[Libreoffice-commits] core.git: Branch 'libreoffice-4-4' - filter/source

Andras Timar andras.timar at collabora.com
Thu Nov 27 14:39:03 PST 2014


 filter/source/msfilter/msdffimp.cxx |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

New commits:
commit 544ad733b8a97b62a68c7d0f60f13c8f699407dd
Author: Andras Timar <andras.timar at collabora.com>
Date:   Thu Nov 27 20:56:32 2014 +0100

    fdo#84686 prevent std::bad_alloc exception by stricter input check
    
    The bugdoc has invalid length (rh.recLen) in header of blipStore's
    OfficeArtFBSE record. Therefore LibreOffice read junk for the next
    BLIP, and tried to seek to an invalid stream position, which caused
    a bad allocation exception on 32-bit systems.
    
    Change-Id: I72fae4c2b00216b57736f4409a32c62a40f25785
    (cherry picked from commit 6945971c79d70d77c5c8bb6593b3f25ef46b0887)

diff --git a/filter/source/msfilter/msdffimp.cxx b/filter/source/msfilter/msdffimp.cxx
index 466faf6..be3c003 100644
--- a/filter/source/msfilter/msdffimp.cxx
+++ b/filter/source/msfilter/msdffimp.cxx
@@ -5798,8 +5798,7 @@ void SvxMSDffManager::GetCtrlData( sal_uInt32 nOffsDgg_ )
 }
 
 
-// from here on: Drawing Group Container  i.e. Ddocument-wide valid data
-//                      =======================           ========
+// from here on: Drawing Group Container  i.e. document-wide valid data
 
 void SvxMSDffManager::GetDrawingGroupContainerData( SvStream& rSt, sal_uLong nLenDgg )
 {
@@ -5839,7 +5838,7 @@ void SvxMSDffManager::GetDrawingGroupContainerData( SvStream& rSt, sal_uLong nLe
     {
         if(!ReadCommonRecordHeader( rSt, nVer, nInst, nFbt, nLength)) return;
         nRead += DFF_COMMON_RECORD_HEADER_SIZE + nLength;
-        if( DFF_msofbtBSE == nFbt )
+        if( DFF_msofbtBSE == nFbt && /* magic value from spec */ 0x2 == nVer )
         {
             nLenFBSE = nLength;
             // is FBSE big enough for our data
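Review bot: The added `0x2 == nVer` test is only an indirect guard, because `nLength` is still read from the file and added to `nRead` on the line above with no visible comparison against the bytes left in the container, and the commit message names the bad record length as the root cause. A corrupt record whose header happens to carry version 2 and type DFF_msofbtBSE would still pass, so I would bound the length before using it, at minimum `if( nLength > nLenBStoreCont - nRead ) return; // record overruns the container` ahead of the `nRead +=` line. The literal would also read better as a named constant beside the other DFF_ definitions than as an inline `/* magic value from spec */` comment. The loop body continues outside this hunk, so an upper bound may already exist in lines not shown here.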
@@ -5876,8 +5875,9 @@ void SvxMSDffManager::GetDrawingGroupContainerData( SvStream& rSt, sal_uLong nLe
                 // now save the info for later access
                 pBLIPInfos->push_back( new SvxMSDffBLIPInfo( nInst, nBLIPPos, nBLIPLen ) );
             }
+            rSt.SeekRel( nLength );
         }
-        rSt.SeekRel( nLength );
+        else return; // invalid input
     }
     while( nRead < nLenBStoreCont );
 }
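Review bot: `else return; // invalid input` ends the scan silently, so whatever was already pushed to `pBLIPInfos` stays in place and the caller cannot tell a complete BLIP store from a truncated one. Before this change a record that was not a BSE was skipped with `SeekRel`; now the first such record stops parsing, which deserves a log line such as `SAL_WARN("filter.ms", "unexpected record in BStoreContainer, stopping");` (log area to be confirmed against the rest of the module). The moved `rSt.SeekRel( nLength );` also leaves the stream state unchecked, so a failed seek is noticed only when the next `ReadCommonRecordHeader` call fails. The function starts before this hunk.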

