriteParagraphs

bugzilla-daemon at bugs.documentfoundation.org bugzilla-daemon at bugs.documentfoundation.org
Thu Nov 29 10:09:01 UTC 2018


https://bugs.documentfoundation.org/show_bug.cgi?id=121795

            Bug ID: 121795
           Summary: Potential buffer overflow in
                    PPTWriter::ImplWriteParagraphs
           Product: LibreOffice
           Version: 6.0.7.1 rc
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: medium
         Component: Impress
          Assignee: libreoffice-bugs at lists.freedesktop.org
          Reporter: eupharina at ispras.ru

Description:
We've used our static analyzer Svace to check the Libreoffice source code
(version 6.0.7.1), both for benchmarking our analysis and for being helpful to
the open source community. We have found the following suspicious code snippet
(source locations are cited as in the current master):

In sd/source/filter/eppt/epptso.cxx there is a PPTWriter::ImplWriteParagraphs
method at line 662. On lines 667-670, there is the following code:

        nDepth = pPara->nDepth;
        if ( nDepth > 4 )
            nDepth = 4;

This condition suggests that pPara->nDepth may be greater than 4, yet later in
the code when calling mpStyleSheet->IsHardAttribute at lines 714, 718, 721,
724, pPara->nDepth is used as nLevel parameter. Then inside IsHardAttribute the
nLevel variable is used as the index for the maParaLevel array of size 5 in
line 414 of pptx-stylesheet.cxx:

const PPTExParaLevel& rPara = mpParaSheet[ nInstance ]->maParaLevel[ nLevel ];

and then rPara is dereferenced inside the switch statement.

It seems that nDepth should be used instead of pPara->nDepth as in the similar
calls to IsHardAttribute at lines 730, 745 and others.

We would like to know if such bug reports are useful for you and whether this
is the right place to file them.


Steps to Reproduce:
Found the suspicious source code as a result of running static analysis over
it.

Actual Results:
Inconsistencies in using nDepth and pPara->nDepth in the cited code.

Expected Results:
Consistently use nDepth instead.


Reproducible: Didn't try


User Profile Reset: No



Additional Info:


