[Libreoffice-commits] core.git: Branch 'libreoffice-4-4' - sw/qa sw/source

[Caolán McNamara]

 sw/qa/core/data/ww8/pass/crash-3.doc |binary
 sw/source/filter/ww8/ww8par.cxx      |   13 ++++++-------
 sw/source/filter/ww8/ww8scan.cxx     |    8 ++++----
 sw/source/filter/ww8/ww8scan.hxx     |    2 +-
 4 files changed, 11 insertions(+), 12 deletions(-)

New commits:
commit eb64a9b38d5f98dca9de71e26598d839fd5eb535
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Thu Aug 20 09:31:30 2015 +0100

    sanitize lcbCmds length
    
    (cherry picked from commit 721f5b054e013cc2867051bef75d6488fdb583a8)
    
    Change-Id: I795ac35c80d7b61d7a9afbeae0d6d4bb789e16f8
    Reviewed-on: https://gerrit.libreoffice.org/17870
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    Tested-by: Michael Stahl <mstahl at redhat.com>

diff --git a/sw/qa/core/data/ww8/pass/crash-3.doc b/sw/qa/core/data/ww8/pass/crash-3.doc
new file mode 100644
index 0000000..d36afef
Binary files /dev/null and b/sw/qa/core/data/ww8/pass/crash-3.doc differ
diff --git a/sw/source/filter/ww8/ww8par.cxx b/sw/source/filter/ww8/ww8par.cxx
index 7ccb338..b7c8bbb 100644
--- a/sw/source/filter/ww8/ww8par.cxx
+++ b/sw/source/filter/ww8/ww8par.cxx
@@ -4650,15 +4650,14 @@ void SwWW8ImplReader::StoreMacroCmds()
         {
             uno::Reference < io::XStream > xStream =
                     xRoot->openStreamElement( OUString(SL::aMSMacroCmds), embed::ElementModes::READWRITE );
-            SvStream* pStream = ::utl::UcbStreamHelper::CreateStream( xStream );
+            std::unique_ptr<SvStream> xOutStream(::utl::UcbStreamHelper::CreateStream(xStream));
 
-            sal_uInt8 *pBuffer = new sal_uInt8[pWwFib->lcbCmds];
-            pWwFib->lcbCmds = pTableStream->Read(pBuffer, pWwFib->lcbCmds);
-            pStream->Write(pBuffer, pWwFib->lcbCmds);
-            delete[] pBuffer;
-            delete pStream;
+            sal_uInt32 lcbCmds = std::min<sal_uInt32>(pWwFib->lcbCmds, pTableStream->remainingSize());
+            std::unique_ptr<sal_uInt8[]> xBuffer(new sal_uInt8[lcbCmds]);
+            pWwFib->lcbCmds = pTableStream->Read(xBuffer.get(), lcbCmds);
+            xOutStream->Write(xBuffer.get(), pWwFib->lcbCmds);
         }
-        catch ( const uno::Exception& )
+        catch (...)
         {
         }
     }
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index b77936e..b3a9b1d 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -5185,14 +5185,14 @@ namespace
     {
         if (eVer <= ww::eWW2)
         {
-            sal_uInt16 nShort;
-            rSt.ReadUInt16( nShort );
+            sal_uInt16 nShort(0);
+            rSt.ReadUInt16(nShort);
             return nShort;
         }
         else
         {
-            sal_uInt32 nLong;
-            rSt.ReadUInt32( nLong );
+            sal_uInt32 nLong(0);
+            rSt.ReadUInt32(nLong);
             return nLong;
         }
     }
diff --git a/sw/source/filter/ww8/ww8scan.hxx b/sw/source/filter/ww8/ww8scan.hxx
index e054b9d..57e53e9 100644
--- a/sw/source/filter/ww8/ww8scan.hxx
+++ b/sw/source/filter/ww8/ww8scan.hxx
@@ -1281,7 +1281,7 @@ public:
     sal_Int32 lcbPlcfbkl;   // 0x114 sal_Int32
 
     WW8_FC fcCmds;      // 0x118 FC
-    sal_Int32 lcbCmds;      // 0x11c
+    sal_uInt32 lcbCmds;      // 0x11c
 
     WW8_FC fcPlcfmcr;       // 0x120 FC
     sal_Int32 lcbPlcfmcr;       // 0x124