[Libreoffice-commits] .: sw/source

Caolán McNamara caolan at kemper.freedesktop.org
Thu Jul 21 02:35:16 PDT 2011


 sw/source/filter/ww8/wrtww8.cxx  |   11 +++---
 sw/source/filter/ww8/ww8graf.cxx |   66 +++++++++++++++++++++++++++------------
 sw/source/filter/ww8/ww8par.cxx  |   35 +++++++++++---------
 sw/source/filter/ww8/ww8par2.cxx |    6 +--
 sw/source/filter/ww8/ww8par6.cxx |    8 ++--
 sw/source/filter/ww8/ww8scan.cxx |   26 +++++++++------
 6 files changed, 95 insertions(+), 57 deletions(-)

New commits:
commit b77c9a6716a76fb0ccea9a389482ac9dfdf7dce4
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Thu Jul 21 09:16:24 2011 +0100

    check reads and seeks

diff --git a/sw/source/filter/ww8/wrtww8.cxx b/sw/source/filter/ww8/wrtww8.cxx
index 732b8f2..f657ad0 100644
--- a/sw/source/filter/ww8/wrtww8.cxx
+++ b/sw/source/filter/ww8/wrtww8.cxx
@@ -2875,10 +2875,10 @@ namespace
         rIn.Seek(0);
 
         sal_uInt8 in[WW_BLOCKSIZE];
-        for (sal_uLong nI = 0, nBlock = 0; nI < nLen; nI += WW_BLOCKSIZE, ++nBlock)
+        for (sal_Size nI = 0, nBlock = 0; nI < nLen; nI += WW_BLOCKSIZE, ++nBlock)
         {
-            sal_uLong nBS = (nLen - nI > WW_BLOCKSIZE) ? WW_BLOCKSIZE : nLen - nI;
-            rIn.Read(in, nBS);
+            sal_Size nBS = (nLen - nI > WW_BLOCKSIZE) ? WW_BLOCKSIZE : nLen - nI;
+            nBS = rIn.Read(in, nBS);
             rCtx.InitCipher(nBlock);
             rCtx.Encode(in, nBS, in, nBS);
             rOut.Write(in, nBS);
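Review bot: A short or failed `rIn.Read` in this loop is absorbed rather than reported. `nBS` shrinks to the number of bytes actually read, but the loop keeps running until `nI` reaches `nLen` with `nBlock` still advancing, so a truncated input produces a silently shorter output stream. Consider stopping at the first read that returns fewer bytes than requested (after writing what was read) and giving the caller a way to see the failure. The same assignment is added to DecryptRC4 and DecryptXOR in ww8par.cxx. The function starts and ends outside this hunk, so whether it can return a status needs confirming.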
@@ -3510,8 +3510,9 @@ void WW8Export::RestoreMacroCmds()
             pStream->Seek(0);
 
             sal_uInt8 *pBuffer = new sal_uInt8[pFib->lcbCmds];
-            pStream->Read(pBuffer, pFib->lcbCmds);
-            pTableStrm->Write(pBuffer, pFib->lcbCmds);
+            bool bReadOk = checkRead(*pStream, pBuffer, pFib->lcbCmds);
+            if (bReadOk)
+                pTableStrm->Write(pBuffer, pFib->lcbCmds);
             delete[] pBuffer;
 
         }
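Review bot: When `checkRead` fails here the macro commands are dropped without any trace, and `pFib->lcbCmds` keeps its previous value in the visible lines. If the FIB written later still advertises that length (the code that sets it is outside the hunk), the exported table stream would describe data that was never written. An `OSL_ENSURE(bReadOk, "Short macro commands read");` as in the other hunks of this commit, plus resetting the length on failure if the FIB is indeed written afterwards, would make the failure visible. `pBuffer` could also be a `boost::scoped_array`, as the commit does in ww8graf.cxx.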
diff --git a/sw/source/filter/ww8/ww8graf.cxx b/sw/source/filter/ww8/ww8graf.cxx
index 7d01d31..492a5d3 100644
--- a/sw/source/filter/ww8/ww8graf.cxx
+++ b/sw/source/filter/ww8/ww8graf.cxx
@@ -98,7 +98,7 @@
 #include <basegfx/point/b2dpoint.hxx>
 #include <basegfx/polygon/b2dpolygon.hxx>
 #include <editeng/editobj.hxx>
-
+#include <boost/scoped_ptr.hpp>
 #include <math.h>
 
 using ::editeng::SvxBorderLine;
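Review bot: The header added here is `boost/scoped_ptr.hpp`, but the new code in this file uses `boost::scoped_array` (in ReadPolyLine and ReadCaptionBox), which is declared in `boost/scoped_array.hpp`. Unless another include already pulls that header in, the build depends on a transitive include. `#include <boost/scoped_array.hpp>` states the dependency directly.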
@@ -182,7 +182,11 @@ bool SwWW8ImplReader::ReadGrafStart(void* pData, short nDataSiz,
         pStrm->SeekRel(SVBT16ToShort(pHd->cb) - sizeof(WW8_DPHEAD));
         return false;
     }
-    pStrm->Read(pData, nDataSiz);
+
+    bool bCouldRead = checkRead(*pStrm, pData, nDataSiz);
+    OSL_ENSURE(bCouldRead, "Short Graphic header");
+    if (!bCouldRead)
+        return false;
 
     RndStdIds eAnchor = (SVBT8ToByte(pDo->by) < 2) ? FLY_AT_PAGE : FLY_AT_PARA;
     rSet.Put(SwFmtAnchor(eAnchor));
@@ -443,20 +447,24 @@ SdrObject* SwWW8ImplReader::ReadPolyLine( WW8_DPHEAD* pHd, const WW8_DO* pDo,
         return 0;
 
     sal_uInt16 nCount = SVBT16ToShort( aPoly.aBits1 ) >> 1 & 0x7fff;
-    SVBT16 *pP = new SVBT16[nCount * 2];
-    pStrm->Read( pP, nCount * 4 );      // Punkte einlesen
+    boost::scoped_array<SVBT16> xP(new SVBT16[nCount * 2]);
+
+    bool bCouldRead = checkRead(*pStrm, xP.get(), nCount * 4);      // Punkte einlesen
+    OSL_ENSURE(bCouldRead, "Short PolyLine header");
+    if (!bCouldRead)
+        return 0;
+
     Polygon aP( nCount );
     Point aPt;
-    sal_uInt16 i;
-
-    for( i=0; i<nCount; i++ ){
-        aPt.X() = SVBT16ToShort( pP[i << 1] ) + nDrawXOfs2
+    for (sal_uInt16 i=0; i<nCount; ++i)
+    {
+        aPt.X() = SVBT16ToShort( xP[i << 1] ) + nDrawXOfs2
                   + (sal_Int16)SVBT16ToShort( pHd->xa );
-        aPt.Y() = SVBT16ToShort( pP[( i << 1 ) + 1] ) + nDrawYOfs2
+        aPt.Y() = SVBT16ToShort( xP[( i << 1 ) + 1] ) + nDrawYOfs2
                   + (sal_Int16)SVBT16ToShort( pHd->ya );
         aP[i] = aPt;
     }
-    delete[] pP;
+    xP.reset();
 
     SdrObject* pObj = new SdrPathObj(( SVBT16ToShort( aPoly.aBits1 ) & 0x1 ) ? OBJ_POLY : OBJ_PLIN, ::basegfx::B2DPolyPolygon(aP.getB2DPolygon()));
     SetStdAttr( rSet, aPoly.aLnt, aPoly.aShd );
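Review bot: `nCount` comes straight from `aPoly.aBits1` and is limited only by the 0x7fff mask; nothing in this hunk compares `nCount * 4` with the space left in the primitive described by `pHd->cb`. `checkRead` now stops a read past the end of the stream, but a count larger than the record still consumes bytes that belong to whatever follows it and treats them as points. A guard before the allocation that rejects counts exceeding the record's remaining length would close that; ReadCaptionBox has the same shape. The function begins before the hunk, so an earlier bound may exist outside the visible lines.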
@@ -1248,10 +1256,15 @@ SdrObject* SwWW8ImplReader::ReadCaptionBox( WW8_DPHEAD* pHd, const WW8_DO* pDo,
         return 0;
 
     sal_uInt16 nCount = SVBT16ToShort( aCallB.dpPolyLine.aBits1 ) >> 1 & 0x7fff;
-    SVBT16 *pP = new SVBT16[nCount * 2];
-    pStrm->Read( pP, nCount * 4 );      // Punkte einlesen
+    boost::scoped_array<SVBT16> xP(new SVBT16[nCount * 2]);
+
+    bool bCouldRead = checkRead(*pStrm, xP.get(), nCount * 4);      // Punkte einlesen
+    OSL_ENSURE(bCouldRead, "Short CaptionBox header");
+    if (!bCouldRead)
+        return 0;
+
     sal_uInt8 nTyp = (sal_uInt8)nCount - 1;
-    if( nTyp == 1 && SVBT16ToShort( pP[0] ) == SVBT16ToShort( pP[2] ) )
+    if( nTyp == 1 && SVBT16ToShort( xP[0] ) == SVBT16ToShort( xP[2] ) )
         nTyp = 0;
 
     Point aP0( (sal_Int16)SVBT16ToShort( pHd->xa ) +
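Review bot: A zero `nCount` is not rejected before the array is indexed. `new SVBT16[nCount * 2]` then has no elements, a zero-length `checkRead` presumably succeeds, and `xP[0]` and `xP[1]` are read unconditionally when `aP2` is built in the next hunk. `nTyp` also wraps to 255 in that case. An early `if (nCount < 1) return 0;` right after the count is computed would keep those reads inside the buffer. The function body continues outside this hunk.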
@@ -1263,11 +1276,11 @@ SdrObject* SwWW8ImplReader::ReadCaptionBox( WW8_DPHEAD* pHd, const WW8_DO* pDo,
     aP1.Y() += (sal_Int16)SVBT16ToShort( aCallB.dpheadTxbx.dya );
     Point aP2( (sal_Int16)SVBT16ToShort( pHd->xa )
                 + (sal_Int16)SVBT16ToShort( aCallB.dpheadPolyLine.xa )
-                + nDrawXOfs2 + (sal_Int16)SVBT16ToShort( pP[0] ),
+                + nDrawXOfs2 + (sal_Int16)SVBT16ToShort( xP[0] ),
                (sal_Int16)SVBT16ToShort( pHd->ya )
                + (sal_Int16)SVBT16ToShort( aCallB.dpheadPolyLine.ya )
-               + nDrawYOfs2 + (sal_Int16)SVBT16ToShort( pP[1] ) );
-    delete[] pP;
+               + nDrawYOfs2 + (sal_Int16)SVBT16ToShort( xP[1] ) );
+    xP.reset();
 
     SdrCaptionObj* pObj = new SdrCaptionObj( Rectangle( aP0, aP1 ), aP2 );
     pObj->SetModel( pDrawModel );
@@ -1334,7 +1347,13 @@ SdrObject* SwWW8ImplReader::ReadGrafPrimitive( short& rLeft, const WW8_DO* pDo,
     //into an object hierarachy with a little effort.
     SdrObject *pRet=0;
     WW8_DPHEAD aHd;                         // Lese Draw-Primitive-Header
-    pStrm->Read(&aHd, sizeof(WW8_DPHEAD));
+    bool bCouldRead = checkRead(*pStrm, &aHd, sizeof(WW8_DPHEAD));
+    OSL_ENSURE(bCouldRead, "Graphic Primitive header short read" );
+    if (!bCouldRead)
+    {
+        rLeft=0;
+        return pRet;
+    }
 
     if( rLeft >= SVBT16ToShort(aHd.cb) )    // Vorsichtsmassmahme
     {
@@ -1394,9 +1413,18 @@ void SwWW8ImplReader::ReadGrafLayer1( WW8PLCFspecial* pPF, long nGrafAnchorCp )
         OSL_ENSURE( !this, "+Wo ist die Grafik (3) ?" );
         return;
     }
+
+    bool bCouldSeek = checkSeek(*pStrm, SVBT32ToUInt32(pF->fc));
+    OSL_ENSURE(bCouldSeek, "Invalid Graphic offset");
+    if (!bCouldSeek)
+        return;
+
+    // Lese Draw-Header
     WW8_DO aDo;
-    pStrm->Seek( SVBT32ToUInt32( pF->fc ) );                  // Lese Draw-Header
-    pStrm->Read( &aDo, sizeof( WW8_DO ) );
+    bool bCouldRead = checkRead(*pStrm, &aDo, sizeof(WW8_DO));
+    OSL_ENSURE(bCouldRead, "Short Graphic header");
+    if (!bCouldRead)
+        return;
 
     short nLeft = SVBT16ToShort( aDo.cb ) - sizeof( WW8_DO );
     while (nLeft > static_cast<short>(sizeof(WW8_DPHEAD)))
diff --git a/sw/source/filter/ww8/ww8par.cxx b/sw/source/filter/ww8/ww8par.cxx
index 99e2fbf..9932661 100644
--- a/sw/source/filter/ww8/ww8par.cxx
+++ b/sw/source/filter/ww8/ww8par.cxx
@@ -4136,7 +4136,7 @@ void SwWW8ImplReader::StoreMacroCmds()
             SvStream* pStream = ::utl::UcbStreamHelper::CreateStream( xStream );
 
             sal_uInt8 *pBuffer = new sal_uInt8[pWwFib->lcbCmds];
-            pTableStream->Read(pBuffer, pWwFib->lcbCmds);
+            pWwFib->lcbCmds = pTableStream->Read(pBuffer, pWwFib->lcbCmds);
             pStream->Write(pBuffer, pWwFib->lcbCmds);
             delete[] pBuffer;
             delete pStream;
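Review bot: The buffer is sized from `pWwFib->lcbCmds` before anything checks that value against the table stream, so the allocation is as large as the imported document's FIB says; only the read result is clamped afterwards. Bounding the length by the bytes remaining in `pTableStream` before `new sal_uInt8[...]` would avoid an oversized allocation for a corrupt file. The short-read count is also written back into `pWwFib->lcbCmds`, which changes the FIB for any later reader of that field; a local such as `const sal_Size nRead = pTableStream->Read(pBuffer, pWwFib->lcbCmds);` would avoid that side effect. The enclosing function starts outside the hunk.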
@@ -4829,7 +4829,7 @@ namespace
         for (sal_Size nI = 0, nBlock = 0; nI < nLen; nI += WW_BLOCKSIZE, ++nBlock)
         {
             sal_Size nBS = (nLen - nI > WW_BLOCKSIZE) ? WW_BLOCKSIZE : nLen - nI;
-            rIn.Read(in, nBS);
+            nBS = rIn.Read(in, nBS);
             rCtx.InitCipher(nBlock);
             rCtx.Decode(in, nBS, in, nBS);
             rOut.Write(in, nBS);
@@ -4838,19 +4838,19 @@ namespace
 
     void DecryptXOR(msfilter::MSCodec_XorWord95 &rCtx, SvStream &rIn, SvStream &rOut)
     {
-        sal_uLong nSt = rIn.Tell();
+        sal_Size nSt = rIn.Tell();
         rIn.Seek(STREAM_SEEK_TO_END);
-        sal_uLong nLen = rIn.Tell();
+        sal_Size nLen = rIn.Tell();
         rIn.Seek(nSt);
 
         rCtx.InitCipher();
         rCtx.Skip(nSt);
 
         sal_uInt8 in[0x4096];
-        for (sal_uLong nI = nSt; nI < nLen; nI += 0x4096)
+        for (sal_Size nI = nSt; nI < nLen; nI += 0x4096)
         {
-            sal_uLong nBS = (nLen - nI > 0x4096 ) ? 0x4096 : nLen - nI;
-            rIn.Read(in, nBS);
+            sal_Size nBS = (nLen - nI > 0x4096 ) ? 0x4096 : nLen - nI;
+            nBS = rIn.Read(in, nBS);
             rCtx.Decode(in, nBS);
             rOut.Write(in, nBS);
         }
@@ -5056,7 +5056,7 @@ sal_uLong SwWW8ImplReader::LoadThroughDecryption(SwPaM& rPaM ,WW8Glossary *pGlos
                         size_t nUnencryptedHdr =
                             (8 == pWwFib->nVersion) ? 0x44 : 0x34;
                         sal_uInt8 *pIn = new sal_uInt8[nUnencryptedHdr];
-                        pStrm->Read(pIn, nUnencryptedHdr);
+                        nUnencryptedHdr = pStrm->Read(pIn, nUnencryptedHdr);
                         aDecryptMain.Write(pIn, nUnencryptedHdr);
                         delete [] pIn;
 
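Review bot: A short read of the unencrypted header is accepted here: `nUnencryptedHdr` becomes the number of bytes actually read, and that truncated header is written to `aDecryptMain`. Code reading the decrypted stream presumably expects the header at its full size (0x44 or 0x34), so a truncated file would be better rejected, for example with `if (!checkRead(*pStrm, pIn, nUnencryptedHdr))` and the error path this function already uses. The RC4 branch further down assigns the read count the same way. The function extends beyond the hunk on both sides.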
@@ -5087,17 +5087,20 @@ sal_uLong SwWW8ImplReader::LoadThroughDecryption(SwPaM& rPaM ,WW8Glossary *pGlos
                 break;
                 case RC4:
                 {
-                    msfilter::MSCodec_Std97 aCtx;
-
                     sal_uInt8 aDocId[ 16 ];
-                    pTableStream->Read(aDocId, 16);
                     sal_uInt8 aSaltData[ 16 ];
-                    pTableStream->Read(aSaltData, 16);
                     sal_uInt8 aSaltHash[ 16 ];
-                    pTableStream->Read(aSaltHash, 16);
 
+                    bool bCouldReadHeaders =
+                        checkRead(*pTableStream, aDocId, 16) &&
+                        checkRead(*pTableStream, aSaltData, 16) &&
+                        checkRead(*pTableStream, aSaltHash, 16);
+
+                    msfilter::MSCodec_Std97 aCtx;
                     // if initialization has failed the EncryptionData should be empty
-                    uno::Sequence< beans::NamedValue > aEncryptionData = InitStd97Codec( aCtx, aDocId, *pMedium );
+                    uno::Sequence< beans::NamedValue > aEncryptionData;
+                    if (bCouldReadHeaders)
+                        aEncryptionData = InitStd97Codec( aCtx, aDocId, *pMedium );
                     if ( aEncryptionData.getLength() && aCtx.VerifyKey( aSaltData, aSaltHash ) )
                     {
                         nErrRet = 0;
@@ -5105,9 +5108,9 @@ sal_uLong SwWW8ImplReader::LoadThroughDecryption(SwPaM& rPaM ,WW8Glossary *pGlos
                         pTempMain = MakeTemp(aDecryptMain);
 
                         pStrm->Seek(0);
-                        const sal_Size nUnencryptedHdr = 0x44;
+                        sal_Size nUnencryptedHdr = 0x44;
                         sal_uInt8 *pIn = new sal_uInt8[nUnencryptedHdr];
-                        pStrm->Read(pIn, nUnencryptedHdr);
+                        nUnencryptedHdr = pStrm->Read(pIn, nUnencryptedHdr);
 
                         DecryptRC4(aCtx, *pStrm, aDecryptMain);
 
diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
index ad0ec3c..79e930d 100644
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
@@ -3694,8 +3694,7 @@ static inline short WW8SkipOdd(SvStream* pSt )
     if ( pSt->Tell() & 0x1 )
     {
         sal_uInt8 c;
-        pSt->Read( &c, 1 );
-        return 1;
+        return pSt->Read( &c, 1 );
     }
     return 0;
 }
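Review bot: The value returned by `pSt->Read` is an unsigned byte count that is narrowed implicitly to `short` here. `return static_cast<short>(pSt->Read(&c, 1));` makes the conversion explicit. A one-line comment such as `// returns the number of bytes actually skipped (0 or 1)` would document the new contract for callers that subtract the result from a remaining-length counter. WW8SkipEven in the next hunk is written the same way.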
@@ -3705,8 +3704,7 @@ static inline short WW8SkipEven(SvStream* pSt )
     if (!(pSt->Tell() & 0x1))
     {
         sal_uInt8 c;
-        pSt->Read( &c, 1 );
-        return 1;
+        return pSt->Read( &c, 1 );
     }
     return 0;
 }
diff --git a/sw/source/filter/ww8/ww8par6.cxx b/sw/source/filter/ww8/ww8par6.cxx
index 9870083..578a3a6 100644
--- a/sw/source/filter/ww8/ww8par6.cxx
+++ b/sw/source/filter/ww8/ww8par6.cxx
@@ -1689,10 +1689,11 @@ void WW8FlyPara::ReadFull(sal_uInt8 nOrigSp29, SwWW8ImplReader* pIo)
         bGrafApo = false;
 
         do{             // Block zum rausspringen
-
             sal_uInt8 nTxt[2];
 
-            pIoStrm->Read( nTxt, 2 );                   // lies Text
+            if (!checkRead(*pIoStrm, nTxt, 2)) // lies Text
+                break;
+
             if( nTxt[0] != 0x01 || nTxt[1] != 0x0d )// nur Grafik + CR ?
                 break;                              // Nein
 
@@ -1703,7 +1704,8 @@ void WW8FlyPara::ReadFull(sal_uInt8 nOrigSp29, SwWW8ImplReader* pIo)
             const sal_uInt8* pS = pPap->HasSprm( bVer67 ? 29 : 0x261B );
 
             // Nein -> Grafik-Apo
-            if( !pS ){
+            if (!pS)
+            {
                 bGrafApo = true;
                 break;                              // Ende des APO
             }
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 5bfd5de..3782dfd 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -1541,7 +1541,7 @@ WW8PLCFpcd* WW8ScannerBase::OpenPieceTable( SvStream* pStr, const WW8Fib* pWwF )
         *pStr >> nLen;
         nLeft -= 2 + nLen;
         if( nLeft < 0 )
-            return 0;                           // schiefgegangen
+            return NULL;                        // schiefgegangen
         pStr->SeekRel( nLen );                  // ueberlies grpprl
     }
 
@@ -1564,12 +1564,16 @@ WW8PLCFpcd* WW8ScannerBase::OpenPieceTable( SvStream* pStr, const WW8Fib* pWwF )
         *pStr >> nLen;
         nLeft -= 2 + nLen;
         if( nLeft < 0 )
-            return 0;                           // schiefgegangen
+            return NULL;                        // schiefgegangen
         if( 1 == clxt )                         // clxtGrpprl ?
         {
             sal_uInt8* p = new sal_uInt8[nLen+2];         // alloziere
             ShortToSVBT16(nLen, p);             // trage Laenge ein
-            pStr->Read( p+2, nLen );            // lies grpprl
+            if (!checkRead(*pStr, p+2, nLen))   // lies grpprl
+            {
+                delete[] p;
+                return NULL;
+            }
             pPieceGrpprls[nAktGrpprl++] = p;    // trage in Array ein
         }
         else
@@ -2510,20 +2514,22 @@ WW8PLCFx_Fc_FKP::WW8Fkp::WW8Fkp(ww::WordVersion eVersion, SvStream* pSt,
     : nItemSize(nItemSiz), nFilePos(_nFilePos),  mnIdx(0), ePLCF(ePl),
     maSprmParser(eVersion)
 {
-    long nOldPos = pSt->Tell();
-
-    pSt->Seek(nFilePos);
     memset(maRawData, 0, 512);
-    pSt->Read(maRawData, 512);
-    mnIMax = maRawData[511];
+
+    sal_Size nOldPos = pSt->Tell();
+
+    bool bCouldSeek = checkSeek(*pSt, nFilePos);
+    bool bCouldRead = bCouldSeek ? checkRead(*pSt, maRawData, 512) : false;
+
+    mnIMax = bCouldRead ? maRawData[511] : 0;
 
     sal_uInt8 *pStart = maRawData;
     // Offset-Location in maRawData
-    size_t nRawDataStart = (mnIMax + 1) * 4;
+    const size_t nRawDataStart = (mnIMax + 1) * 4;
 
     for (mnIdx = 0; mnIdx < mnIMax; ++mnIdx)
     {
-        size_t nRawDataOffset = nRawDataStart + mnIdx * nItemSize;
+        const size_t nRawDataOffset = nRawDataStart + mnIdx * nItemSize;
 
         //clip to available data, corrupt fkp
         if (nRawDataOffset >= 511)

