[Libreoffice-commits] .: sc/source

Markus Mohrhard mmohrhard at kemper.freedesktop.org
Thu Jul 5 13:07:13 PDT 2012 

 sc/source/filter/excel/xistream.cxx          |    4 +++-
 sc/source/filter/xcl97/XclImpChangeTrack.cxx |   13 ++++++++++++-
 2 files changed, 15 insertions(+), 2 deletions(-)

New commits:
commit 1b57e80858dd61986bea6da7358d9f8433d9685e
Author: Markus Mohrhard <markus.mohrhard at googlemail.com>
Date:   Thu Jul 5 21:59:55 2012 +0200

    prevent invalid memory when loading change tracking from xls, fdo#45209
    
    when loading broken xls files with change tracking we may crash because
    of invalid memory access that results from loading to few bytes and then
    using the originally created array
    
    the patch changes it to check for the right amount of loaded bytes and
    otherwise skips this change tracking record
    
    Change-Id: I0795104284479368e26b8411336cee690abffd06

diff --git a/sc/source/filter/excel/xistream.cxx b/sc/source/filter/excel/xistream.cxx
index 753839c..8cd9980 100644
--- a/sc/source/filter/excel/xistream.cxx
+++ b/sc/source/filter/excel/xistream.cxx
@@ -822,7 +822,9 @@ sal_Size XclImpStream::CopyToStream( SvStream& rOutStrm, sal_Size nBytes )
         {
             sal_Size nReadSize = ::std::min( nBytesLeft, nMaxBuffer );
             nRet += Read( pnBuffer, nReadSize );
-            rOutStrm.Write( pnBuffer, nReadSize );
+            // writing more bytes than read results in invalid memory access
+            SAL_WARN_IF(nRet != nReadSize, "sc", "read less bytes than requested");
+            rOutStrm.Write( pnBuffer, nRet );
             nBytesLeft -= nReadSize;
         }
 
diff --git a/sc/source/filter/xcl97/XclImpChangeTrack.cxx b/sc/source/filter/xcl97/XclImpChangeTrack.cxx
index 926c537..ecb8b6e 100644
--- a/sc/source/filter/xcl97/XclImpChangeTrack.cxx
+++ b/sc/source/filter/xcl97/XclImpChangeTrack.cxx
@@ -197,7 +197,18 @@ void XclImpChangeTrack::ReadFormula( ScTokenArray*& rpTokenArray, const ScAddres
     // converter in each formula)
     SvMemoryStream aMemStrm;
     aMemStrm << (sal_uInt16) 0x0001 << nFmlSize;
-    pStrm->CopyToStream( aMemStrm, nFmlSize );
+    size_t nRead = pStrm->CopyToStream( aMemStrm, nFmlSize );
+
+    // survive reading invalid streams!
+    // if we can't read as many bytes as required just don't use them and
+    // assume that this part is broken
+    if(nRead != nFmlSize)
+    {
+        rpTokenArray = NULL;
+        pStrm->Ignore(1);
+        return;
+    }
+
     XclImpStream aFmlaStrm( aMemStrm, GetRoot() );
     aFmlaStrm.StartNextRecord();
     XclImpChTrFmlConverter aFmlConv( GetRoot(), *this );

More information about the Libreoffice-commits mailing list