[Libreoffice-commits] .: Branch 'libreoffice-3-4' - sd/source
Petr Mladek
pmladek at kemper.freedesktop.org
Fri Apr 29 07:53:52 PDT 2011
sd/source/filter/ppt/propread.cxx | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
New commits:
commit 4c57026b92a862bfae3cb7d6c35889d2844fd5cd
Author: Radek Doulik <rodo at novell.com>
Date: Fri Apr 29 16:51:52 2011 +0200
sd-ppt-fix-document-summary-reading.diff: crasher fix (bnc#546758)
fix problem in ppt reading causing crash or memory saturation
diff --git a/sd/source/filter/ppt/propread.cxx b/sd/source/filter/ppt/propread.cxx
index e9d0fbf..726b756 100644
--- a/sd/source/filter/ppt/propread.cxx
+++ b/sd/source/filter/ppt/propread.cxx
@@ -504,7 +504,9 @@ void Section::Read( SvStorageStream *pStrm )
case VT_LPWSTR :
*pStrm >> nTemp;
- nPropSize += ( nTemp << 1 ) + 4;
+ // looks like these are aligned to 4 bytes
+ sal_uInt32 nLength = nPropOfs + nSecOfs + nPropSize + ( nTemp << 1 ) + 4;
+ nPropSize += ( nTemp << 1 ) + 4 + (nLength % 4);
break;
case VT_BLOB_OBJECT :
@@ -540,6 +542,9 @@ void Section::Read( SvStorageStream *pStrm )
break;
}
pStrm->Seek( nPropOfs + nSecOfs );
+ // make sure we don't overflow the section size
+ if( nPropSize > nSecSize - nSecOfs )
+ nPropSize = nSecSize - nSecOfs;
sal_uInt8* pBuf = new sal_uInt8[ nPropSize ];
pStrm->Read( pBuf, nPropSize );
AddProperty( nPropId, pBuf, nPropSize );
More information about the Libreoffice-commits
mailing list