[Libreoffice-commits] .: Branch 'libreoffice-3-5' - filter/source

Caolán McNamara caolan at kemper.freedesktop.org
Fri Dec 16 03:37:32 PST 2011


 filter/source/msfilter/msdffimp.cxx |   31 +++++++++++++++++++++++++------
 1 file changed, 25 insertions(+), 6 deletions(-)

New commits:
commit 5ec1a1dff4783437ba8f6b22db166aa10a1e9e69
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Fri Dec 16 11:31:35 2011 +0000

    avoid looping on busted escher records
    (cherry picked from commit 512401decb286ba0fc3031939b8f7de8649c502e)
    
    Signed-off-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/filter/source/msfilter/msdffimp.cxx b/filter/source/msfilter/msdffimp.cxx
index 6853c13..afc272a 100644
--- a/filter/source/msfilter/msdffimp.cxx
+++ b/filter/source/msfilter/msdffimp.cxx
@@ -3380,7 +3380,7 @@ sal_Bool SvxMSDffManager::SeekToShape( SvStream& rSt, void* /* pClientData */, s
                 rSt >> aEscherF002Hd;
                 sal_uLong nEscherF002End = aEscherF002Hd.GetRecEndFilePos();
                 DffRecordHeader aEscherObjListHd;
-                while ( rSt.Tell() < nEscherF002End )
+                while (rSt.good() && rSt.Tell() < nEscherF002End)
                 {
                     rSt >> aEscherObjListHd;
                     if ( aEscherObjListHd.nRecVer != 0xf )
@@ -3417,6 +3417,8 @@ bool SvxMSDffManager::SeekToRec( SvStream& rSt, sal_uInt16 nRecId, sal_uLong nMa
     do
     {
         rSt >> aHd;
+        if (!rSt.good())
+            break;
         if ( aHd.nRecType == nRecId )
         {
             if ( nSkipCount )
@@ -3431,9 +3433,13 @@ bool SvxMSDffManager::SeekToRec( SvStream& rSt, sal_uInt16 nRecId, sal_uLong nMa
             }
         }
         if ( !bRet )
-            aHd.SeekToEndOfRecord( rSt );
+        {
+            bool bSeekSuccess = aHd.SeekToEndOfRecord( rSt );
+            if (!bSeekSuccess)
+                break;
+        }
     }
-    while ( rSt.GetError() == 0 && rSt.Tell() < nMaxFilePos && !bRet );
+    while ( rSt.good() && rSt.Tell() < nMaxFilePos && !bRet );
     if ( !bRet )
         rSt.Seek( nFPosMerk );  // FilePos restaurieren
     return bRet;
@@ -6018,10 +6024,17 @@ void SvxMSDffManager::GetFidclData( sal_uInt32 nOffsDggL )
 
             if ( mnIdClusters-- > 2 )
             {
-                if ( aDggAtomHd.nRecLen == ( mnIdClusters * sizeof( FIDCL ) + 16 ) )
+                const sal_Size nFIDCLsize = sizeof(sal_uInt32) * 2;
+                if ( aDggAtomHd.nRecLen == ( mnIdClusters * nFIDCLsize + 16 ) )
                 {
+                    sal_Size nMaxEntriesPossible = rStCtrl.remainingSize() / nFIDCLsize;
+                    SAL_WARN_IF(nMaxEntriesPossible < mnIdClusters,
+                        "escher", "FIDCL list longer than remaining bytes, ppt or parser is wrong");
+                    mnIdClusters = std::min(nMaxEntriesPossible, static_cast<sal_Size>(mnIdClusters));
+
                     mpFidcls = new FIDCL[ mnIdClusters ];
-                    for ( sal_uInt32 i = 0; i < mnIdClusters; i++ )
+                    memset(mpFidcls, 0, mnIdClusters * sizeof(FIDCL));
+                    for (sal_uInt32 i = 0; i < mnIdClusters; ++i)
                     {
                         rStCtrl >> mpFidcls[ i ].dgid
                                 >> mpFidcls[ i ].cspidCur;
@@ -6814,6 +6827,8 @@ bool SvxMSDffManager::ReadCommonRecordHeader(DffRecordHeader& rRec,
         rRec.nRecInstance, rRec.nRecType, rRec.nRecLen);
 }
 
+sal_uInt32 nMaxLegalRecordLength = SAL_MAX_UINT32 - DFF_COMMON_RECORD_HEADER_SIZE;
+
 /* also static */
 bool SvxMSDffManager::ReadCommonRecordHeader(SvStream& rSt,
     sal_uInt8& rVer, sal_uInt16& rInst, sal_uInt16& rFbt, sal_uInt32& rLength)
@@ -6822,7 +6837,11 @@ bool SvxMSDffManager::ReadCommonRecordHeader(SvStream& rSt,
     rSt >> nTmp >> rFbt >> rLength;
     rVer = sal::static_int_cast< sal_uInt8 >(nTmp & 15);
     rInst = nTmp >> 4;
-    return rSt.good();
+    if (!rSt.good())
+        return false;
+    if (rLength > nMaxLegalRecordLength)
+        return false;
+    return true;
 }
 
 sal_Bool SvxMSDffManager::ProcessClientAnchor(SvStream& rStData, sal_uInt32 nDatLen,


More information about the Libreoffice-commits mailing list