[Libreoffice-commits] .: sw/source
Caolán McNamara
caolan at kemper.freedesktop.org
Tue Jul 5 03:05:16 PDT 2011
sw/source/filter/ww8/ww8scan.cxx | 23 ++++++++++++++++++++---
1 file changed, 20 insertions(+), 3 deletions(-)
New commits:
commit 3b118585285fea68f28bffc970e5d45697a782f1
Author: Caolán McNamara <caolanm at redhat.com>
Date: Tue Jul 5 11:04:35 2011 +0100
clip bad FKP entries to available space
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 36e7148..4ea24f7 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -2458,12 +2458,29 @@ WW8PLCFx_Fc_FKP::WW8Fkp::WW8Fkp(ww::WordVersion eVersion, SvStream* pSt,
mnIMax = maRawData[511];
sal_uInt8 *pStart = maRawData;
- // Pointer to Offset-Location in maRawData
- sal_uInt8* pOfs = maRawData + (mnIMax + 1) * 4;
+ // Offset-Location in maRawData
+ size_t nRawDataStart = (mnIMax + 1) * 4;
for (mnIdx = 0; mnIdx < mnIMax; ++mnIdx)
{
- unsigned int nOfs = (*(pOfs + mnIdx * nItemSize)) * 2;
+ size_t nRawDataOffset = nRawDataStart + mnIdx * nItemSize;
+
+ //clip to available data, corrupt fkp
+ if (nRawDataOffset >= 511)
+ {
+ mnIMax = mnIdx;
+ break;
+ }
+
+ unsigned int nOfs = maRawData[nRawDataStart] * 2;
+
+ //clip to available data, corrupt fkp
+ if (nOfs >= 511)
+ {
+ mnIMax = mnIdx;
+ break;
+ }
+
Entry aEntry(Get_Long(pStart));
if (nOfs)
More information about the Libreoffice-commits
mailing list