[Libreoffice-commits] .: Branch 'libreoffice-3-5' - filter/source
Caolán McNamara
caolan at kemper.freedesktop.org
Fri Dec 16 03:37:32 PST 2011
filter/source/msfilter/msdffimp.cxx | 31 +++++++++++++++++++++++++------
1 file changed, 25 insertions(+), 6 deletions(-)
New commits:
commit 5ec1a1dff4783437ba8f6b22db166aa10a1e9e69
Author: Caolán McNamara <caolanm at redhat.com>
Date: Fri Dec 16 11:31:35 2011 +0000
avoid looping on busted escher records
(cherry picked from commit 512401decb286ba0fc3031939b8f7de8649c502e)
Signed-off-by: Caolán McNamara <caolanm at redhat.com>
diff --git a/filter/source/msfilter/msdffimp.cxx b/filter/source/msfilter/msdffimp.cxx
index 6853c13..afc272a 100644
--- a/filter/source/msfilter/msdffimp.cxx
+++ b/filter/source/msfilter/msdffimp.cxx
@@ -3380,7 +3380,7 @@ sal_Bool SvxMSDffManager::SeekToShape( SvStream& rSt, void* /* pClientData */, s
rSt >> aEscherF002Hd;
sal_uLong nEscherF002End = aEscherF002Hd.GetRecEndFilePos();
DffRecordHeader aEscherObjListHd;
- while ( rSt.Tell() < nEscherF002End )
+ while (rSt.good() && rSt.Tell() < nEscherF002End)
{
rSt >> aEscherObjListHd;
if ( aEscherObjListHd.nRecVer != 0xf )
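Review bot: The header read at `rSt >> aEscherObjListHd;` is still used on the very next line without a stream check. If the read fails, `nRecVer` is tested against whatever the header object holds at that point, and the new `rSt.good()` loop condition only stops the loop one iteration later. The SeekToRec hunk in this commit adds `if (!rSt.good()) break;` directly after its own header read; the same two lines here would make both loops behave alike. The loop body continues past the end of the hunk, so a later check there may already cover this.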
@@ -3417,6 +3417,8 @@ bool SvxMSDffManager::SeekToRec( SvStream& rSt, sal_uInt16 nRecId, sal_uLong nMa
do
{
rSt >> aHd;
+ if (!rSt.good())
+ break;
if ( aHd.nRecType == nRecId )
{
if ( nSkipCount )
@@ -3431,9 +3433,13 @@ bool SvxMSDffManager::SeekToRec( SvStream& rSt, sal_uInt16 nRecId, sal_uLong nMa
}
}
if ( !bRet )
- aHd.SeekToEndOfRecord( rSt );
+ {
+ bool bSeekSuccess = aHd.SeekToEndOfRecord( rSt );
+ if (!bSeekSuccess)
+ break;
+ }
}
- while ( rSt.GetError() == 0 && rSt.Tell() < nMaxFilePos && !bRet );
+ while ( rSt.good() && rSt.Tell() < nMaxFilePos && !bRet );
if ( !bRet )
rSt.Seek( nFPosMerk ); // FilePos restaurieren
return bRet;
@@ -6018,10 +6024,17 @@ void SvxMSDffManager::GetFidclData( sal_uInt32 nOffsDggL )
if ( mnIdClusters-- > 2 )
{
- if ( aDggAtomHd.nRecLen == ( mnIdClusters * sizeof( FIDCL ) + 16 ) )
+ const sal_Size nFIDCLsize = sizeof(sal_uInt32) * 2;
+ if ( aDggAtomHd.nRecLen == ( mnIdClusters * nFIDCLsize + 16 ) )
{
+ sal_Size nMaxEntriesPossible = rStCtrl.remainingSize() / nFIDCLsize;
+ SAL_WARN_IF(nMaxEntriesPossible < mnIdClusters,
+ "escher", "FIDCL list longer than remaining bytes, ppt or parser is wrong");
+ mnIdClusters = std::min(nMaxEntriesPossible, static_cast<sal_Size>(mnIdClusters));
+
mpFidcls = new FIDCL[ mnIdClusters ];
- for ( sal_uInt32 i = 0; i < mnIdClusters; i++ )
+ memset(mpFidcls, 0, mnIdClusters * sizeof(FIDCL));
+ for (sal_uInt32 i = 0; i < mnIdClusters; ++i)
{
rStCtrl >> mpFidcls[ i ].dgid
>> mpFidcls[ i ].cspidCur;
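Review bot: `nFIDCLsize` needs a comment saying it is the on-disk size of one entry, because the hunk now uses two different sizes for the same record: `sizeof(sal_uInt32) * 2` for the length check and the `remainingSize()` bound, and `sizeof(FIDCL)` for the `memset`. Something like `// on-disk FIDCL entry: dgid + cspidCur, two 32-bit values; not sizeof(FIDCL), which is the in-memory size` would stop a later cleanup from merging the two again. The read loop still does not test `rStCtrl` after each entry; with the new `memset` a short read leaves zeroed entries instead of uninitialised ones, which is worth stating in the same comment. The loop continues past the end of the hunk.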
@@ -6814,6 +6827,8 @@ bool SvxMSDffManager::ReadCommonRecordHeader(DffRecordHeader& rRec,
rRec.nRecInstance, rRec.nRecType, rRec.nRecLen);
}
+sal_uInt32 nMaxLegalRecordLength = SAL_MAX_UINT32 - DFF_COMMON_RECORD_HEADER_SIZE;
+
/* also static */
bool SvxMSDffManager::ReadCommonRecordHeader(SvStream& rSt,
sal_uInt8& rVer, sal_uInt16& rInst, sal_uInt16& rFbt, sal_uInt32& rLength)
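Review bot: `nMaxLegalRecordLength` is added as a mutable namespace-scope variable with external linkage, although in this diff it is only read by the length check in ReadCommonRecordHeader. Declaring it `static const sal_uInt32 nMaxLegalRecordLength = SAL_MAX_UINT32 - DFF_COMMON_RECORD_HEADER_SIZE;` keeps other translation units from seeing or changing a limit the parser relies on. A one-line comment giving the reason for the value would also help; presumably it ensures that header size plus record length cannot wrap a 32-bit file position.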
@@ -6822,7 +6837,11 @@ bool SvxMSDffManager::ReadCommonRecordHeader(SvStream& rSt,
rSt >> nTmp >> rFbt >> rLength;
rVer = sal::static_int_cast< sal_uInt8 >(nTmp & 15);
rInst = nTmp >> 4;
- return rSt.good();
+ if (!rSt.good())
+ return false;
+ if (rLength > nMaxLegalRecordLength)
+ return false;
+ return true;
}
sal_Bool SvxMSDffManager::ProcessClientAnchor(SvStream& rStData, sal_uInt32 nDatLen,
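Review bot: The new `rLength > nMaxLegalRecordLength` test only rejects lengths within DFF_COMMON_RECORD_HEADER_SIZE of SAL_MAX_UINT32, so a record that claims far more bytes than the stream actually holds still returns true here. Such records are then caught only where callers check a later seek, as the SeekToRec hunk now does with the result of `SeekToEndOfRecord`. If accepting over-long records at this point is deliberate (for example to keep loading truncated files), a comment should say so; otherwise a bound against the stream, along the lines of the `remainingSize()` check added in GetFidclData, would reject them at the source. Note also that `rVer`, `rInst`, `rFbt` and `rLength` are written before either check, so on a false return they hold unvalidated values, which the function comment should mention. The function body starts before this hunk.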