[Libreoffice-commits] core.git: sw/qa sw/source

[Caolán McNamara]

 sw/qa/core/data/ww8/pass/crash-3.doc |binary
 sw/source/filter/ww8/ww8par.cxx      |   13 ++++++-------
 sw/source/filter/ww8/ww8scan.cxx     |    8 ++++----
 sw/source/filter/ww8/ww8scan.hxx     |    2 +-
 4 files changed, 11 insertions(+), 12 deletions(-)

New commits:
commit 721f5b054e013cc2867051bef75d6488fdb583a8
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Thu Aug 20 09:31:30 2015 +0100

    sanitize lcbCmds length
    
    Change-Id: I795ac35c80d7b61d7a9afbeae0d6d4bb789e16f8

diff --git a/sw/qa/core/data/ww8/pass/crash-3.doc b/sw/qa/core/data/ww8/pass/crash-3.doc
new file mode 100644
index 0000000..d36afef
Binary files /dev/null and b/sw/qa/core/data/ww8/pass/crash-3.doc differ
diff --git a/sw/source/filter/ww8/ww8par.cxx b/sw/source/filter/ww8/ww8par.cxx
index 695620d..21791a9 100644
--- a/sw/source/filter/ww8/ww8par.cxx
+++ b/sw/source/filter/ww8/ww8par.cxx
@@ -4651,15 +4651,14 @@ void SwWW8ImplReader::StoreMacroCmds()
         {
             uno::Reference < io::XStream > xStream =
                     xRoot->openStreamElement( OUString(SL::aMSMacroCmds), embed::ElementModes::READWRITE );
-            SvStream* pStream = ::utl::UcbStreamHelper::CreateStream( xStream );
+            std::unique_ptr<SvStream> xOutStream(::utl::UcbStreamHelper::CreateStream(xStream));
 
-            sal_uInt8 *pBuffer = new sal_uInt8[m_pWwFib->lcbCmds];
-            m_pWwFib->lcbCmds = m_pTableStream->Read(pBuffer, m_pWwFib->lcbCmds);
-            pStream->Write(pBuffer, m_pWwFib->lcbCmds);
-            delete[] pBuffer;
-            delete pStream;
+            sal_uInt32 lcbCmds = std::min<sal_uInt32>(m_pWwFib->lcbCmds, m_pTableStream->remainingSize());
+            std::unique_ptr<sal_uInt8[]> xBuffer(new sal_uInt8[lcbCmds]);
+            m_pWwFib->lcbCmds = m_pTableStream->Read(xBuffer.get(), lcbCmds);
+            xOutStream->Write(xBuffer.get(), m_pWwFib->lcbCmds);
         }
-        catch ( const uno::Exception& )
+        catch (...)
         {
         }
     }
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index a34dc30..bb5552a 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -5172,14 +5172,14 @@ namespace
     {
         if (eVer <= ww::eWW2)
         {
-            sal_uInt16 nShort;
-            rSt.ReadUInt16( nShort );
+            sal_uInt16 nShort(0);
+            rSt.ReadUInt16(nShort);
             return nShort;
         }
         else
         {
-            sal_uInt32 nLong;
-            rSt.ReadUInt32( nLong );
+            sal_uInt32 nLong(0);
+            rSt.ReadUInt32(nLong);
             return nLong;
         }
     }
diff --git a/sw/source/filter/ww8/ww8scan.hxx b/sw/source/filter/ww8/ww8scan.hxx
index 4be181b..53e5d47 100644
--- a/sw/source/filter/ww8/ww8scan.hxx
+++ b/sw/source/filter/ww8/ww8scan.hxx
@@ -1265,7 +1265,7 @@ public:
     sal_Int32 lcbPlcfbkl;   // 0x114 sal_Int32
 
     WW8_FC fcCmds;      // 0x118 FC
-    sal_Int32 lcbCmds;      // 0x11c
+    sal_uInt32 lcbCmds;      // 0x11c
 
     WW8_FC fcPlcfmcr;       // 0x120 FC
     sal_Int32 lcbPlcfmcr;       // 0x124