[Libreoffice-commits] core.git: Branch 'libreoffice-5-0' - sw/qa sw/source

[Caolán McNamara]

 sw/qa/core/data/ww8/pass/crash-3.doc |binary
 sw/source/filter/ww8/ww8par.cxx      |   13 ++++++-------
 sw/source/filter/ww8/ww8scan.cxx     |    8 ++++----
 sw/source/filter/ww8/ww8scan.hxx     |    2 +-
 4 files changed, 11 insertions(+), 12 deletions(-)

New commits:
commit 502ca93741bebf6d9c6d2e83cac7b43742078e3e
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Thu Aug 20 09:31:30 2015 +0100

    sanitize lcbCmds length
    
    Change-Id: I795ac35c80d7b61d7a9afbeae0d6d4bb789e16f8
    (cherry picked from commit 721f5b054e013cc2867051bef75d6488fdb583a8)
    Reviewed-on: https://gerrit.libreoffice.org/17869
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Michael Stahl <mstahl at redhat.com>

diff --git a/sw/qa/core/data/ww8/pass/crash-3.doc b/sw/qa/core/data/ww8/pass/crash-3.doc
new file mode 100644
index 0000000..d36afef
Binary files /dev/null and b/sw/qa/core/data/ww8/pass/crash-3.doc differ
diff --git a/sw/source/filter/ww8/ww8par.cxx b/sw/source/filter/ww8/ww8par.cxx
index f07ddff75..7c4ef80 100644
--- a/sw/source/filter/ww8/ww8par.cxx
+++ b/sw/source/filter/ww8/ww8par.cxx
@@ -4652,15 +4652,14 @@ void SwWW8ImplReader::StoreMacroCmds()
         {
             uno::Reference < io::XStream > xStream =
                     xRoot->openStreamElement( OUString(SL::aMSMacroCmds), embed::ElementModes::READWRITE );
-            SvStream* pStream = ::utl::UcbStreamHelper::CreateStream( xStream );
+            std::unique_ptr<SvStream> xOutStream(::utl::UcbStreamHelper::CreateStream(xStream));
 
-            sal_uInt8 *pBuffer = new sal_uInt8[m_pWwFib->lcbCmds];
-            m_pWwFib->lcbCmds = m_pTableStream->Read(pBuffer, m_pWwFib->lcbCmds);
-            pStream->Write(pBuffer, m_pWwFib->lcbCmds);
-            delete[] pBuffer;
-            delete pStream;
+            sal_uInt32 lcbCmds = std::min<sal_uInt32>(m_pWwFib->lcbCmds, m_pTableStream->remainingSize());
+            std::unique_ptr<sal_uInt8[]> xBuffer(new sal_uInt8[lcbCmds]);
+            m_pWwFib->lcbCmds = m_pTableStream->Read(xBuffer.get(), lcbCmds);
+            xOutStream->Write(xBuffer.get(), m_pWwFib->lcbCmds);
         }
-        catch ( const uno::Exception& )
+        catch (...)
         {
         }
     }
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 5ffe258..1595f50 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -5204,14 +5204,14 @@ namespace
     {
         if (eVer <= ww::eWW2)
         {
-            sal_uInt16 nShort;
-            rSt.ReadUInt16( nShort );
+            sal_uInt16 nShort(0);
+            rSt.ReadUInt16(nShort);
             return nShort;
         }
         else
         {
-            sal_uInt32 nLong;
-            rSt.ReadUInt32( nLong );
+            sal_uInt32 nLong(0);
+            rSt.ReadUInt32(nLong);
             return nLong;
         }
     }
diff --git a/sw/source/filter/ww8/ww8scan.hxx b/sw/source/filter/ww8/ww8scan.hxx
index 0d6ac94..e1002f7 100644
--- a/sw/source/filter/ww8/ww8scan.hxx
+++ b/sw/source/filter/ww8/ww8scan.hxx
@@ -1269,7 +1269,7 @@ public:
     sal_Int32 lcbPlcfbkl;   // 0x114 sal_Int32
 
     WW8_FC fcCmds;      // 0x118 FC
-    sal_Int32 lcbCmds;      // 0x11c
+    sal_uInt32 lcbCmds;      // 0x11c
 
     WW8_FC fcPlcfmcr;       // 0x120 FC
     sal_Int32 lcbPlcfmcr;       // 0x124